Wednesday, November 14, 2007

The Year of PKI? Finally?

Over on, there is an article saying to Expect more PKI in 2008. Since the late 1990's, several years have been deemed the "Year of PKI". The major push by the U.S. Department of Defense to build the world's largest PKI has provided a lot of momentum and investment in the PKI space. The cost of deploying smartcards across an enterprise for use with PKI, workstation login, and physical security has been greatly reduced due to the economies of scale created by DoD PKI. Microsoft's latest PKI-related products, combined with PKI integration built into Windows Server 2003 has reduced many barriers to entry for even small organizations. However, the question still remains: Will there every be a "Year of PKI?" There are many obstacles that must first be overcome before we can definitively answer that question.

Many organizations have grown comfortable with the username/password combination. Passwords aren't secure? Just change the password policy to lengthen the minimum requirements, add special characters, etc. They see no need to move towards client-side certificates, smartcard login, or other strong authentication mechanisms until a major change in their environment requires such an effort. The same is true for intra-server communication. In most organizations, data being transmitted between web servers, application servers, database servers, etc. goes over the network in plaintext. The additional effort involved in configuring SSL for dozens of servers is often enough to justify overlooking this important security fix.

Ease of Use
In the past, rolling out an enterprise-wide PKI was an enormous undertaking in terms of the amount of work required. If an organization wanted to use client-side certificates for authentication, root certificates had to be manually installed on each workstation. Users were enrolled in a time-consuming, manual process. Additionally, the PKI products themselves were often too difficult to administer. A skilled PKI expert also came with a hefty salary. Today, however, many PKI products have become more administrator-friendly. Microsoft's Certificate Server, included within Windows Server 2003, makes deploying client-side certificates much easier by integrating with an organization's existing Active Directory infrastructure. However, this would require an organization to use Active Directory throughout, which many places are unwilling to do.

By this, I do not mean on interoperability between products. There are numerous well-defined standards governing PKI that even Microsoft adheres to. I am referring to interoperability between disparate PKI setups. A PKI is a hierarchical trust system created by an organization. The root certificate serves as the basis for this trust hierarchy. The problem arises when two organizations making use of PKI want to interoperate with one another. Imagine if two PKI-enabled companies, WidgetWorld and GadgetBarn, wish to interoperate with one another. Each organization has their own root certificate. Establishing a trust between these two companies would involve exchanging root and subordinate CA certificates so that SSL and client certificates can be verified all the way up the trust chain. While there are companies such as Cybertrust or Verisign that offer CA certificate signing using a ubiquitous root, that leads us to our next, and most major obstacle.

Cost $$$
Commercial, hosted PKI solutions are typically very expensive. To have certificates that are globally trusted, however, they are necessary. It is possible to create a PKI that is internal to an organization. But, as we discussed earlier, a problem occurs if you want to extend that trust outside of your organization's boundaries. The inclusion of Microsoft Certificate Server in its Windows Server 2003 product, along with open-source PKI solutions, has greatly reduced the cost of deploying an internal PKI. However, this does not address the cost of implementing, maintaining, and monitoring the PKI. In addition, there are equipment costs associated with the servers, smartcards, and smartcard readers necessary to deploy a full-scale, enterprise-wide PKI.

So, given these issues, will there ever be a "Year of PKI?" The answer is "probably not." However, this does not mean that PKI adoption will not continue to grow within the enterprise arena. As more and more organizations realize the potential severity of a data security breach, they are increasingly looking at strong authentication solutions. The benefits to implementing a PKI begin to look very attractive when weighed against the nightmare of a major security breach. In addition, PKI adoption can enable an organization to implement additional security measures, such as encrypted file systems, 802.1x network authentication, code and e-mail digital signatures, and VPN access.

While it is clear there will be no global explosion of PKI use any time soon, the future of PKI adoption does look very bright. The number of PKI implementations will most likely continue to grow in an increasingly rapid manner. However the amount of effort and investigation required with rolling out a PKI -- as with any other security-related endeavor -- will ensure that the transition will not occur overnight.

No comments: