Companies warming up to PKI
SAN FRANCISCO - Although public-key digital certificate systems remain expensive and hard to deploy, last week's RSA Security conference provided ample evidence the technology is winning over organizations. In its presentation at the RSA Conference, Ford Motor said it has selected two public-key infrastructure (PKI) vendors, VeriSign and RSA Security, to allocate digital certificates to its 350,000 employees for signing and encrypting internal files.
"We came to the conclusion [we needed] to mandate a corporate policy to encrypt everything so we could secure all data," said Bob Brandt, a security technologist at Ford. "We wanted dual partners to help ensure interoperability," added Paul Rathbun, also a member of Ford's security team.
Although virtually all vendors offer standardized X.509 digital certificates, getting these products to work reliably across Netscape and Microsoft browsers, VPNs, and certificate authority and validation servers remains dicey. This despite assurances from vendors that support for the Internet Engineering Task Force's PKIX standards solves interoperability problems.
Even as it embarks on a PKI strategy that will involve working with separate Ford divisions - and later trading partners - to promote end-to-end encryption for Web-based and proprietary business applications, Ford is wondering what the total cost of the effort will be. "We need to recover the costs from business units, so we need to look at a cost-recovery model," Rathbun said.
Pricing PKI
But figuring out PKI costs involves a complex equation, according to Brad Hildreth, a Gartner research director. An organization embarking on PKI has to figure in much more than just each vendor's stated software prices, based on per-seat charges and amortizing them over five years or so.
PKI vendors - there are about a dozen offering full certificate authority software and tool kits - sometimes charge based on the number of applications you want to PKI-enable, Hildreth noted during his talk at the RSA Conference.
"You may typically have two certificates per person, and you want encryption key recovery because people leave an organization and because 20% of users over five years forget their passwords for using their certificates," Hildreth said.
Companies should also have two certificate authorities - systems that issue digital certificates - in case one has problems, he said. Other costs include hardware, the time of corporate lawyers involved in approving a licensing contract and vendor software maintenance fees.
In addition, companies may need to pay for training users and technical staff, which could include help-desk personnel and people to validate users' identities before giving them certificates. Smart cards and readers will also be required if digital certificates are to be stored using such technology.
In all, Gartner estimates that deploying PKI as software managed in-house typically costs $150 to $180 per user for 5,000 to 25,000 seats. But that drops sharply for higher volumes, to an estimated $40 per user for 100,000 seats and $30 per user for 200,000 seats.
To outsource PKI as a service from VeriSign or another such company costs roughly the same up to between 30,000 and 80,000 seats. Beyond that number of seats, it's less expensive to run the PKI system in-house, Hildreth said. "If this is strategic, you may want to insource it. But if you trust VeriSign's people more than your own, you may want to outsource it," he concluded.
Michigan buys in
The State of Michigan's Department of the Treasury this month is finishing up a 265-seat PKI deployment of RSA's Keon client and server software, which stores keys and certificates and can be used with many applications.
"The transition was traumatic," said Stanley Borawski, an administrator at the Treasury Department in Lansing. The Treasury made the leap from a non-networked environment based on paper, fax and phone, to a LAN-connected office with field auditors equipped with PCs and digital certificates for signing and encrypting all documents. The RSA Keon software constitutes "a complex product, and a sensitive one, especially with unsophisticated users," he added.
The users, mainly auditors, are struggling to learn the new PKI methods of signing and encrypting documents, Borawski said. But the Michigan government decided last year that digital certificates and PKI systems were worth the effort because they represented the best security technologies to safeguard sensitive financial data for transmission.
Borawski also confirmed that PKI isn't cheap. Michigan's Treasury Department had to add six people to support PKI and estimates its PKI-related costs have run between $300,000 and $400,000.
Borawski noted that the Internal Revenue Service, which doesn't seem too concerned about the security implications of sending paper documents through the U.S. mail, evinced a deep curiosity about the Treasury Department's PKI project. "We're pushing the envelope in terms of state government doing anything like this, with the possible exception of California," he said.
Borawski praised the efforts made by project systems integrator Bull Worldwide Information Systems, which has worked with RSA, Novell and WM-Data since December. He noted there was customization required to use the RSA Keon product. "They all busted their butts for us," he said, adding that Michigan is now looking at having its citizens use Web-based certificates in e-commerce transactions with the government in the future.
Contact Senior Editor Ellen Messmer