PKI is now taking a different form. Small, focused projects are succeeding in many areas, and trust groups are forming. Approximately 33 percent of surveyed organizations have reported using PKI technology in one form or another, and 36 percent express plans to deploy PKI technology by 2003 (if they do not already use such technology). Even a projected stall rate of 40 percent indicates significant growth of PKI deployment. META Group expects a significant percentage of this deployment to be based on Microsoft PKI components available within Win2000, with the employee's Win2000 desktop playing a major role as the end-point application of choice (for authentication and encryption usage). Digital signing is still of interest to business professionals, but it will not accelerate as quickly as other applications due to added complexity. By 2004, META Group expects 50 percent of all large businesses to have major PKI projects (defined as distribution of client certificates to hundreds of users), primarily for authentication (bolstering internal practices beyond passwords) and especially encryption (as organizations face regulatory requirements for end-to-end encryption/privacy, such as HIPAA and GLBA).
The contenders
It appears the previously dominant trio of PKI vendors (Baltimore Technologies and Entrust for PKI products, and VeriSign for outsourced services) is giving way. Emerging contenders are Microsoft and RSA (though neither has proven offerings), primarily because of their greater financial stability and the more secure prospect of their continued existence during PKI's maturation process. VeriSign still remains the primary outsourcer of PKI services, while Entrust is battling to remain a top-tier vendor. Baltimore's future (due to financial and management issues) is much more uncertain, and potential customers are advised to be cautious of doing business with Baltimore.
Between Microsoft and RSA, the RSA technology (acquired with Xcert International) is much more mature, containing facilities for remote access to centrally stored certificates as well as automated user enrollment. Such functions have long been offered by Baltimore, Entrust, and VeriSign, but currently are completely absent from Microsoft's PKI offerings. Microsoft's primary advantage is that, by being bundled with Win2000, it is perceived as free, even though META Group estimates the costs of deployment and support are at least two to three times as high as they would be for more mature products (such as Entrust, Baltimore, and, to a lesser extent, RSA). Microsoft solutions are currently appropriate only for small, employee-based PKI initiatives, and supporting estimates indicate users should either delay Microsoft implementations (1+ years) or use an alternate vendor.
Deployment strategies
In the process of launching a PKI initiative, extensive groundwork must be laid via process and strategy document development (for example, certificate policies and certificate practice statements to outline the types/levels of certificates, their intended use, and the means by which they are issued and managed). Extensive consulting services are often utilized.
Organizations must be wary, however. Although it makes sense to outline at a high level where and how certificates will be used (both within organizations, and between partners and customers), companies must not be induced to develop overly aggressive deployment plans. META Group research has identified numerous organizations where the initial deployment and consulting costs have quickly gotten out of hand. Instead, organizations would be well served by outlining a high-level strategy and game plan for certificate use within the overall company, but then focusing solely on one or a few projects (authentication and encryption make excellent starting points) with only clearly defined trust groups (for example, employees only, a few partners, perhaps a subset of customers, but not all at once).
Cost: Perception vs. reality
Cost remains one of the biggest unknowns an organization can face when embarking on a PKI initiative. Numbers have ranged from as low as $2 to $5 per user (for high-volume, simple Web authentication-only projects) to $200 per user (for smaller-volume, more complex projects requiring client software for encryption), and further into the hundreds as professional services costs accrue in complicated architecture and application integration projects. Cost containment is a critical issue, and organizations are advised to limit the scope of a project to a set of clearly defined applications (such as authentication for a Web application, encryption, or secure e-mail), and not to buy into the concept of a global PKI that will immediately provide all security services (authentication, encryption, and digital signatures) to all users. Again, it is the perception of lowered cost that will give Microsoft a competitive advantage in the future.
PKI: A State of the Union
First published October 29, 2001
By David Thompson