The PKI payoff

 


Once you get past the difficult early stages, the technology delivers a lot of benefits.

Public-key infrastructure is a complex technology that is a burden for agencies to implement. PKI is a powerful technology that can enable a wide array of agency applications and services. Both of those statements are true, but focus on the second one. By anticipating PKI at your agency, and implementing the technology properly, you can create the foundation for many useful applications.

With PKI, a third-party entity vouches for the bona fides of two interacting parties. Those parties might be a bank and its card-carrying customer, or an agency and its smart card-carrying employee. The vouching is in the form of digital certificates (actually large numbers) issued by a certificate authority to the trusted parties.

Think of PKI as learning the secret handshake of the Loyal Order of Antelope. Once you know that secret handshake, you can:

  • Prove that you are an Antelope in good standing
  • Recognize other Antelopes, and
  • Identify official Antelope documents that incorporate the secret handshake.

Although PKI certificates from different vendors are generally equivalent, agencies have many options to consider before choosing a provider. Agencies might be looking for a supplier of smart cards. They may need hardware, such as card readers, or software, such as personnel tracking systems, to work with PKI.

Consulting services can help integrate PKI with existing systems. Indeed, combinations of consultants with different expertise could be necessary to implement different agency applications and services. Technical support and maintenance services are always important considerations.

Because PKI is associated with secure and possibly vital agency applications, it's important to determine the disaster-recovery features that different vendors offer. Bulletproof PKI applications are not going to help you if the certificate authority goes down. You might also prefer vendors that are geographically close to you or, alternatively, far away from you. The former might be a benefit if you need assistance. The latter might help ensure survivability if there's a regional disaster.

"Management has to organize itself and lead," said Dr. Peter Alterman, assistant chief information officer for electronic authentication at the National Institutes of Health. Alterman is chairman of the Organization for the Advancement of Structured Information Standards' Federal PKI Policy Authority and a member of the OASIS IDtrust Steering Committee. As with any new implementation, there will be resistance to change.

In addition, although a PKI digital certificate might just be numbers, the infrastructure itself (hardware, software, services) is not cheap. "The actual PKI technology is trivial compared to the budget and management issues," Alterman said.

An agency also needs to decide who will administer the PKI system: the agency itself or an outside entity. "IT needs to ask whether they really want to take on the physical security responsibility," Alterman said. This could involve coordinating information technology, human resources and building security to a greater extent than usual. The trade-off is better security for greater responsibility. Shifting responsibility for physical security to another entity could simplify management, or not, but might also affect overall security.

From what we've covered so far, implementing PKI probably seems like manageable drudgery. However, PKI is a powerful and exciting technology that can enable some attractive and useful agency applications.

"PKI is like an electrical outlet," said Vijay Takanti, vice president of security services at Exostar. "Once you have it, you can plug all kinds of apps into it." Put another way: Because you're going to implement PKI anyway, why not take advantage of your investment to get everything you can out of it?

For example, there are many state and local agencies that federal agencies have to work with on an ongoing basis or in an emergency situation. The Homeland Security Department might partner with state and local law enforcement; federal health agencies could exchange information with hospitals or public health authorities; money might flow between federal, state and local agencies. It would be convenient to be able to identify trusted people, exchange confidential information and allow secure transactions. Unfortunately, state and local agencies can't use shared-service providers (SSPs). So even though these groups have to work together, they can't use the same PKI system.

However, they can still use PKI to solve their problems. Providers such as CertiPath offer bridge services for just this purpose. If you want the Antelopes to recognize members of the Benevolent Lodge of Beavers, you come up with a new secret handshake both groups know. Then Antelopes and Beavers can work on their joint projects without interfering with Antelope-only or Beaver-only business.

CertiPath, jointly owned by ARINC, Exostar and SITA, cross-certifies entities to a common standard, and CertiPath itself is directly cross-certified with the Federal Bridge Certificate Authority.

Interagency cooperation is just one bonus of PKI technology. "Agencies need to consider making changes to their ways of doing business," Alterman said. In particular, agencies need to think about ways to re-engineer their business processes to take advantage of PKI. Prime candidates for PKI include:

  • Interagency communication and cooperation.
  • Risk-associated activities, such as identity cards.
  • Confidentiality and privacy concerns.
  • Financial transactions.

PKI's potential in securing e-mail is one use agencies find attractive. The Defense Department and the United Kingdom's Ministry of Defence already have such systems. The recipient's PKI certificate is used to encrypt e-mail on the sending end, and the recipient's private key decrypts it on the receiving end. The process is transparent to users and makes for a new level of secure communications.

Encryption is an obvious application of PKI, but not enough agencies appreciate what PKI-encrypted files can accomplish. An encrypted file is not only unreadable by outsiders but also essentially stamped as belonging to your agency. Establishing such ownership credentials is valuable.

Digitally signing a file is similar but doesn't involve encryption. A digitally signed file ensures that its ownership is incontestable. The file is also tamper-resistant: people can read it, but any alteration will invalidate the signature. This is very important for agencies that need to circulate agreements or other documents they don't want marred by deliberate or inadvertent changes.

As these examples show, agencies need to approach PKI applications as a two-step process. First, they must identify the PKI-based applications that interest them. Then they need to figure out the integration implications for each of these applications.

It's possible, for example, that the agency applications of interest only run on a particular operating system. The agency must ensure that the corresponding PKI software will run on the same operating system. Most PKI providers support Windows and other operating systems, including Novell NetWare, Linux and Mac OS. Some operating systems support PKI themselves.

Finally, because each agency probably has its own PKI solution provider, interoperability between providers is important. This is simplest if the providers use nonproprietary technology. Some engineering of the infrastructure may be required for applications and PKI to interoperate well.

PKI-based agency applications will attract users and grow larger and more popular. That's why you want to ensure that PKI solutions scale well. If you anticipate deploying solutions at multiple locations, make sure the product can handle that.

Although most agencies will begin by using an SSP or managed services, at some point many will want to spread their wings and fly under their own power. In the PKI world, that means becoming a certificate authority themselves, with the ability to create, distribute and manage certificates. Ideally, providers should have programs to transition agencies from managed services to in-house responsibility.

The next iteration of PKI is called a public-key environment. For example, if an operating system and several software applications all offer PKI-compatible capabilities already, you have a PKE. It's far simpler adding new PKI-based agency applications within such an environment because so much support is available.

Many software vendors are quietly adding PKI support to their products. They know that PKI is only going to get bigger.

PKI shared-service providers

  • Cybertrust, Herndon, Va., (703) 480-8200, www.cybertrust.com
  • Entrust Managed Services, Addison, Texas, (972) 713-5800, www.entrust.com
  • Exostar, Herndon, Va., (703) 793-7800, www.exostar.com
  • Operational Research Consultants, Fairfax, Va., (703) 246-8530, www.orc.com
  • VeriSign, Mountain View, Calif., (650) 961-7500, www.verisign.com
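The Antelope-and-Beaver bridge described above, worked through as an added example (not code from the article or from any provider it names) using Go's standard crypto/x509 path validation. Two independent roots are joined only by cross-certificates, so a relying party that trusts the Antelope root accepts a Beaver-issued credential exactly when the bridge certificates are available; every key, name and certificate here is constructed on the spot.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type authority struct { // a private key plus one certificate that vouches for it (all constructed here)
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue has signer certify key (freshly generated when nil) under name; a nil signer gives a self-signed root.
func issue(signer *authority, name string, key *ecdsa.PrivateKey, isCA bool) *authority {
	if key == nil {
		key = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	}
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // path validation rejects a CA cert that lacks this
	}
	parent, signKey := tmpl, key // self-signed unless a signer is given
	if signer != nil {
		parent, signKey = signer.cert, signer.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey))
	return &authority{key: key, cert: must(x509.ParseCertificate(der))}
}
// BridgeScenario joins two independent PKIs through a bridge CA and reports whether an Antelope relying party accepts a Beaver employee certificate without and with the bridge cross-certificates.
func BridgeScenario() (withoutBridge, withBridge error) {
	antelope, beaver := issue(nil, "Antelope Root CA", nil, true), issue(nil, "Beaver Root CA", nil, true)
	bridge := issue(antelope, "Bridge CA", nil, true)                    // Antelope root vouches for the bridge key
	beaverViaBridge := issue(bridge, "Beaver Root CA", beaver.key, true) // bridge vouches for the existing Beaver root key
	employee := issue(beaver, "beaver-employee", nil, false)             // an ordinary Beaver-issued credential
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(antelope.cert) // the Antelope relying party trusts only its own root
	_, withoutBridge = employee.cert.Verify(opts) // no path to an Antelope trust anchor: rejected
	opts.Intermediates.AddCert(bridge.cert)
	opts.Intermediates.AddCert(beaverViaBridge.cert)
	_, withBridge = employee.cert.Verify(opts) // employee -> Beaver root (cross-cert) -> bridge -> Antelope root
	return withoutBridge, withBridge
}
```

Neither root is replaced or re-keyed: the bridge only adds certificates over keys that already exist, which is what lets Antelope-only and Beaver-only business continue untouched.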












