But just when you thought it was safe to turn your back, PKI rises from the grave. The evidence: a show of hands at a recent meeting of IT security professionals pegged PKI projects twice as popular as a year ago. This admittedly unscientific survey does not a trend make, but the roots of this sudden resurgence in PKI are unmistakably traced to one company: Microsoft.
Microsoft has bundled PKI with its operating system since Windows 2000. The Windows Server 2003 version of Certificate Services has been rebuilt from the ground up to be more than just the 'useful tool' its Windows 2000 namesake was. It is far more feature-rich, supporting many more of the certificate extensions the industry demands today, and its internal architecture, including its audit capability and standards compliance, has also improved greatly. Microsoft Certificate Services is in beta evaluation now and will ship later this year with all Windows Server 2003 products, including Server, Enterprise Server and Datacenter Server.
Microsoft's PKI success where other PKI vendors, including Baltimore, Entrust and VeriSign, have failed can be traced to two causes: cost and branding. The business case justification for security in general and PKI in particular has always been a challenge. Microsoft's reasoning is that it is easier to attack the cost side of the PKI ROI equation than to justify it solely on a returns basis. It is bundling PKI with its server operating systems at no additional charge and, unlike its competitors, the certificates themselves are free. Microsoft has also reduced the cost of implementation through simplified default behaviors, and it includes application programming interfaces (APIs) and tools to modify these and other settings.
Faster implementation also reduces project costs, since much of the total project cost is expensive consultants performing integration services. The result is that a quick, simple pilot with Microsoft Certificate Services can be many times faster than a Baltimore, Entrust or VeriSign solution. Since many PKI projects die before they reach the pilot stage, a cheap, fast pilot makes upper management far less reluctant to spend the money on a prototype. The branding argument almost goes without saying: any PKI companies out there willing to go head to head against Microsoft's marketing muscle? I think not.
Security skeptics will say that no one should trust a security product from Microsoft, the company that brought you IIS and SQL Server. I think eventually Microsoft will 'get it right' with regard to security products. It usually takes Microsoft more than one try to hit the sweet spot of any market. Internet Security and Acceleration (ISA) Server is an example of Microsoft not giving up on a security product. It recently released a new version of ISA Server and appears poised to gain market share from established firewall players like Check Point Software and NetScreen.
Directory services like Microsoft's Active Directory, accessed through the Lightweight Directory Access Protocol (LDAP), also help bolster the case for PKI. LDAP gives the PKI a central (or physically distributed but centrally controlled) store for identity information, so a systems administrator can 'turn off' several thousand users at once instead of visiting a separate user database for each system, as is often the case with RADIUS authentication. This can be very helpful during a merger, corporate spin-off or labor dispute where you need to perform mass enrollment changes. One caveat: disabling an account stops logons that consult the directory, but it does not invalidate certificates already issued to that user. A relying party that validates the certificate on its own (an S/MIME recipient, a TLS server doing client authentication) keeps trusting it until it expires or the CA revokes it and publishes a fresh CRL, so mass disablement has to be paired with mass revocation.
Microsoft Certificate Services works in two modes of operation. One is a standalone certificate authority (CA), which has no interaction with Active Directory whatsoever: the server need not even be a domain member, and by default incoming requests sit in a pending queue until an administrator approves them. The other is an enterprise CA, which is tightly integrated with Active Directory: it must run on a domain-joined server, reads its certificate templates and enrollment permissions from the directory, and authenticates requesters with their domain credentials. The standalone CA can therefore be kept completely independent from the rest of the environment, which is useful from a physical, network and administrative standpoint (an offline root CA is the classic case). The enterprise CA is more feature rich, truly integrating with the desktop environment and offering encryption key archive and recovery and automatic enrollment and renewal. However, it makes many more assumptions about your environment, and the version 2 certificate templates those features depend on require the Enterprise or Datacenter edition of the server.
What's missing from Microsoft Certificate Services? Out of the box, the administration tools are sparse: an MMC snap-in plus the certutil and certreq command-line utilities. This is not sufficient for administering the certificate authority (CA) in a 'lights out' operation, where physical and network access to the CA is limited to the privileged few. However, with typical foresight Microsoft exposes the CA through a set of COM interfaces (ICertRequest for submitting requests, ICertAdmin for approving, denying and revoking them, ICertView for querying the CA database) that allow organizations either to write their own tools to build registration and administration processes around the CA, or to purchase third-party solutions that leverage the same APIs to do exactly this.
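The following is an added example, not code from the original article or from Microsoft, tying together the two points above: the mass "turn off" that a central directory makes possible, and the kind of offboarding tool an organization writes against the CA's own interfaces rather than the console. It disables each listed account in Active Directory, revokes every certificate the CA issued to that account through the ICertAdmin COM interface, and publishes a new CRL so the revocations actually reach relying parties. Everything environment-specific is assumed: the RSAT ActiveDirectory module is installed, the CA is reachable as "ca01.corp.example\Corp Issuing CA" (a hypothetical name), the caller holds the "Issue and Manage Certificates" right on that CA, and .\leavers.txt is a constructed input file with one sAMAccountName per line.

```powershell
<#
  Added example, not code from the original article or from Microsoft.
  Offboards a list of users by (1) disabling their Active Directory accounts,
  (2) revoking every certificate the CA issued to them, and (3) publishing a
  fresh CRL so relying parties learn about the revocations.

  Assumptions (hypothetical names): RSAT ActiveDirectory module installed,
  CA reachable as "ca01.corp.example\Corp Issuing CA", caller holds the
  "Issue and Manage Certificates" right, .\leavers.txt is a constructed file
  holding one sAMAccountName per line.
#>
param(
    [string]$CaConfig = 'ca01.corp.example\Corp Issuing CA',
    [string]$UserList = '.\leavers.txt',
    # CRL reason code: 3 = affiliation changed (leaver), 1 = key compromise,
    # 6 = certificate hold (reversible, e.g. during a labor dispute).
    [int]$Reason = 3,
    [switch]$DryRun
)

Import-Module ActiveDirectory

$domain    = (Get-ADDomain).NetBIOSName
$certAdmin = New-Object -ComObject CertificateAuthority.Admin   # ICertAdmin
$revoked   = 0

foreach ($line in Get-Content $UserList) {
    $sam = $line.Trim()
    if (-not $sam) { continue }

    $user = Get-ADUser -Identity $sam -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "No such account: $sam"; continue }

    # Step 1: one directory write stops interactive and Kerberos logons everywhere.
    if ($DryRun) { Write-Host "Would disable $sam" }
    else         { Disable-ADAccount -Identity $user }

    # Step 2: the directory knows nothing about certificates already in the wild.
    # Ask the CA database for every issued certificate (Disposition=20) whose
    # requester is this account; certutil prints one text block per row, and
    # the serial number is pulled out of each block.
    $rows = & certutil -config $CaConfig -view `
        -restrict "RequesterName=$domain\$sam,Disposition=20" `
        -out "SerialNumber" 2>$null
    $serials = foreach ($r in $rows) {
        if ($r -match 'Serial Number:\s*"?([0-9A-Fa-f]+)"?') { $Matches[1] }
    }

    foreach ($serial in $serials) {
        if ($DryRun) { Write-Host "Would revoke $serial (issued to $sam)" }
        else {
            # ICertAdmin::RevokeCertificate(config, serial, reason, date); date 0 = now.
            $certAdmin.RevokeCertificate($CaConfig, $serial, $Reason, [double]0)
            $revoked++
        }
    }
    Write-Host ("{0}: {1} certificate(s) {2}" -f $sam, @($serials).Count,
        $(if ($DryRun) { 'to revoke' } else { 'revoked' }))
}

# Step 3: a revocation helps nobody until it is published. Issue a new CRL
# immediately instead of waiting for the scheduled one.
if (-not $DryRun -and $revoked -gt 0) {
    & certutil -config $CaConfig -CRL | Out-Null
    Write-Host "$revoked certificate(s) revoked; new CRL published."
}
```

Run it once with -DryRun to see which accounts and serial numbers it would touch before committing. The reason code matters: "affiliation changed" is right for a leaver, "key compromise" is the honest answer if the private key may have left with the user, and "certificate hold" is the reversible choice for someone who may come back, which is why the example does not hard-code it. Because the script talks to the CA only through certutil and the ICertAdmin interface over DCOM, it can run from an administrator's workstation while the CA itself stays behind the lights-out perimeter the article describes.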
It is ironic that for most PKI vendors the news about PKI's resurgent popularity is not good. Companies like RSA with substantial non-PKI businesses are taking the high road and partnering with Microsoft to provide non-PKI authentication services. Others will continue to struggle as they try to compete on non-Microsoft platforms, mine their installed bases, and avoid competing against Microsoft directly. A better strategy may be to develop complementary products and services that assume a Microsoft PKI implementation. As companies who have tried and failed to compete against Microsoft will attest, it is often better to grab a surfboard and ride the waves created by the Microsoft tsunami than to stand ground and risk being washed away like so many grains of sand on the beach.
Robert Lonadier (firstname.lastname@example.org) is the president of RCL & Associates, a Boston-based analyst and consulting firm specializing in providing implementation-ready counsel and advocacy services to senior management in information security. RCL does not currently have any relationships with the companies mentioned in this article.