But, knowing what to include can be a challenge. The following are some key areas you should consider before selecting a PKI solution.
1. The company and its R&D capabilities
You'll want to thoroughly review the technology and the vendor to make sure you are comfortable with its capabilities and level of support. Is the vendor a leader or a follower in the PKI industry? How successful have they been in helping their clients deploy successful PKI solutions?
In addition, you should research the vendor's R&D capabilities to determine whether they are adequately staffed and financially equipped to consistently provide innovative, high-quality products and leadership within the market. A company's investment in R&D can be a good indicator of the level of support and technical depth that the company will be able to offer for its solution today and tomorrow.
2. Core technologies
The certificate authority (CA) is the heart of the infrastructure as this is the component that issues, manages, and validates digital certificates. For consistent security, as well as ease of management and administration, it is important to understand how vendors' products enforce consistent security policies.
Protecting the key pairs used for signing and encryption is vital. Ensure that the PKI solution has security measures in place to protect the key pairs and manage the certificates.
Key recovery capabilities are typically required for businesses that operate in a highly regulated environment and are subject to periodic inspection of business transactions. You should understand how PKI vendors support key recovery capabilities, how they ensure the protection of the archived keys, and how the PKI solution allows for key recovery operations while ensuring that non-repudiation is protected.
If a digital certificate has been compromised, or if the user should no longer be able to access systems or conduct transactions, the PKI solution should have the ability to immediately revoke the certificate and communicate the status to all relying applications upon request.
3. Criteria for assessing PKI
- Interoperability. You should be concerned with three principal levels: interoperability with applications that rely upon PKI services, interoperability between the various components that work with a PKI, and interoperability between vendor PKIs.
- Scalability. As e-commerce grows, so does an organization's security requirements. Businesses rely on dynamic interaction between customers, employees, partners and suppliers and therefore need a scalable PKI solution that will grow to address their needs.
- Ease of use. A PKI that is intrusive on the user's day-to-day business will be met with frustration and resistance to use. When evaluating PKI solutions, it is important that it provides a high level of transparency to the end user, while being easy to deploy and support.
- Investment protection. Evaluate the vendor on whether or not the solution fits into the way you run your organization and works with the systems and applications you already have in place.
- Enhanced Security. You should examine the security measures undertaken to protect the PKI. For example, does the PKI solution offer hardware-based key storage capabilities to protect root keys? You also should understand what measures the PKI offers to minimize the risk of CA being compromised.
4. Standards and pricing
You'll also want to determine the level of support you'll likely receive for your solution and identify which vendors adhere to established industry and/or government standards such as common criteria.
With any long-term investment, it is important to not only focus on the immediate cost of the software, but the cost of the technology as the deployment grows. Does the vendor price its products on a per user of per certificate model? Do the vendor's certificates expire within any defined time and need to be renewed? You'll also want to make sure you have a thorough understanding of the support and maintenance contract costs.
Kevin LeBlanc, product marketing manager, authentication division, RSA Security (www.rsasecurity.com).