PKI maturing as favoured e-commerce security solution

By Maeson Maherry
Johannesburg, 07 May 2001

Public Key Infrastructure (PKI) is emerging as essential on a growing number of corporate IT security budgets.

Far from being a trendy newcomer in security solutions, however, this technology has a surprisingly long, interesting and substantive history - one that's likely to back up confidence in it as the favoured Internet and e-commerce security standard of the future, says Maeson Maherry, Professional Services Manager at the South African Certification Agency (SACA).

Maherry confirms PKI's early roots in the US Intelligence community and Defense industry even prior to the 1960s.

"But it was the decade of the mid eighties to mid nineties which saw the end of the Cold War and the advent of the first commercial encryption product on the market that spurred its development as a commercial solution," he says.

"By 1995 it was edging into electronic commerce environments and by 2000 it started assimilating into all Internet business applications.

"The next step will be to see PKI equally well assimilated amongst private Internet users as well as business users. We see it becoming pretty ubiquitous, setting the legal framework and security standard for e-commerce, particularly in its ability to secure VPN environments and promote digital signatures as an effective legal replacement of ink signatures."

International research supports that prediction. Datamonitor UK, for instance, estimates PKI spend will grow by 46% per annum globally over the next five years, from US$164 million in 2000 to a total market value of US$2.6 billion in 2005.

That far outpaces expected growth in value of the global firewall security products market, which topped US$1 billion last year but is only expected to double over the same five-year period. Similarly, global spend on anti-virus software will double from US$1.5 billion last year to US$3 billion in 2005.

Datamonitor attributes the results to surging interest in Trust infrastructures and to worldwide progress in getting digital signatures recognised as legally binding. The US set the trend in October last year, introducing legislation giving digital signatures the same legal weight as ink signatures. The UK, France, Finland and Thailand have been similarly approving.

Maherry also quotes a Forrester Research report which confirms the shifting trend in global security spend, explaining: "With $2.7 trillion in B2B commerce at stake in 2004, firms will demand high quality certification of staff, business partners and customers."

"The message to companies doing electronic business is clear," says Maherry: "Invest in PKI now to get maximum business benefit from it in the next few years when you'll need it most!

"At the moment the majority spend is on firewall and anti-virus protection," he continues. "The problem is neither of these adequately uphold the six pillars of information security (authenticated identification, authorisation, integrity, confidentiality, non-repudiation, and availability) so we continue to see regular reports of major security infringements and violations.

"PKI on the other hand addresses all these security pillars in a single product."

But exactly why, in business terms, is this such a crucial distinction? "People are starting to do core business over electronic mediums like the Internet and corporate networks, and electronic business has exactly the same needs as real world business for proof of identity and signed contracts supported by law in order to be trusted, effective and binding," Maherry explains.

"Security remains a major concern. However, e-business can actually be more secure and trustworthy because with the right technology in place, security infringements can be immediately detected at any stage.

"PKI stops the gaps other security technologies leave wide open. It uses digital certificates and digital signatures to ensure privacy, integrity, positive identity and non-repudiation. The digital certificates are like individual digital ID books that cannot be stolen, hacked into, forged or tampered with in any way. Issued and used the right way, they verify identity beyond doubt.

"Digital signatures back up identity and protect the integrity of what you digitally sign, thus providing further basis for non-repudiation - an essential aspect of successful e-business initiatives. The signatures are persistent, which is to say that they remain after a transaction is complete so that a full audit trail of activity identifying exactly who did what in any transaction can be maintained.

"This means that we can put accountability into e-business and deliver business systems that have real world benefits."

And that applies to any business system, says Maherry, including Extranets, Intranets, ERP systems, messaging systems (like Exchange, Notes, etc.) and VPNs (Checkpoint, Cisco, etc.). In fact, it applies wherever accountability is needed, where information needs to be protected against unauthorised internal or external access, or where it should not be tampered with once finalised.

"PKI has had decades of consolidation of interoperable and secure standards," he concludes. "It's ready now to take off as the critical factor in securing e-business for the kind of growth industry pundits are predicting.

"Forward-thinking companies would do well to implement PKI early to reap the benefit of that growth."

Editorial contacts

Charnia Absil
Sabio Communications
(011) 476 8270
sabio@ibi.co.za