The White House and the Pentagon aren’t the only government agencies embracing public key infrastructure (PKI) — encryption — for Internet security. State agencies in Illinois, and other states, like Virginia, are as well, and, in a twist, they are now farming out the management of the services to third parties.
More than 100 government agencies in Illinois have been working with Entrust, a Dallas-based developer of PKI technologies, for several years. That requires a lot of IT talent to manage and operate. Last week, Entrust disclosed that this quarter it is debuting a managed PKI service for the government sector, and that Illinois is one of the initial customers.
There is “renewed interest in PKI” in the government sector, said Allan Carey, a research analyst at IDC. The catalyst is President Bush’s directive, HSPD-12, or Homeland Security Presidential Directive 12, issued in late 2004, said Carey. The directive calls for the creation of a “common” identification standard for all government employees. With state and local governments cooperating more closely with the feds on homeland security in the wake of 9/11, the directive is spurring the states to action.
PKI can use several algorithms, though typically the RSA algorithm is used, which is based on the difficulty of factoring large integers, Ted Demopolous, an IT consultant, business book author, and founder of Demopolous Associates in Durham, N.H., told the E-Commerce Times.
PKI is, he said, considered secure, although there is no “mathematical proof” that it is, indeed, secure.
Encryption is difficult to implement — and the government is interested in farming out management of the process.
“Managed PKI service will be of particular interest to state agencies that need stronger security with the enabling characteristics of PKI, but don’t want the costs of building and maintaining the IT infrastructure,” said Peter Bello, senior vice president of Entrust.
The managed service, expected to be operational this quarter, will enable data exchange between agencies and be compliant with the Federal Bridge Certificate Authority (FBCA) cross-certification standards, Bello said.
PKI enables users of unsecured networks such as the Internet to exchange data, and money, privately and securely through the use of a private cryptographic key obtained through a trusted authority. The infrastructure provides for the presentation of digital certificates that identify particular individuals, and the authority that issues the certificates can revoke them when a security breach has happened, Demopolous told the E-Commerce Times.
“A person’s private key has to be kept private or the system falls apart!” said Demopolous, author of the best-seller Blogging for Business. “It’s often stored in a computer file system and password protected, or may be stored in a smart-card or other device. Keeping the private key private is subject to user error and a possible source of attack. Users are always the weak point.”
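The cycle Demopolous describes above, a trusted authority issuing certificates that identify individuals, a relying party checking them, and the authority revoking one after a breach, as an added Go example using only the standard library (not code from the article, Entrust, or Demopolous). The authority name, the person’s name and the serial numbers are constructed, and the revocation list is modelled as a set of serials the relying party has already fetched rather than a parsed CRL.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Template describes a certificate naming one party, valid for a day; ca marks an authority that may sign others.
func Template(serial int64, name string, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca}
}

// Sign has the holder of key certify template t; parent is the signer's own certificate (t itself for a
// self-signed root). Whoever holds this key can issue in the authority's name, so it "has to be kept private".
func Sign(t, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER the library just produced always parses
	return cert
}

// NewRoot creates a self-signed trusted authority; nothing vouches for it but the relying party's choice to install it.
func NewRoot(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := Template(1, name, true)
	t.KeyUsage = x509.KeyUsageCertSign
	return Sign(t, t, pub, key), key
}

// Accept is the relying party's check: chain to the trusted root, be inside the validity period, and not be
// on the authority's revocation list (revoked is a constructed stand-in for a CRL or OCSP lookup).
func Accept(cert, root *x509.Certificate, revoked map[string]bool) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // signed by some other key, even if the issuer name reads the same
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked by its authority")
	}
	return nil
}
```

A certificate issued by a second, self-made authority that copies the real one’s name is rejected, because the relying party trusts the root’s key, not its name.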
Demopolous noted that the technology is used by giant online merchants today. “If you buy something online, like a book from Amazon, PKI is used for the transaction, including encrypting your credit card details as they travel over the Internet and making sure you’re actually placing your order with Amazon, as opposed to some crook that just wants to steal your credit card details,” added Demopolous.
Wholly online businesses have embraced PKI, and now the government has too, but conventional businesses that merely use the Internet are not on board yet.
“What is worrying is that with more transactions being conducted over the Internet, people are still dependent on perimeter security,” said Andy Beard, director at PricewaterhouseCoopers.
In addition to the Pentagon and the White House and state agencies, other government clients using PKI now include NASA, The U.S. Patent and Trademark Office, the FBI, and the Departments of State, Trade and Energy, according to Entrust. The solution is about as good as it gets today.
“The executive summary on PKI — it’s secure and a good approach,” noted Demopolous. “That said, nothing is 100 percent secure.”