GAO: Adopting PKI security will be tough for government

The federal government needs to overcome several obstacles before it can implement the public-key infrastructure (PKI) technology needed to deliver electronic government services effectively and securely, according to a report released last week by the U.S. General Accounting Office (GAO).

Though these obstacles can be surmounted, doing so will require a lot of coordination among the different agencies, the report said. And that isn't a near-term prospect.

Key challenges cited in the GAO-01-277 report include the following:

  • Meshing incompatible PKI technologies across the different agencies.
  • Ensuring that PKI implementations can support a large number of users.
  • Reducing the cost of building PKI systems.
  • Setting policies that maintain trust levels among different government agencies.

A PKI comprises hardware, software and services that enable the secure and private exchange of data and transactions over the Internet. The GAO report, which was commissioned by Rep. Stephen Horn (R-Calif.), details efforts by the federal government to implement PKI technologies for use in its electronic initiatives.

Though a growing number of vendors today offer PKI products and services, there are no common or widely accepted standards for PKI technologies. As a result, there is little compatibility between PKI products from different vendors.

Therefore, "standards are necessary -- but not sufficient -- to guarantee interoperability," said Derek E. Brink, who heads the customer advisory council for one PKI vendor, RSA Security Inc. in Bedford, Mass. Brink is also chairman of the PKI Forum, an industry group of vendors and users advocating the use of PKI as an enabler of online business.

"[Interoperability] needs to be described and understood in terms of component-level, application-level and interdomain interoperability," he said. The only way to address the issue is by profiling standards and conducting multivendor interoperability testing, he said.

Developing a governmentwide PKI network will require systems that work seamlessly with each other across agencies, the GAO report noted.

Also, "since full-featured PKIs are rare, and those that exist are in the early stages of implementation, it is not yet known how well this technology will truly scale," the report said.

The high cost of implementing PKI could also be a deterrent for many agencies, the report cautioned.

Any effective governmentwide PKI implementation program would require well-defined policies and procedures for installing and monitoring the security of each agency's system on an ongoing basis.

The Office of Management and Budget, which has statutory responsibility to develop and oversee policies relating to the security of federal information, should provide agencies with direction for implementing PKI, the GAO report recommended. The policy guidance should relate to the use of PKI and to ensuring that agency PKI implementations meet consistent levels of security, the report added.

This story, "GAO: Adopting PKI security will be tough for government," was originally published by Computerworld.
