GAO: Beware managed PKI
- By Brad Grimes
- Sep 10, 2004
In a letter released yesterday, the Government Accountability Office warned that in certain situations, managed public key infrastructure services could be more trouble than they're worth to government agencies.
Writing to Rep. Tom Davis, chairman of the House Committee on Government Reform, the GAO's chief technologist, Keith Rhodes, said several agencies had looked to GAO for informal advice on managed PKI services. GAO's position was that agencies might face a greater burden in using managed services, specifically contract certification authorities, than they would if they implemented technology themselves.
In a PKI deployment, the certification authority issues and manages the digital certificates that authenticate users and systems; every relying party's trust decision ultimately rests on that authority's signing key.
GAO is especially concerned about managed services when it comes to using PKI for financial transactions. 'If the certification authority is compromised, the impacts can be catastrophic to an agency's operations,' Rhodes wrote.
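As an added illustration of why GAO treats certification-authority compromise as catastrophic (this is example code written for this page, not from the article, GAO's letter or any vendor): a relying party accepts a certificate if, and only if, it chains to a CA in its trust store, so the check says nothing about who actually held the CA's signing key when the certificate was made. The Go program below uses only the standard library to build a constructed agency CA, issue a user certificate, and compare three cases. The CA names and certificate subjects are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validity window shared by every certificate in the example.
var (
	notBefore = time.Now().Add(-time.Hour)
	notAfter  = time.Now().Add(24 * time.Hour)
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA creates a self-signed certification authority. The names used in
// Scenario are constructed for this example; they are not real CAs.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueCert signs an end-entity certificate with caKey. Nothing here checks
// who is calling: possession of caKey is all the CA "is" to a relying party.
func issueCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// accepted reports whether a relying party whose trust store holds exactly
// the given roots would accept cert for client authentication.
func accepted(cert *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Outcome records the relying party's decision in the three cases.
type Outcome struct {
	FromTrustedCA bool // issued by the CA the agency trusts
	FromUnknownCA bool // issued by a CA the agency never trusted
	AnyoneWithKey bool // issued for an arbitrary subject by whoever holds the trusted CA's key
}

// Scenario builds the cases and returns what the relying party decides.
func Scenario() Outcome {
	agencyCA, agencyKey := newCA("Example Agency CA")   // constructed name
	unknownCA, unknownKey := newCA("Unrelated CA")      // constructed name
	legit := issueCert(agencyCA, agencyKey, "alice@agency.example", 2)
	stranger := issueCert(unknownCA, unknownKey, "alice@agency.example", 3)
	// Same CA key, different subject: indistinguishable from a legitimate
	// issuance, because Verify only follows the signature chain to a root.
	minted := issueCert(agencyCA, agencyKey, "cfo@agency.example", 4)
	return Outcome{
		FromTrustedCA: accepted(legit, agencyCA),
		FromUnknownCA: accepted(stranger, agencyCA),
		AnyoneWithKey: accepted(minted, agencyCA),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The third case is the one GAO's letter is about: the relying party cannot tell a certificate minted by whoever holds the CA key apart from a legitimate issuance, so a compromised authority undermines every authentication and transaction that trusts it. That is why the controls GAO suggests target the authority itself (strict physical control over its hardware and software, and agency involvement in a contractor's implementation) rather than the certificates it hands out.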
GAO suggested several controls for implementing PKI, such as exercising strict physical control over the necessary hardware and software so they can't be compromised. According to GAO, agencies should study managed PKI services to ensure they use proper controls.
'If agencies are willing to accept this potential increased burden by accepting and mitigating the potential risks, a certification authority may be able to provide the same level of security assurances as an internal certification authority,' Rhodes wrote.
Managed PKI services stand to play an important role in rolling out the technology at government agencies. In the past GAO has recognized the potential of PKI to ensure information security, but it has also acknowledged that deploying PKI is a complex undertaking. As a result, Rhodes wrote, agencies have expressed interest in outsourcing PKI services.
In June, VeriSign Inc. of Mountain View, Calif., became the first commercial company certified by the Federal Identity Credentialing Committee to provide managed PKI services to federal departments and agencies. In March, the FICC established the Shared Service Provider program and published the requirements and processes by which managed service providers can qualify to be federal PKI service providers.
'VeriSign's managed PKI can be deployed across an enterprise or agency in a matter of days, as opposed to the months spent implementing a proprietary system,' said George Schu, vice president of VeriSign's public sector. 'The federal government has raised the bar for meeting rigorous security standards, and this program recognizes that buying proven security solutions--not building them--is the preferred way to acquire and deploy PKI.'
To mitigate any risks of using a managed PKI service, GAO recommends agency personnel be closely involved with the commercial implementation.
Rhodes emphasized that GAO's position amounted to informal advice and the group wouldn't express a formal position until it was asked to review an actual commercial service provider on behalf of a government agency. So far, the watchdog agency has not received such a request.