eSecure recently asked a panel of industry insiders to think about 'the role of PKI in the e-business space. What can security professionals and business executives expect from the technology and where does it fit within the context of emerging e-business models?'
The exact answers are of course unclear. But to get at least an impression of what is ahead, read on. This is part 2 of 'PKI, a discussion on its strategic role', Part 1 of which was published in the eSecure July 2001 issue. eSecure and RSA Security will continue to host the RSA Security Roundtable in an effort to dig beneath the marketing hype and tackle the issues that really matter.
Margie Cashwell, RSA Security
Michael Horn, AST Security Management
Adriaan Graaf, VelocIT-e
Clive Handley, VelocIT-e
Kevin Robberts, VelocIT-e
Drix Pretorius, SACA
Maeson Maherry, SACA
Ian Clark, FBCI
Part 1 of this discussion finished off by posing the question 'What factors do you feel are most important in the process of selecting partners and solutions? For example:
* The selection of vendors, suppliers and system integrators on the basis of their management team and what drives them, what their ambitions are and their involvement in the business.
* The market strategy of the vendors, where are they headed and what is their track record, will they be around in a few years time.
* What is the company's core business, is it focused exclusively in this area or is it one of a number of product areas that it is involved in?'
Margie Cashwell of RSA Security was emphatic in suggesting that all of the above points are critical factors. "Anytime you select a solution, the vendor behind that solution should be merited on each one of those points," she said. "Failure on any one of those could mean long-term trouble but on an overall average, if the vendor can meet those to a satisfactory degree, then I think you are in a fairly good position that that vendor is going to be there for a while if they can meet all the criteria."
Cashwell suggested that she had been involved in responding to a lot of proposals and each one that is serious about PKI has those questions in it. "They want that information and if an RFP (request for proposal) does not have those questions in it, then they are not really serious about PKI."
eSecure: In the proposals that you have had put in front of you, to what extent has cost of the implementation been a key factor?
Margie: Well, they all want PKI for nothing. In terms of costing, because we are talking about a solution and not a shrink-wrapped package, we have approached it from providing a basic list price, with caveats that there are underlying costs involved that cannot be quantified, or even identified, in the RFP process.
So we like to position it that if the solution will be met in terms of the technology that is offered, those other costs will need to be negotiated and ironed out after the fact.
But most of the time you have to sit down and really work out what the customer's requirements are and that there are no hidden costs in it. And the only way you can do that is assume the customers must know what they want. And when an RFP comes out you need to assume that they have done their homework and know what they want.
eSecure: To what extent does a customer need to understand the technology to be able to articulate what he wants? To what extent must there be an understanding of PKI and the technical issues that are involved in PKI?
Margie: When I say that a customer needs to know what they want, they do not need to know the technical requirements, they need to know what their business drivers are. What do we need to do with PKI? What applications do we have that need to be PKI-enabled? Where do we want to go with this strategy? Those are the requirements I am talking about as being identifiable.
When we as a vendor or solutions provider understand what those business drivers are, we can then walk in and deal with their technical people and provide the input they need in order to make the technical part happen to support those requirements - that is what we need to know.
eSecure: To what extent are you finding RFP/RFQs of PKI implementations driven by the IT operations of a business as opposed to driven by the strategic executive business requirements?
Michael: It is crucial that it comes from the business side, although there are still many from the technical side. Getting to the point of successfully bidding and deploying, it is crucial that there is senior management buy-in from the company. If we do not have that we are not going to have a successful deployment.
Maeson: Let me add to that. It is clear that our ideal audience has changed. Three years ago, when the US export restrictions were still in place, the ideal audience was very technical and you could still convince him you could deliver a highly secure solution. Now the ideal audience includes the CIO and risk management people, perhaps even legal people. They are your ideal audience because you are addressing business risk issues.
Margie: What I have also seen from the request for proposal/quotation process is that it is put out by the IT technical folk for us to provide input for them to put together a proposal to shoot up the chain so they can get executive sign-off in terms of justifying why they need it, rather than the other way round.
Up until recently, this has epitomised probably 90% of all the RFPs we have responded to. The real reason behind the proposal was not because there was a business need, the IT people identified an area which they were concerned about but in order for them to pull it off they needed the input from us to be able to justify it up to their executive branch and management to get the project funded or sign-off on.
Which is fine and I think we can provide a valuable service to corporations doing that. However, I would prefer it the other way around.
eSecure: It makes sense to me that the other way around, driven by the business reasons for implementing, goes a long way to ensuring that your ROI is much easier to quantify and you get to it quicker than the other way around.
Michael: I think that companies need to do a PKI assessment even before they get into the RFQ/RFP phase. They need to look internally to see if the environment is correct for secure messaging systems, for a VPN solution and seeing where a PKI can benefit their environment. They need to look at some of the soft issues, such as whether their legal team supports digital signatures, or if their HR team is aware of digital signatures and how they would enforce their use through hiring procedures etc.
eSecure: One issue that has not been talked about is that of the liability of the integrators and the vendors themselves in implementing a solution on behalf of the customer and what the ramifications are of the implementation failing. Obviously service level agreements (SLAs) are put in place to safeguard both parties but does anyone have a comment on this issue?
Margie: In terms of deploying PKI, you have to have strong policies in place and all participating parties have to comply with these policies. There has to be some contractual obligation by all parties involved that they will comply with policies, lack of which will lead to liability. The question is, where will the liability lie? Is it going to be in the fact that the policies failed to be complied with or is it that we deployed a solution that did not allow the policy to be enforced? So that all has to be looked at when implementing a PKI solution. And in terms of an integrator and the company coming back to considering the vendor of choice, it should be taken into account as to what due diligence the vendor does provide in that kind of deployment.
Drix: The liability in my real world is a big issue. But in my ideal world, I hope that things like knowledge management and being customer-centric will actually make us think about customers, providing privacy and respect for them. Respect means you encrypt their information. This is not the same as being forced to because of liability issues. In reality we are far from this, but hopefully some leading companies worldwide will start going that way, not as a baseline standard but as a value-add.
Maeson: It is about vendors having a track record, because to a large extent a portion of the risk is mitigated by the fact that it is a well-scrutinised solution. It comes down once again to who you choose to partner with and what track record they have.