OpenTrust chief executive David Terry explains why PKI may finally become ubiquitous
IT Week: As chief executive of identity management specialist OpenTrust, what do you think is holding back public key infrastructure (PKI) uptake: rollout and management complexity, or is it just too expensive?
David Terry: PKI has been around for more than 10 years now, and in the early days it was always seen as the golden solution for security needs. But in order to realise this potential, it needed a killer application that would drive the technology forward; this never happened. In the past few years, PKI has been rolled out by stealth in governments, large financial organisations and, of course, on the web through Secure Sockets Layer (SSL). Elsewhere, PKI has still been seen as too expensive and complex to deploy.
Do you expect this situation to change any time soon?
Yes, and for several reasons. First, where PKI has been deployed in government and large organisations, we are now seeing their supply chains wanting to interact with these governmental and financial organisations. A good example of this is the MoD and its supply chain. The fact that Microsoft has now embraced the technology [in Certificate Services for Windows Server 2003] has raised its profile, and standards such as PCI are forcing people to look at encryption for data at rest and also in transit. The rise of, and increased publicity surrounding, identity theft has raised these issues and brought them into the public eye. More recently, the HMRC saga has also reignited the issue in a very public way.
Could the HMRC data loss have been prevented by a public sector PKI infrastructure?
There are two fundamental issues that should have prevented the HMRC disaster. First, businesses or government departments should have security protocols in place to ensure that it is not possible for sensitive data to be written to removable media. Secondly, if there is a requirement to transfer data, whether on CD or by email, it is imperative that this is heavily encrypted, with PKI technology for example. The responsibility lies with the organisation, which must ensure it has the correct protocols in place to allow employees to continue their day-to-day work without security breaches.
How does OpenTrust differentiate itself from its competitors?
PKI products should make management of encryption and authentication certificates cost effective and easy. We use open standards to ensure that deployment is quick and simple, and our systems are built with recent internet technology and standards using service-oriented architecture rather than the old legacy technologies. Our licensing is also not restricted to the number of users.