A public key infrastructure project can be costly and demanding. And bottom line—it’s not for everybody.

We talked with PKI experts John O’Leary of the Computer Security Institute and Mylissa Tsai, a research analyst of information security for the Aberdeen Group. They recommended that any company considering PKI start by asking these questions:

  • Do I need PKI?
  • What are my major business partners and suppliers using?
  • Should I create my own certificates?

Read on to see why you must answer these three questions.
To find out how one enterprise put its PKI plans to work, read “Case study: How I implemented PKI.”

Do I need PKI?
In some ways, PKI is more of a legal issue than a technology issue. It will not end all your security worries, analysts say, but it is the best protection you can buy at the moment.

How can you determine whether you need PKI?

“You need it if you are operating in a higher risk environment,” said Tsai. “It’s really to protect yourself.”

Leading adopters of PKI are financial institutions and health care organizations. It’s also a good idea to consider PKI if you are engaging heavily in e-commerce, according to O’Leary. “If you’re going to do significant electronic commerce, and you don’t know personally all of the people you’re dealing with, you are a candidate for this.”

Even if you’re not in a position to implement PKI, you should research it, O’Leary said. You may be required by business partners to implement it in the future, and you’ll need to be prepared.

What are my major business partners and suppliers using?
PKI systems face a major compatibility barrier that, thus far, vendors have not resolved. This means you need to be on the same PKI system as your major business suppliers and partners, according to Tsai. It also means that smaller companies will, in effect, have their PKI system chosen for them by larger business partners.

Should I create my own certificates?
While creating your own certificates is certainly possible, it may not be advisable, Tsai said. One reason: Your business partners won’t be able to use a proprietary certificate system.

It’s best to use one system across your organization that can grow with your business. What happens when accounting wants to move payroll to PKI and your financial institution already uses a different and incompatible PKI system?
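The incompatibility the article describes comes down to trust anchors: a certificate issued by your own in-house CA is only accepted by parties whose trust store contains that CA's root. The following Go program is an added example, not code from the article or from either analyst, using only the standard library. It builds two self-signed roots ("Our Company" and "Partner Bank", constructed names), issues a payroll server certificate from the first, and verifies it once against each trust store; the hostname `payroll.example.test` is likewise constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caMaterial bundles a CA certificate with the private key that signs for it.
type caMaterial struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRootCA creates a self-signed root certificate for the named organization,
// standing in for a "create your own certificates" in-house CA.
func newRootCA(org string) (*caMaterial, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Template and parent are the same certificate, so the root signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &caMaterial{cert: cert, key: key}, nil
}

// issueLeaf has ca sign an end-entity (server) certificate for dnsName.
func issueLeaf(ca *caMaterial, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst validates leaf for dnsName using only the given roots as trust
// anchors, which is what a relying party's trust store amounts to.
func verifyAgainst(leaf *x509.Certificate, dnsName string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   dnsName,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownAuthority reports whether err is the "no path to a trusted root"
// failure, as opposed to an expiry, name-mismatch or signature problem.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	ours, err := newRootCA("Our Company") // constructed name
	if err != nil {
		panic(err)
	}
	bank, err := newRootCA("Partner Bank") // constructed name
	if err != nil {
		panic(err)
	}
	leaf, err := issueLeaf(ours, "payroll.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("own trust store:    ", verifyAgainst(leaf, "payroll.example.test", ours.cert))
	fmt.Println("partner trust store:", verifyAgainst(leaf, "payroll.example.test", bank.cert))
}
```

The same certificate passes against your own root and fails with an unknown-authority error against the partner's, even though nothing about the certificate itself is wrong. Getting the partner to accept it means either adding your root to their trust store (a policy and contractual exercise, not a technical one) or obtaining certificates from a CA both sides already trust, which is the interoperability argument the analysts make.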