Monday, December 01, 2003

PKIneffective?

The week before last, I sat in on a session chaired by Tom Standage, Tech Editor at the Economist (and an old school friend, or a friend from my old school perhaps), where Bruce Schneier (type that fast) briefly featured (sadly he was delayed en route). The broad topic was security, but his being there prompted me to check his eponymous website. I came across an essay he co-wrote in 2000 on the risks of PKI ... you know, PKI - the technology that has taken 30 years to reach Gartner's trough of discontent and is struggling to emerge onto the plateau of utter disillusionment. I wish I'd read it back then because it might have saved a lot of pain. But it's still current and worth reading, as if you needed more to read. It's still hard to disagree with any of the issues that he raised all that time ago (well, nearly 4 years, seems like 4 lifetimes to me right now). Skip to the bit about Single Sign On at the end if you're familiar with the issues generally, and then the conclusion:

Our assessment is that security is very difficult, both to understand and to implement. Busy system administrators and IT managers don't have the time to really understand security. They read the trade press. The trade press, influenced by PKI vendors, sings the praises of PKIs. And PKI vendors know what busy people need: a minimal-impact solution. "Here, buy this one thing and it will make you secure." So that's what they offer. Reality falls far short of this promise, but then, this is a business and the prominent voices are those with something to sell. Caveat emptor.

Buy this one thing and life gets easy. Isn't that so often the message? And talking of buying, you could do (far, far) worse than buy either or both of Bruce's books. I can vouch for the first, Secrets and Lies; the new one, "Beyond Fear", is on my list when I'm done reading Gerstner's book on IBM.
