The key to e-government

Well before the arrival of the new year, it seemed that the eyes of the federal information technology community had begun to shift from the Year 2000 problem to the topic of IT security.

Although security is a broad subject encompassing a variety of concepts and technologies, one solution that likely will gain prominence in the lives of federal IT managers during the coming months is public-key infrastructure.

For most of us, the extent of our experience with PKI is that little image of a lock that appears at the bottom of our World Wide Web browsers when we are buying something online. Yet as government agencies continue to ramp up their electronic government initiatives, PKI's role in facilitating the security of those initiatives will increase dramatically.

In its most basic form, PKI allows secure communication between two parties. Specifically, it can be used to guarantee the identity of the message sender, ensure that only the message recipient can read the message, and assure both parties that the message was not tampered with during transmission.

The most pervasive application of PKI is securing credit card transactions via the Web, but that only scratches the surface of PKI's usefulness and applicability to the online world.

In the past year, federal agencies have put forth a variety of programs using PKI:

* The Patent and Trademark Office is using PKI for securely communicating the status of patent applications.
* The Internal Revenue Service is piloting a program to allow tax filings via the Web using PKI.
* The General Services Administration recently awarded several contracts under its Access Certificates for Electronic Services program for the provision of digital certificates to facilitate e-government initiatives across the federal government.

Despite its rapid increase in acceptance, PKI is not without its limitations. As with any security solution, it is only as secure as its weakest link. If the key used to decrypt a message, called the private key, is lost or compromised, you can no longer be assured of the privacy of your message.

Similarly, there is a "people" factor involved in maintaining the integrity of PKI. Just as an employee can inadvertently leave a door unlocked to a secure office, an employee also can leave a private key insufficiently protected. Unlike your car keys, which have to be physically duplicated, private keys exist electronically and can be copied over a network as easily as any other electronic file. That makes it just as important for agencies to create sound security procedures for employees as it is for them to build an effective technical infrastructure.

We may be far from the days when citizens have personal certificates as a means of doing business with the federal government. PKI is still too cumbersome for the average citizen, and support is not yet widespread enough to make it worthwhile. However, the technology is ripe for rapid expansion in the federal government for business-to-business applications.

Indeed, from secure e-mail to intranet access control, we can expect to hear a lot about PKI in the coming year.

— Plexico is vice president and chief technology officer at Input, an IT market research and marketing services firm.
