- Firewalls established the fortress for a corporation, of which intrusion detection served to enhance this capability
- Antivirus protected hosts and desktops to the threat of infection;
- VPN’s ensured secure communications over public networks;
- PKI steps in to provide application level security, and removes the inherent weaknesses of ID’s and passwords, by linking the identify of users to their Internet hosts through digital certificates
But PKI goes further, and crossed the boundaries of security by enabling a host of services which were not previously enabled due to the lack of infrastructure;
- Digital Signing of electronic documents
- Electronic supply chain management
- Electronic (e)Ordering & eProcurement
- Online eGovernment Services
- Healthcare & National ID Services
These are only a few examples of new applications which were not previously acceptable on the Internet, but have enabled new services due to the enhanced security offered of PKI. How do we bridge the gap from our current IT infrastructure, to enhanced security using PKI? This article outlines two fundamental implementations referred to as in-house PKI and outsourced (cloud-based) PKI solutions. The purpose of this article is to describe the value proposition and intrinsic differentiation of these two approaches.
Setting the Stage
PKI is one of the few technologies today which integrates the disciplines of Legal Practices & Information Technology. This results in several unique challenges in deployment, but also is a reflection of the distinctive nature that PKI serves the Internet. Namely, our ability to identify the existence of a company, recognize individuals through the use of digital certificates, and legally binding digital signatures to the same validity as a hand written signature. To overcome the legal and technological obstacles, implementing a PKI solution has resulted in two fundamentally different approaches, described as follows:
In-house PKI
- This involves the implementation of a managed in-house PKI solution. In this approach the customer purchases PKI software and hardware which is used to deploy digital certificates to individuals in the company. Dedicated staff are responsible for defining their own certificate practices and policies for the creation and distribution of digital certificates throughout the corporate infrastructure. Companies perceive that this approach offers inherent “ownership” and flexibility. But typically this option requires a large upfront investment in both time and money.
Outsourced PKI
- This cloud-based approach is analogous to the service provider market whereby the ownership of infrastructure is with an external entity know as a Certificate Authority (CA). The CA is responsible for setting policy, managing information technology (IT), and owning liability on behalf of the customer. But we don’t stop there. The advantage here is control of their certificate issuance, co-branding, and management, while moving the responsibility of maintenance, scalability, and policy management to the back-end (commonly referred to as the processing center).
Furthermore, outsourced solutions cover all aspects of the PKI infrastructure such as:
Legal
- Certificate Policy Statement (CPS), Certificate Practices (CP) which establishes the legal framework of PKI. In Europe conformance is to the EU Signature Law Directive.
Technical
- The CA maintains the ability to migrate PKI to new standards. Since the PKI processing center is upgraded once in the back-end, all customers take advantage of new features simultaneously. This also applies to technological upgrades such as the up-in-coming XKMS standard developed jointly by VeriSign, Microsoft and WebMethods, allowing for an open standard for PKI in XML environments.
Human Resources
- Project management, Policy management, and certificate deployment costs are often lost in the overall cost of ownership model. All of these costs are substantially reduced when outsourcing, since the expertise of PKI deployment are off-loaded to the CA.
Outsourcing has becoming increasingly attractive as it removes the burden of a large upfront investment, and takes the emphasis off licensing as the main revenue stream. This has become even more important during times of economic difficulty, as cost-cutting becomes a primary concern. “The primary benefit of this [cloud] business model for end-user businesses is avoiding the administrative, project management and IT integration demands that an in-house implementation would require without relinquishing control over the solution.” Data monitor
Spending
Decisions around eSecurity spending are often compared to metrics of lowing cost, flexibility, control, and deployment speed. In-housed deployments are sold on the perceived merits of greater control, flexibility and lower costs in the long term. In-house certificates are expected to be issued and revoked quickly, and security policies tailored to business needs. Ironically, outsourced solutions are up and running in a much shorter time-frame, result in lower capita and operationall investment, when the total cost of ownership (TCO) is taken into account. In fact, allowing companies to outsource their security gives them more flexibility to concentrate on their core business. IDC estimates that the global IT management services market will expand from 95.3 billion US$ in 2000 to 214.9 billion US$ in 2005. This is a compounded growth rate of 17.5%. The trade-off is often judged on “up front costs”, since proponents of in-house solutions have the customer compare their proposal cost to that of a cloud-based service provider.
Customers are often caught up in the shadow of proposal costs, ignoring tangible factors such as Total Cost of ownership, and Investment Protection of a given solution. For certificate services, total deployment costs can be grouped into four main areas:
Human Resources
- Project management costs to deploy the overall infrastructure and services
- Operational & maintenance support includes costs associated with application integration
- Costs of managing the Registration Authority and Certificate authority should not be overlooked
- Human resources need to build PKI expertise and maintain these in-house systems
Infrastructure
- Hardware and Software costs which form the basis of the PKI infrastructure
- Secure Processing facilities are critical to ensure that the root key (or CA private key) is protected against theft or fraudulent threats.
- Upgrades due to technology evolution and scalability
Services
- Training costs should be taken into account,. Both during the initial deployment as well as further education needed as legislation and this technology evolves.
- External consultant services are often require significant investment for an in-house solution.
- Security Audits are required to ensure compliance to national or internationally recognised standards.
Legal & Policy Requirements
- Trust practices which include legal conformance to local signature laws as well as establishing PKI policies and procedures
- Liability to the company in the event of a legal dispute
Figure #1 shows the inherent costs associated with an in-house solution. All components of a. Services, b. Human Resources, c. Infrastructure and d. Legal are the responsibility of the customer. In this cost analysis the thickness of the bars is a relative representation of the cost incurred to the customer. This figure shows a total cost of ownership when all costs are taken into account. When the same analysis of total cost of ownership is applied to the outsourced model, we arrive at the analysis in Figure #2. In this model, the customer incurs a much smaller investment in human resources, consultancy, and infrastructure since the bulk of the investment lies in the Certificate Authority (CA) Infrastructure. As part of this service offering, the customer takes advantage of the CA infrastructure as part of the service provided by the Trusted Third party. The ownership of a carrier class processing facility, operations, and maintenance, and the legal framework become the responsibility of the CA. As a result, when combining the various components of cost – outsourcing results in a 40% to 60% savings in cost over a three year period when compared to an in-house solution (Figure #3).
In the in-house model, the customer must manage their own root key, private keys of deployed certificates, and audit logs. In other words, since the infrastructure is not protected by a highly secure facility, there is a high risk of the CA being compromised. This could result in fraudulent activates such as false certificate issuance, private keys being stolen, or digital signatures not being legally binding. Also, since the company has set their own policies and practices, there is no inherent trust established with any other company which may have set different standards. This is a fundamental flaw in what is to be consider a “trusted” environment between companies wishing to establish a business relationship. If a true layer of trust is to be realized, then the customer must rely on a CA or Trusted Third Party (TTP), which ensure that common standards are enforced. Policies and procedures are managed outside of the organisation – within the TTP. Therefore, if two companies utilize the same standards of PKI from the same TTP, then they can inherently trust each other. In-housed PKI vendors do not sell policy infrastructure as part of their PKI solution. Customers generally need to determine their own policy – then document and implement it. This results in customers taking the risk and responsibility of certificate issuance and authentication. Outsourcing PKI has the customer offloading this risk to the TTP.
Proponents of in-house solutions attempt to convince customers that outsourcing may be viable in the short term, but there is lack of flexibility in moving to an in-house solution over time. In fact, this is a contradiction in logic, since flexibility is lacking in the in-house approach. Customers are locked into a proprietary solution which often results in continuous hardware upgrades as more users are added, or software upgrades are needed as new standards are implemented. An outsourced solution transfers the responsibly of managing scalability and evolving standards to the TTP, without dramatic changes to their infrastructure. In the outsourcing model the TTP is located at the top of the trust hierarchy, which may branch to smaller CA’s managed by individual companies. At the tail-end of this hierarchy is the end-user community, which might consist of distributors, suppliers or manufactures in business to business (B2B) or individuals in a business to consumer (B2C) market. This hierarchy imparts the underlying value which a TTP provides. All uses within this umbrella have comfort in knowing that one consistent standard of trust are utilized.
“Outsourced PKI solutions provide a multitude of benefits for businesses. Although the underlying idea for businesses is to transfer the ‘headache’ of having to implement, maintain and administer a PKI solution to a service provider, there are significant strategic and financial advantages in outsourcing security in general and PKI in particular.” Datamonitor
Outsourcing Value Proposition
Further support for the cloud-based PKI model can be found from various analyst reports. According to Datamonitor this market is expected to grow at 110% CAGR (Compounded Annual Growth Rate) over the next three years. By the year 2006, outsourced PKI market share is expected to be 60% compared to in-house deployments. The importance of Outsourcing can be summarized as follows:
- Customers can focus on their core business – Leave the expertise of PKI to the experts
- No need to buy hardware & software since the infrastructure is owned by the CA
- There is a reduced Total Cost of Ownership – No hidden costs are incurred by the customer
- Liability is transferred to a trusted third party (TTP)
- Seamless scalability – Upgrades to infrastructure due to additional users and technology changes are owned by the CA
- There is a reduction in training, hardware, and software investments. Expertise is left to the CA, so only minimal training is required to administer certificates.
- Minimize consultancy fees are needed, due to faster project implementation
- Trust is enabled with other companies. The value of the TTP provides a common denominator of trust for all companies.
About the Author
Gabriel Dusil is VeriSign’s Marketing Director responsible for the Europe, Middle East and African region. Mr. Dusil’s role includes the management of Channel and Direct Marketing, as well as Marketing Communications. His responsibilities also include the development of product strategies and market positioning throughout the emerging markets.
Prior to VeriSign, Mr. Dusil had been with Motorola for six years, as their EMEA Marketing Director for its Internet and Networking Group. He has over 10 years of experience in the communications industry, and over nine years of international marketing experience. Mr. Dusil has a degree in Engineering Physics from the University of McMaster, in Canada.