
VeriSign – Milestones for Sustaining eBusiness Growth


Adapting to Change

As a new year unfolds, we continue to observe growth in eBusiness opportunities.  Even as the Internet's expansion overcomes slumps in the world economy and defies political and religious strife, the momentum generated so far is a force too big to ignore.  Nevertheless, continued growth faces tangible milestones if this trend is to sustain itself throughout the decade.

  • Achieving End-to-end Connectivity – Although the Internet may be considered “end-to-end”, many companies continue to struggle with connectivity within their own enterprise, let alone achieving the same externally with their suppliers, partners, and customers.  Despite the false start of Supply Chain Management (SCM) initiatives and the struggles of Business Process Re-engineering (BPR) in the late 90s, such solutions still offer promise, although that promise has somewhat morphed into up-and-coming business solutions such as Web Services.
  • Implementing Change in Corporate Culture – In moving to new business models, companies need to instill fundamental changes in how employees conduct their daily activities.  New processes and procedures need to be integrated into the corporate culture, in eBusiness applications as well as in the eSecurity protecting this infrastructure.  This is undoubtedly a more significant challenge for large enterprises than for smaller, more agile businesses, whether the change is the migration of an enterprise to online commerce or the implementation of a modern security infrastructure such as managed security services or identity management.  The effort for management to implement such new solutions is a mere 20% technical versus 80% organizational.
  • Implementing Enterprise-wide Identity Management – A continued expansion of channel relationships now dictates a more aggressive approach to identifying the individuals with whom we conduct our daily business.  Identity management has made its mark on a national and global scale as governments evolve new border-control security in efforts to counter terrorism.  Likewise, industry continues to struggle with ever more sophisticated fraud methods and hacker attacks.  Individual enterprises need to establish trust in authentication (who you are) and authorization (what I will allow you to do).  For these reasons, identity is fundamental to the ever increasing importance of establishing trust.  These are the ultimate drivers: trust in knowing who is transacting with you, and trust in who you are allowing into your confidential data, especially in the modern age of business relations between people who have never met in person and may never meet face to face.  Trust is fundamental to eBusiness growth.

Government Connectivity

If the nineties were about bringing enterprises online, then this decade is surely dedicated to Government achieving the same.

In Germany, for instance, the public sector is driving the “BundOnline 2005” initiative, which is targeted at offering 24×7 eGovernment services to citizens.  The German government is set to invest €1.65 billion by 2005 in order to migrate its 400 public services online.  This offers potential for online payment, electronic form signing and data security through digital signatures.  200,000 German employees of ministries and federal agencies will be supplied with smartcards and readers by 2005.  A quarter of the 400 targeted services – including, for example, bidding for federal procurement contracts – are expected to utilize electronic signatures.

Other European countries are working towards similar initiatives in the same time frame, and many (France, Greece, Sweden, Denmark and the Netherlands) have already begun.  The need to offer nation-wide online services in G2B (government to business), G2C (government to citizen), and G2E (government to employee) is driving the use of eSecurity for authentication, encryption, trust and non-repudiation.  Initial adoption of online services has begun in areas such as online Value Added Tax (VAT) reporting from businesses to government, a classic win-win approach to G2B, as it creates cost and time efficiency for both the enterprise and the government.  In addition, on a regional scale, local municipality portals are being created to allow citizens 24×7 access to government services, as well as the use of identity cards for access to various community services.  Examples to date have revolved around online form submissions for social services, income tax, land registration, and other legal documentation.  It sure beats standing in line for four hours at your local city hall.

Aggressive Internet initiatives are forthcoming in the healthcare sector as well.  Online medical services are being driven by several factors:

  • Privacy of patient records, required to meet legislative requirements as well as European Union (EU) data protection expectations
  • Ensuring the integrity of online prescriptions, validated by a digital signature which authenticates the identity of the patient's doctor
  • Electronic workflow in the communication of patient records via the Internet, as well as the transfer of prescriptions online.  This also applies to the pharmaceuticals industry, which is interested in using eWorkflow and identity management solutions to streamline time to market for new drugs.
  • End-to-End Connectivity – Online connectivity of hospitals, doctors, pharmacies, and patients continues to be the vision moving forward
  • New service capabilities enabling faster response times and enhanced communication through mobile devices are considered longer-term milestones

Such eHealthcare initiatives may be monumental, but they are not insurmountable.  Comparing our three eBusiness milestones, end-to-end connectivity may be the least of our worries, given the well-established coordination between the public and private sectors.  Establishing identity and privacy is clearly fundamental to healthcare projects, and various legislative initiatives in both the USA and Europe have stepped up to mandate such requirements.  Cultural acceptance will be incrementally achievable through a solid communications strategy and migration plan.  Ultimately, the ongoing sophistication of Internet usage will be the catalyst in modernizing the existing healthcare infrastructure.  But time-scales for such migration should be realistic.

Both the public and private sectors are driving towards change and modernization, although it is fair to say that the private sector is ahead of government initiatives by at least five years.

Consumers and the Enterprise

Business drivers are somewhat different for the corporate market.  The private sector focuses on market share, profitability, and channel expansion, whereas public sector mandates revolve around service quality, efficiency, and legislative compliance.  Although governments are not motivated by profit, there is a significant amount of accountability and measurement in ensuring the success of G2B, G2E, or G2C initiatives.

The private sector accelerated forward in eBusiness initiatives throughout the nineties, widening the gap in sophistication compared with government initiatives at that time.  Even today, Business to Business (B2B) eMarketplaces continue to fuel success in selected markets, whereas Business to Consumer (B2C) is still in its infancy with respect to revenue and profit expectations.  This is partially attributable to the lack of technical sophistication of online consumers today (i.e. the challenge of educating the greater public in the overly complex usage requirements of computers and the Internet).  In many societies these struggles continue, but times are changing, and mass markets have proven resilient in their ability to adapt.  This is evidenced by the estimated one billion online users expected by the year 2006, up from 600 million users today.  Modern society continues to adjust to the Internet culture, but possibly not in the time scales we all desire.

Planning Next Steps

The gap between eSecurity threats and the corresponding countermeasures continues to grow.  Attackers continue to find new holes in our networks and applications, and we just can't seem to plug them fast enough.  This is undoubtedly a red flag, and one hopes that such a trend is not sustainable.  As eSecurity is at the forefront of the Internet's concerns, we need to evolve our expectations from reacting to security threats after the fact to preventive measures which stop attacks before they happen.  Prevention is a distant goal for many corporations, which continue the philosophy of investing in security only after an attack.  But once the damage is done it may be irreversible, leading to loss of revenue (which in some industries is measured in seconds of downtime), loss of time (to recover from the attack), and loss of reputation (it takes years to build a brand, but only days to have it crash down on you).

An enterprise trying to manage all threats itself is simply unrealistic.  It's the classic asymmetry between defender and attacker: you need to protect yourself against every known vulnerability, whereas the attacker only needs to know the one vulnerability which compromises your fortress.

  • Where do we find the expertise to block all threats?
  • Where do we find the time to ensure 24×7 protection?
  • How does the enterprise source adequate funds to protect itself?

Both the public and private sectors should consider security solutions outside of their fortress to find these answers.  For instance, Managed Security Services (MSS) offer a central Security Operations Center (SOC) of experts to assess vulnerabilities, threats and potential solutions.  Outsourcing eSecurity ensures a significantly lower total cost of ownership (TCO), with as much as 40%–60% savings compared to creating a department to achieve the same level of 24×7 protection.  But more importantly, CTOs can sleep at night knowing that their networks and applications are protected by the best level of defense.

As security threats meet us both inside and outside the enterprise, identity management and access control become essential elements of eSecurity strategies, whether it be access to Internet, extranet and intranet environments, access to critical data via your mobile phone, PDA, laptop, wireless LAN or smartcard, or enabling connectivity for customers, employees, suppliers, and partners.  Customers will be challenged to choose solutions which provide identity management and access control to meet both present and future needs.  Managing privacy versus security, while maintaining a reasonably low total cost of ownership, will be an influencer.  Connecting disparate IT platforms, directories, applications, and back-end systems will be deciding factors.  The decision to consolidate systems such as directories and applications becomes strategic to the organization.

History has taught us that IT implementations which tear out the old to bring in the new are neither cost-justified nor realistic.  For these reasons, the approach to implementing new eBusiness initiatives involves an incremental migration path, not a replacement strategy.  With today's tighter IT budgets, investment protection for existing assets is essential.  For example, access control has evolved from a Single Sign-On (SSO) approach into what is now referred to as “reduced sign-on (RSO)”.  SSO was simply impractical and unrealistic.

A focus on phased implementations is important. Especially as it pertains to end-to-end connectivity.  “Start Small, Think Big” is the latest mantra.  Consider this approach to an eBusiness deployment:

  • Understand and document your business pains and your strategy for solving them.  Treating your IT infrastructure as strategic, and taking an end-to-end view, will lead to greater eBusiness success.
  • Establish the right leadership and cross-departmental teams.  Understand where your organization's cultural dynamics are today, and how they will affect your deployment.  Ensure that departmental owners are accountable for driving change.
  • Design your architecture and transition strategy and document them in an RFP.  Concentrate on achieving a solid foundation through internal connectivity between heterogeneous systems.  Then look externally to connecting suppliers, partners, and customers.
  • Plan the project in multiple phases.  Identify incremental milestones.  Select a list of target suppliers and short-list them against your requirements.  Choose your suppliers and implement in phases.
  • Treat your project as organic – constantly changing and evolving with the changes in IT and the demands of the market.

Achieving end-to-end connectivity, organizational culture change, and identity management is driven by leadership.  Change is always achievable, but the real question is “when” rather than “if” it will occur.  Leadership will be a deciding factor in such transformation, and will help generate cultural harmony around evolving eBusiness approaches.

About the Author

Gabriel Dusil is VeriSign’s Marketing Director responsible for the Europe, Middle East and African region. Mr. Dusil’s role includes the management of Channel and Direct Marketing, as well as Marketing Communications. His responsibilities also include the development of product strategies and market positioning throughout the emerging markets.

Prior to VeriSign, Mr. Dusil had been with Motorola for six years, as their EMEA Marketing Director for its Internet and Networking Group.  He has over 10 years of experience in the communications industry, and over nine years of international marketing experience.  Mr. Dusil has a degree in Engineering Physics from McMaster University, in Canada.

VeriSign – The PKI Value Proposition

Portfolio - VeriSign, PKI Value Proposition ('02, Symposium Globe)

The eSecurity Evolution

The Internet's rapid growth brought forth a multitude of innovative service offerings.  Early in its life cycle, the Internet experience defined new products and ultimately new market segments.  One of the most important of these markets in recent years has evolved around consumer demand for “Trust”, and the value of trusting the Internet.  The industry answered this demand through a market segment now called eSecurity, and vendors worked hard to differentiate themselves in this space, each providing a service or product that clearly distinguished its value proposition from competitors.  But in the last few years eSecurity has blurred the distinction between various products and services as it evolves and accelerates as the fastest growing market segment in cyberspace.  The sub-segments within this market, such as firewalls, virtual private networks (VPN), anti-virus, and authentication services, have become critical components of a security policy.  eSecurity continues to evolve rapidly to the demands of eCommerce, as transaction-based services are expected to infuse new growth.  This reflects the increased importance that consumers give to confidence, and to the value of trust in the vendors with whom they wish to do business.  Recent awareness of managing and protecting privacy is a further reflection of how consumers value their supplier relationships.  Governments throughout Europe have also stepped up to the plate in finalizing legislation around the protection of privacy and the legal recognition of electronic signatures.  All these dynamics are raising fundamental awareness of eSecurity and the importance of high security, in which the PKI (Public Key Infrastructure) sub-segment plays a critical role.  PKI has grown beyond a traditional eSecurity offering and is now considered a basic enabler of new eBusiness revenue streams.
Early in its life cycle, PKI established a clear value when compared to its neighbours:
  • Firewalls established the fortress for a corporation, which intrusion detection served to enhance
  • Antivirus protected hosts and desktops from the threat of infection
  • VPNs ensured secure communications over public networks
  • PKI stepped in to provide application-level security and to remove the inherent weaknesses of IDs and passwords, by binding the identity of a user or host to a public key through a digital certificate

But PKI goes further, crossing the boundaries of security by enabling a host of services which were not previously possible due to the lack of infrastructure:

  • Digital Signing of electronic documents
  • Electronic supply chain management
  • Electronic (e)Ordering & eProcurement
  • Online eGovernment Services
  • Healthcare & National ID Services

These are only a few examples of applications which were not previously acceptable on the Internet, but which have been enabled by the enhanced security offered by PKI.  How do we bridge the gap from our current IT infrastructure to enhanced security using PKI?  This article outlines two fundamental implementations, referred to as in-house PKI and outsourced (cloud-based) PKI.  Its purpose is to describe the value proposition and intrinsic differentiation of these two approaches.

Setting the Stage

PKI is one of the few technologies today which integrates the disciplines of legal practice and information technology.  This results in several unique deployment challenges, but also reflects the distinctive role PKI serves on the Internet: namely, our ability to establish the existence of a company, to recognize individuals through the use of digital certificates, and to give digital signatures the same legal validity as a handwritten signature.  To overcome the legal and technological obstacles, PKI has been implemented in two fundamentally different ways, described as follows:

In-house PKI
  • This involves the implementation of a managed in-house PKI solution.  The customer purchases PKI software and hardware which is used to issue digital certificates to individuals in the company.  Dedicated staff are responsible for defining their own certificate policies and practices for the creation and distribution of digital certificates throughout the corporate infrastructure.  Companies perceive that this approach offers inherent “ownership” and flexibility, but typically it requires a large upfront investment in both time and money.
Outsourced PKI
  • In this cloud-based approach, analogous to the service provider market, ownership of the infrastructure lies with an external entity known as a Certificate Authority (CA).  The CA is responsible for setting policy, managing the information technology (IT), and owning liability on behalf of the customer.  But it does not stop there.  The customer retains control of certificate issuance, co-branding, and management, while moving the responsibility for maintenance, scalability, and policy management to the back-end (commonly referred to as the processing center).

Furthermore, outsourced solutions cover all aspects of the PKI infrastructure, such as:

Legal
  • The Certificate Policy (CP) and Certification Practice Statement (CPS), which establish the legal framework of the PKI.  In Europe, conformance is to the EU Electronic Signatures Directive (1999/93/EC).
Technical
  • The CA maintains the ability to migrate the PKI to new standards.  Since the PKI processing center is upgraded once in the back-end, all customers take advantage of new features simultaneously.  This also applies to technological upgrades such as the up-and-coming XKMS standard, developed jointly by VeriSign, Microsoft and webMethods, which provides an open standard for PKI in XML environments.
Human Resources
  • Project management, policy management, and certificate deployment costs are often lost in the overall cost of ownership model.  All of these costs are substantially reduced when outsourcing, since the expertise of PKI deployment is off-loaded to the CA.

Outsourcing has become increasingly attractive as it removes the burden of a large upfront investment, and takes the emphasis off licensing as the main revenue stream.  This has become even more important during times of economic difficulty, as cost-cutting becomes a primary concern.  “The primary benefit of this [cloud] business model for end-user businesses is avoiding the administrative, project management and IT integration demands that an in-house implementation would require without relinquishing control over the solution.” – Datamonitor

Spending

Figure #1: In-house PKI Investment


Decisions around eSecurity spending are often compared on metrics of lower cost, flexibility, control, and deployment speed.  In-house deployments are sold on the perceived merits of greater control, flexibility and lower costs in the long term: in-house certificates are expected to be issued and revoked quickly, and security policies tailored to business needs.  Ironically, outsourced solutions are up and running in a much shorter time-frame, and result in lower capital and operational investment when the total cost of ownership (TCO) is taken into account.  In fact, allowing companies to outsource their security gives them more flexibility to concentrate on their core business.  IDC estimates that the global IT management services market will expand from 95.3 billion US$ in 2000 to 214.9 billion US$ in 2005, a compound annual growth rate of 17.5%.  The trade-off is often judged on “up front costs”, since proponents of in-house solutions have the customer compare their proposal cost to that of a cloud-based service provider.

Figure #2: Outsourced PKI Investment

Customers are often caught up in the shadow of proposal costs, ignoring tangible factors such as the total cost of ownership and the investment protection of a given solution.  For certificate services, total deployment costs can be grouped into four main areas:

Human Resources
  • Project management costs to deploy the overall infrastructure and services
  • Operational and maintenance support, including costs associated with application integration
  • Costs of managing the Registration Authority and Certificate Authority should not be overlooked
  • Human resources needed to build PKI expertise and maintain these in-house systems
Infrastructure
  • Hardware and software costs which form the basis of the PKI infrastructure
  • Secure processing facilities are critical to ensure that the root key (the CA private key) is protected against theft or fraudulent use
  • Upgrades due to technology evolution and scalability
Services
  • Training costs should be taken into account, both during the initial deployment and for the further education needed as legislation and the technology evolve
  • External consultancy services often require significant investment for an in-house solution
  • Security audits are required to ensure compliance with nationally or internationally recognised standards
Legal & Policy Requirements
  • Trust practices, which include legal conformance to local signature laws as well as establishing PKI policies and procedures
  • Liability to the company in the event of a legal dispute

Figure #1 shows the inherent costs associated with an in-house solution.  All components (a. Services, b. Human Resources, c. Infrastructure and d. Legal) are the responsibility of the customer.  In this cost analysis the thickness of the bars is a relative representation of the cost incurred by the customer, so the figure shows the total cost of ownership when all costs are taken into account.  When the same analysis is applied to the outsourced model, we arrive at Figure #2.  In this model the customer incurs a much smaller investment in human resources, consultancy, and infrastructure, since the bulk of the investment lies in the Certificate Authority (CA) infrastructure, which the customer uses as part of the service provided by the Trusted Third Party.  The ownership of a carrier-class processing facility, its operations and maintenance, and the legal framework become the responsibility of the CA.  As a result, when the various components of cost are combined, outsourcing results in a 40% to 60% saving over a three-year period compared to an in-house solution (Figure #3).

In the in-house model, the customer must manage their own root key, the private keys of deployed certificates, and the audit logs.  Unless this infrastructure is protected by a highly secure facility, there is a high risk of the CA being compromised, which could result in fraudulent activities such as false certificate issuance, private keys being stolen, or digital signatures which are not legally binding.  Also, since the company has set its own policies and practices, there is no inherent trust established with any other company, which may have set different standards.  This is a fundamental flaw in what is meant to be a “trusted” environment between companies wishing to establish a business relationship.  If a true layer of trust is to be realized, then the customer must rely on a CA or Trusted Third Party (TTP) which ensures that common standards are enforced.  Policies and procedures are managed outside of the organisation, within the TTP.  Therefore, if two companies utilize the same standards of PKI from the same TTP, they can inherently trust each other.  In-house PKI vendors do not sell policy infrastructure as part of their PKI solution; customers generally need to determine their own policy, then document and implement it.  This leaves customers with the risk and responsibility of certificate issuance and authentication.  Outsourcing PKI offloads this risk to the TTP.

Figure #3:  In-house vs. Outsourced PKI Total Cost of Ownership


Proponents of in-house solutions attempt to convince customers that outsourcing may be viable in the short term, but that there is a lack of flexibility in moving to an in-house solution over time.  In fact, this is a contradiction in logic, since it is the in-house approach which lacks flexibility: customers are locked into a proprietary solution, which often results in continuous hardware upgrades as more users are added, or software upgrades as new standards are implemented.  An outsourced solution transfers the responsibility for managing scalability and evolving standards to the TTP, without dramatic changes to the customer's infrastructure.  In the outsourcing model the TTP sits at the top of the trust hierarchy, which may branch to smaller CAs managed by individual companies.  At the tail-end of this hierarchy is the end-user community, which might consist of distributors, suppliers or manufacturers in a business-to-business (B2B) market, or individuals in a business-to-consumer (B2C) market.  This hierarchy imparts the underlying value which a TTP provides: all users within this umbrella have the comfort of knowing that one consistent standard of trust is utilized.
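The trust hierarchy described above, and the earlier point that two companies running their own roots under self-set policies have no inherent basis for trusting each other's certificates, can be made concrete in code.  The following is an added example, not VeriSign's code or anything from the original article.  It uses the third-party Python `cryptography` package, and every name in it ("TTP Root", "ACME Corp CA", "Globex Root", the e-mail addresses and the purchase-order text) is an invented placeholder.  It builds a TTP root, a company CA beneath it, end-entity certificates, and a minimal chain walk, then shows which certificates a relying party anchored on the TTP root will accept.

```python
"""Toy three-tier trust hierarchy: TTP root -> company CA -> end entity.

Added illustration, not VeriSign's code. Requires the third-party
`cryptography` package (pip install cryptography). All names below
("TTP Root", "ACME Corp CA", ...) are invented placeholders.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ONE_DAY = datetime.timedelta(days=1)


def _utcnow():
    # Naive UTC, so it compares with both old and new `cryptography` validity fields.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _validity(cert):
    """(not_before, not_after) as naive UTC, across `cryptography` versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return (cert.not_valid_before_utc.replace(tzinfo=None),
                cert.not_valid_after_utc.replace(tzinfo=None))
    return cert.not_valid_before, cert.not_valid_after


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue a certificate for subject_key, signed by issuer_key.

    The issuer name is only a claim made by whoever signs; verify_chain()
    is what tests that claim against a real trust anchor.
    """
    now = _utcnow()
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name(subject_cn))
        .issuer_name(name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - ONE_DAY)
        .not_valid_after(now + 365 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def verify_chain(leaf, intermediates, trust_anchor):
    """Walk leaf -> intermediates -> anchor; return (ok, reason).

    Each hop checks: issuer name matches the parent, the parent is marked CA
    (basicConstraints), the child is inside its validity window, and the
    child's signature verifies under the parent's public key. The anchor is
    trusted by configuration, so its own self-signature is not checked.
    """
    now = _utcnow()
    chain = [leaf, *intermediates, trust_anchor]
    for child, parent in zip(chain, chain[1:]):
        who = child.subject.rfc4514_string()
        if child.issuer != parent.subject:
            return False, f"issuer mismatch: {who}"
        bc = parent.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            return False, f"not a CA: {parent.subject.rfc4514_string()}"
        not_before, not_after = _validity(child)
        if not (not_before <= now <= not_after):
            return False, f"outside validity period: {who}"
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            return False, f"bad signature: {who}"
    return True, "ok"


def demo():
    """Two companies: ACME chains to the TTP root, Globex runs its own root."""
    key = lambda: ec.generate_private_key(ec.SECP256R1())
    ttp_key, acme_key, alice_key, globex_key, bob_key, mallory_key = (key() for _ in range(6))

    ttp_root = make_cert("TTP Root", ttp_key, "TTP Root", ttp_key, True)
    acme_ca = make_cert("ACME Corp CA", acme_key, "TTP Root", ttp_key, True)
    alice = make_cert("alice@acme.example", alice_key, "ACME Corp CA", acme_key, False)
    globex_root = make_cert("Globex Root", globex_key, "Globex Root", globex_key, True)
    bob = make_cert("bob@globex.example", bob_key, "Globex Root", globex_key, False)
    # Alice, an end entity, tries to act as a CA and issue a certificate to Mallory.
    mallory = make_cert("mallory@acme.example", mallory_key, "alice@acme.example", alice_key, False)

    # Alice signs a constructed sample document; a relying party accepts it only
    # if the signature verifies AND her certificate chains to the TTP root.
    order = b"Purchase order 4711: 200 units"
    sig = alice_key.sign(order, ec.ECDSA(hashes.SHA256()))
    chain_ok, _ = verify_chain(alice, [acme_ca], ttp_root)
    try:
        alice.public_key().verify(sig, order, ec.ECDSA(hashes.SHA256()))
        signed_order_ok = chain_ok
    except InvalidSignature:
        signed_order_ok = False

    return {
        "acme_under_ttp": verify_chain(alice, [acme_ca], ttp_root),
        "globex_under_ttp": verify_chain(bob, [], ttp_root),        # different root
        "globex_under_globex": verify_chain(bob, [], globex_root),  # fine within Globex
        "end_entity_as_issuer": verify_chain(mallory, [alice, acme_ca], ttp_root),
        "signed_order_ok": signed_order_ok,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Run it directly to print each case.  Two results carry the article's argument: the issuer-mismatch failure for the Globex certificate (a company with its own root and its own policies is a separate trust domain until a relying party chooses to anchor on it), and the basicConstraints check that stops an end entity from minting certificates beneath a trusted CA.  Production path validation also handles revocation (CRL/OCSP), name constraints, key usage and path-length limits, which this toy omits.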

“Outsourced PKI solutions provide a multitude of benefits for businesses. Although the underlying idea for businesses is to transfer the ‘headache’ of having to implement, maintain and administer a PKI solution to a service provider, there are significant strategic and financial advantages in outsourcing security in general and PKI in particular.” Datamonitor

Outsourcing Value Proposition

Figure #4: In-house vs. Outsourced Revenue Growth


Further support for the cloud-based PKI model can be found in various analyst reports.  According to Datamonitor, this market is expected to grow at 110% CAGR (Compound Annual Growth Rate) over the next three years.  By the year 2006, outsourced PKI is expected to hold a 60% market share compared to in-house deployments.  The importance of outsourcing can be summarized as follows:

  • Customers can focus on their core business – leave the expertise of PKI to the experts
  • No need to buy hardware and software, since the infrastructure is owned by the CA
  • There is a reduced Total Cost of Ownership – no hidden costs are incurred by the customer
  • Liability is transferred to a Trusted Third Party (TTP)
  • Seamless scalability – upgrades to infrastructure due to additional users and technology changes are owned by the CA
  • There is a reduction in training, hardware, and software investments.  Expertise is left to the CA, so only minimal training is required to administer certificates.
  • Minimal consultancy fees are needed, due to faster project implementation
  • Trust is enabled with other companies.  The TTP provides a common denominator of trust for all companies.
