With higher responsibilities and risk placed on the shoulders of in-house certificate authorities (CAs), it has become more cost-effective and efficient to outsource the role to external vendors, insiders observed. One analyst argued that CAs still have a role to play in "multi-layered defense" strategies, though.
According to Aliza Shima Kasim, research analyst of ICT Asia-Pacific at Frost & Sullivan, companies have traditionally set up their own CA departments to issue Web certificates to users who required these. Likening this to setting up a driving license department and issuing licenses to all drivers, she said this is no longer a valid arrangement.
Elaborating, she said in her e-mail that should the department fail or issue a faulty certificate, this might compromise the company's entire security system. The organization's Web sites would also not be authenticated until other authorities replace the certificate, she added.
With evolving security needs and increasing responsibility and risk placed on these CAs, Kasim stated that outsourcing the function to external CA vendors would be a more cost-effective measure to adopt.
Besides, the in-house CA role is always subsumed into another position, particularly among smaller organizations where shared roles are increasingly seen, noted Graham Titterington, principal analyst at Ovum. In many cases, external authorities are only contracted to certify more security-sensitive applications, he added.
Their points were reiterated by Thio Fu Wang, security practice manager of domain & technology at CrimsonLogic. He said setting up a CA department requires cost and competent resources to manage and run the operations.
"The implementation of security policies and procedures would have been taken on by the commercial vendors. [This] relieves the organization and [enables it] to focus on its core competencies," he noted.
Unless the company has the internal competencies and awareness, Thio argued, it should engage external vendors to help set up digital certification and public key infrastructure capabilities. This would help minimize the risk of errors or failures during the implementation phase as erroneous deployments can be very costly to remedy, he said.
Kasim also pointed out that organizations are realizing that their certificate authorities have too much power and too little accountability, which in turn leads to over-dependence on the department.
"With CAs given too much power in issuing certificates, many of them were starting to take it lightly and gave approval to the certificate without making proper verifications," she said.
CAs needed in "multi-layer defense"
Ang Poon-Wei, senior market analyst of enterprise infrastructure ICT security at IDC Asia-Pacific, took a different stance, however. He maintained that the internal CA role is still important as it provides a layer of security to any organization. Even with other IT security measures in place, a "multi-layered defense", which includes the CA function, adds value to any organization, Ang added.
Thio added that such CA roles are still required for "special purpose work" within the organization.