Unbreakable: PKI is alive and kicking
Commentary--Today, there is a wide range of technology, products and solutions for securing an enterprise's electronic infrastructure. As with physical access security, the levels of security implemented should be commensurate with the level of complexity of the enterprise, the applications in use, the data in play, and the measurement of the overall risk at stake. Many organizations are starting to deploy certificates to secure a number of different pieces of the enterprise. Certificates are used to encrypt and sign e-mail, authenticate both people and machines to remote access servers, and to digitally sign documents and transactions. Traditionally, provisioning certificates has been complex and costly due to the need to set up a PKI (public key infrastructure) system. This has proved to be a significant undertaking and required a significant commitment in both people and dollars. Now it is possible to use a different approach, by implementing "PKI On-Demand" using the software as a service (SaaS) model. In this approach, an organization only needs a Web browser to interact with the PKI services. End users enroll for their credentials using a browser, and administrators perform management tasks using a browser. The PKI services are delivered by a managed service supplier, using a virtual PKI configured for the customer.
Companies clearly need to protect sensitive digital data that is central to their operations. Some examples are the storage of customer transaction records, electronic notarization of documents via the Web, and the authentication of bank transfers. In short, any exchange or storage of digital information where there is a requirement to ensure the information is secure, or to know that the entity on the other end of the digital universe is the entity they claim to be. Certificates and public key cryptography are widely recognized as the only practical mechanism capable of securing a broad range of applications in a controlled and managed way.
A full enterprise PKI-based security system may not be a fit for all business environments, but more and more companies are finding that they can benefit from using PKI to secure some aspects of an enterprise’s electronic infrastructure. A PKI deployment offers a unique value in managing the risk of both internal and external communications between employees, partners and customers, and can help to secure transactions and communications across a wide range of disparate platforms, applications and devices.
How are Digital Certificates used in today’s enterprise?
There are numerous applications that incorporate PKI in a typical corporate enterprise today. Some of the more common applications are as follows:
- Web Server Authentication through Secure Socket Layer (SSL)
- Virtual Private Network (VPN) Server Authentication (IPSec and SSL)
- Client Authentication to Web Servers (Internet/Intranet/Extranet) and VPNs
- Digital signing of e-mails, forms, documents and invoices
- Encryption of e-mails, documents, forms, transactions and files in transit
- Encryption of data at rest on laptops, thumb drives, mobile phones, etc.
- Code signing / mobile phone code signing
Some of the many benefits of implementing a PKI include:
- A single credential (certificate) per user which can be used for multiple processes and applications, in lieu of having multiple usernames and passwords. This is a significant administration benefit as user groups grow.
- Use of digital signatures to provide a persistent and auditable record of transactions.
- The same PKI investment can also be used to secure site-to-site connections, extranets, server-to-server communications, device authentication, etc.
- Simplifying password management. With PKI, there is no longer the need for constant password management and continual user support when passwords are forgotten.
Back to the future: The new old school
Traditionally, a PKI implementation has required a significant upfront investment, and involved a commitment to install a dedicated security infrastructure. This is no longer true, and it is now possible to obtain PKI services in an on-demand model, where you pay only for the portion of the infrastructure you use, and need not install any dedicated systems on your site. This enables organizations to cost-effectively run implementations of fewer than 500 users.
PKI is emerging as the best balance of strong security, commercial availability, and cost effectiveness. Time tested and continuously improved since its commercial introduction, the On-Demand PKI delivery model drives the cost down dramatically without sacrificing protection and guaranteed service levels. This SaaS model has been a key to the renaissance of this old school security solution, a.k.a. in-house PKI or traditional managed PKI.
On-Demand PKI removes the complexity of setting up and configuring the initial system. Because the backend security infrastructure is already up and running, getting a new PKI running is simply a matter of setting the appropriate configuration parameters. Once the system has been configured, the customer can administer the system from a Web browser, enrolling users and issuing certificates, without having to install and manage any of the underlying security infrastructure.
In general, a managed PKI is more cost effective and easier to implement than an in-house solution, with over a 50 percent difference in cost between in-house PKI and a traditional Managed PKI. The new On-Demand PKI model, however, drives these costs down by an additional 50 percent for the same PKI functionality. The combination of a faster implementation time, with a lower cost to implement significantly improves the ROI on using PKI.
The implications are significant. Companies who could not previously afford PKI can now have the same security used by the world’s largest organizations. Customers can get their system up and running more quickly, and "pay as they grow"--rather than "paying up front."
Biography
John Adams is CTO of ChosenSecurity, Inc., a provider of on-demand PKI security services.
Talkback (6 talkbacks)
NOTHING is unbreakable!
PKI is dead if you are looking for unbreakable!
The truth if you can handle it!!
The Secret Diary of Steve Ballmer and my band Balm
nasalnerd@... 10th Jan 2008
RE: Unbreakable: PKI is alive and kicking
PKI is meaningless unless the credentials presented are authenticated for revocation status. Not only the lead entry, but the root authorities as well. You would be surprised at the number of root authorities that do not have a CRLdp embedded in their certificates, have the CRLdp coded incorrectly or, worse yet, point to a distribution point that does not exist. Many servers have an expired certificate installed, which only surfaces when someone uses software that checks the validity of the certificate.
czfweb@... 11th Jan 2008
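As an added example (not code from the column or from the commenter), here is a small audit that applies the checks this comment calls for to every certificate in a chain, root included: expiry, a missing CRLdp, a malformed CRLdp, and a CRLdp whose host no longer exists. The chain, the host names and the reachability allow-list are constructed so it runs offline.

```python
"""Chain-wide revocation-readiness audit over a constructed certificate
chain.  Host reachability is simulated with a constructed allow-list of
CRL hosts so that the example runs offline."""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample chain (leaf first, root last); no real hosts or certs.
CHAIN = [
    {"subject": "CN=www.example.test", "not_after": "2008-01-01T00:00:00Z",
     "crl_dp": ["http://crl.example.test/leaf.crl"]},
    {"subject": "CN=Example Issuing CA", "not_after": "2012-01-01T00:00:00Z",
     "crl_dp": ["crl.example.test/ca.crl",              # no scheme: malformed
                "http://crl.old-vendor.test/ca.crl"]},  # host no longer exists
    {"subject": "CN=Example Root CA", "not_after": "2030-01-01T00:00:00Z",
     "crl_dp": []},                                      # no CRLdp at all
]
# Constructed stand-in for DNS/HTTP reachability of CRL hosts.
REACHABLE_CRL_HOSTS = {"crl.example.test"}

def parse_utc(stamp):
    """Parse an ISO-8601 UTC timestamp such as 2008-01-11T00:00:00Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def crl_dp_findings(urls, reachable=REACHABLE_CRL_HOSTS):
    """Return one finding per CRLdp URL that is malformed or unreachable."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "ldap") or not parts.netloc:
            findings.append(f"malformed CRLdp {url!r}")
        elif parts.hostname not in reachable:
            findings.append(f"CRLdp host {parts.hostname!r} does not resolve")
    return findings

def audit_chain(chain, now_stamp, reachable=REACHABLE_CRL_HOSTS):
    """Audit every certificate, root included; returns {subject: [findings]}."""
    now, report = parse_utc(now_stamp), {}
    for cert in chain:
        findings = []
        if parse_utc(cert["not_after"]) <= now:
            findings.append(f"expired on {cert['not_after']}")
        if not cert["crl_dp"]:
            findings.append("no CRLdp: revocation status cannot be checked")
        findings += crl_dp_findings(cert["crl_dp"], reachable)
        report[cert["subject"]] = findings
    return report

def chain_is_trustworthy(report):
    """Trust only if no certificate in the chain carries a finding."""
    return all(not findings for findings in report.values())
```

Run `audit_chain(CHAIN, "2008-01-11T00:00:00Z")` to see that every certificate in the constructed chain, including the root, fails at least one check.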
RE: Unbreakable: PKI is alive and kicking
An editorial from a senior exec at a PKI firm that pleads for the recognition of PKI as a viable commercial product family? The very definition of self-serving.
ZDNet: don't bother giving me any more of this tripe. If I want it, I can download brochureware to my heart's content.
Give me an editorial from seasoned IT managers who will tell me--warts and all--why the PKI they've implemented is good, bad, and can be made better.
donn@... 14th Jan 2008
RE: Unbreakable: PKI is alive and kicking
Take a look at the Legion of the Bouncy Castle native C# or Java code. This open source code is a really cost-effective way to implement, administer and use your own PKI.
We used it to create the first French archive system with legal value, which permits the destruction of paper.
bob.legrand@... 14th Jan 2008
Try it for yourself.
Microsoft gives you PKI for FREE with any server operating system since NT 4.0.
Don't need to resort to 'scripts' of any kind to set up and test a simple PKI system.
Where you are held by the balls -- is by the public CAs such as Verisign, who charge extortionist prices for public certificates. (And don't even ask what it costs to buy a certificate that would allow you to issue your own certs.)
Marty R. Milette 15th Jan 2008
More info on Digital Signatures
I wanted to point out a Digital Signature FAQ that provides the history, technical explanations of how it works, etc. @ http://www.arx.com/electronic-signatures-faq.php
Ramel@... 17th Jan 2008