Digital Certificates in Action
by Lisa Pretty

Around the globe, organisations are taking the plunge and investing in a Public Key Infrastructure (PKI) to support Digital Certificates.

It is clear that when all technologies are assessed, digital signatures and the corresponding digital certificates offer much greater assurances than other methods to meet the requirements of digital security for entity authentication, non-repudiation, data integrity, data confidentiality and access control.

Brief Introduction to PKI
A PKI comprises several components, policies, and users that combine to perform the tasks required for digital security. Core to many of the security services of a PKI is the notion of a "digital signature". Designed to duplicate the value of a handwritten signature in the brick-and-mortar world, it is based on the use of a unique private key (the secret). The 'signing' process applies the private key in a mathematical formula that ties the secret to the data being signed. The widely disseminated public counterpart, distributed in the form of a digital certificate, can then be used to verify that the data is strongly associated with its sender. This construct can be indispensable in establishing and conducting business relationships. The use of digital signatures is supported by recent legislative actions that give credibility to the concept of electronic signatures and recognise the need for such a capability. The U.S. E-Sign Law, passed in 2000, and the EU Digital Signature Law, passed in 2001, are examples of this trend.
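The sign-then-verify cycle described above, as an added example that is not part of the original article or any PKI Forum code: the signer holds the private key, the relying party holds only the certificate, and verification fails when the data is altered, when a different signer's certificate is used, or when the certificate is outside its validity period. The function names (newSignerWithCert, sign, verifyWithCert) and the self-signed certificate are my own assumptions; a real PKI would have a CA issue the certificate and the verifier would also validate the chain to a trusted root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSignerWithCert generates a fresh P-256 private key (the "secret") and an
// X.509 certificate carrying its public counterpart. The certificate is
// self-signed only to keep this example offline; in a deployed PKI a CA signs it.
func newSignerWithCert(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed value; a CA assigns a unique serial
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return key, cert, nil
}

// sign hashes the data with SHA-256 and signs the digest with the private key,
// returning an ASN.1 DER-encoded ECDSA signature.
func sign(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyWithCert checks that the certificate is within its validity period at
// time "now" and permits digital signatures, then verifies the signature over
// the data using only the public key carried in the certificate.
func verifyWithCert(cert *x509.Certificate, data, sig []byte, now time.Time) bool {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return false
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	key, cert, err := newSignerWithCert("alice")
	if err != nil {
		panic(err)
	}
	// Constructed sample message standing in for a business document.
	data := []byte("purchase order 42: 100 units")
	sig, err := sign(key, data)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	fmt.Println("genuine:        ", verifyWithCert(cert, data, sig, now))
	fmt.Println("tampered data:  ", verifyWithCert(cert, []byte("purchase order 42: 900 units"), sig, now))
	_, otherCert, _ := newSignerWithCert("mallory")
	fmt.Println("wrong signer:   ", verifyWithCert(otherCert, data, sig, now))
	fmt.Println("expired cert:   ", verifyWithCert(cert, data, sig, now.Add(48*time.Hour)))
}
```

The relying party never sees the private key; everything it needs to tie the data to the named subject is inside the certificate, which is what makes certificates safe to disseminate widely.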

Real World Deployments
Applications are key when it comes to actually putting a PKI to work. There is no point in investing the time and money of creating a PKI and issuing Digital Certificates if no one is going to use them. In the early days of PKI this seemed to be a bit of a problem: security technologists fell in love with the technology on its technical merits and began launching pilots without much thought to the business case or end use. The result was a lot of money spent and several aborted projects when tough questions like "What are we going to use this for?" could not be answered.

Over the past couple of years we have seen a shift in the way organisations are spending their IT dollars, and a good look at the end use and Return on Investment (ROI) is certainly the starting point. We have seen organisations stop talking about PKI and instead look at the security problems and applications; the requirements for digital certificates and the underlying PKI then fold into the solution instead of being a technology looking for a place to be implemented.

At the PKI Forum, we meet face-to-face 3-4 times a year and dedicate a full day to real world case studies. Although not an exhaustive list, here are a few examples of real world solutions presented at recent meetings where the business case, the technology and the application all came together in a success story:

Singapore, Finland - PKI for national ID
Australia, Ireland - PKI for secure tax filing
NATO - a PKI to support electronic procurement
Various European Governments - PKI for controlling the drive and rest hours for road transport
Canadian Department of Defense - PKI for accessing and communicating sensitive information
Canadian Government - PKI for secure government to citizen transactions
Wells Fargo Bank, Rabobank, Identrus, Visa International, Canadian Payments Association, United States Department of Defense - PKI for supporting secure e-business
Johnson & Johnson - enterprise PKI to support operating companies, external contractors, partners, and customers
Fannie Mae - PKI for secure loan processing
Viacode - PKI for identification
Phyve, Kaiser Permanente - PKI for secure medical solutions

Clearly a wide range of applications across the government, healthcare and financial sectors has been deployed. Digital certificates and PKI have become part of many active solutions.

How Does a "Hyped" Technology Become an Active Solution?
As PKI has become more widely deployed, and as more hands-on experience makes the total cost of ownership for PKI more accurately understood, attention is turned to the topic that generates the most enthusiasm in the corner offices: the financial returns made possible from PKI-enabled business processes.

What financial returns does public-key infrastructure really provide? Here, we provide a general framework for unlocking the financial returns that are made possible by implementing PKI-enabled applications. In considering this framework, the following simple, step-by-step approach should be kept in mind:

Focus on the Business Process. It's worth repeating that PKI is an e-security infrastructure, and infrastructure in the absence of a specific business process returns nothing. For example, if we invest in telephones, facsimile machines, and e-mail systems but never place a call, transmit a document, or send a message, what have we gained? Moreover, returns from e-security infrastructures are generally difficult (if not impossible) to separate from the returns from the business processes themselves. The primary focus - once it has been determined that authentication, data privacy, data integrity, digital signatures, or other e-security capabilities provided by PKI are important business requirements - should therefore be on the financial returns from the successful implementation of a particular (security-enabled) business process. This approach also accommodates the reality that financial returns are typically application-specific, company-specific, industry-specific, and so on.

Establish Appropriate Metrics. With a proper focus on the security-enabled business process, the next step is to establish the appropriate metrics for determining potential financial returns. The metrics chosen will logically be a function not only of the particular business process under analysis (i.e., is it an internal process? A customer-facing process? A partner-facing process?), but also of the specific business objectives we have in mind (e.g., are we aiming to increase revenues? Lower costs? Improve efficiency?).

Establish a Baseline for the Current State. Having established an appropriate set of metrics, the next step is to use them to establish a baseline for the business process under analysis, based on the way things are today. This is the "business as usual" scenario.

Compare to the Desired Future State. The same metrics can then be used to compute the financial impact of implementing a new or improved business process that meets the specific business objectives we have in mind. This is the "business as a result of" scenario, i.e., the desired future state that will result from the successful implementation of a new or improved PKI-enabled business process.

If this straightforward approach sounds familiar, it should come as no surprise - it's a time-honored method for establishing value, a process we've all gone through (consciously or otherwise) countless times before. We can step back and observe that PKI is not uniquely complex or difficult to analyse in this regard - on the contrary, this approach for computing financial returns for PKI-enabled applications is the same one used for virtually any other significant investment. All we need, given the relatively early stage of PKI market development, is a general framework to help organise the approach and jump-start a detailed discussion of potential financial returns.

The first, critical step is to frame the ROI discussion in the context of the key e-security enablers for a particular e-business process or application. The next step is to establish an appropriate set of metrics for determining potential financial returns. (The PKI Forum has recently published a paper authored by Derek Brink discussing the ROI framework briefly introduced here. The paper may be accessed at www.pkiforum.org/resources.html.)

By following the framework, it can be seen that the total cost of ownership for implementing an enabling e-security infrastructure such as PKI is significantly less than the financial returns made possible by PKI-enabled applications, once revenues, costs, compliance and risks are understood and quantified.