Deciding Whether or not to use a Third Party Certificate Authority


feature

Michael Spalding

The decision to outsource security is difficult and touchy at best, but due to cost constraints it may be the only viable solution for some companies wanting to utilize PKI and make use of digital certificates. The concept of the third party certificate authority has been around for quite some time, starting with BBN Planet (now GTE Cybertrust), which has provided PKI services for the United States Federal Government since the late 1970s. Firms like VeriSign and Thawte have begun to offer server-side certificates for companies wanting to authenticate servers on the Internet. Finally, there are firms such as Entrust or Baltimore, which allow a company to build its own private certificate authority (CA).

The debate of a privatized CA versus a third party CA is often heated. The most difficult item comes down to control. How much control can a company allow a third party to have over its operations? Allowing a third party to hold the keys to the kingdom requires a great deal of trust between the CA and the company. Third party CAs are often referred to as service firms, or could be thought of as Internet utility companies. Firms that advocate private CAs within companies can be thought of as software companies, because of the proprietary software necessary to integrate PKI into the company. These two models (private vs public) are at odds with one another.

First, let's examine what is needed to produce a private certificate authority, starting with the operating PKI infrastructure. The company must secure the entire physical structure and the network computing elements. These costs could be anywhere from two to three times the actual cost of the software from the provider. The infrastructure must be unquestionably secure. If a person could walk into a building, follow someone through a cracked door and gain access to the root keys, then what would be the point of using PKI and digital certificates? The PKI infrastructure should never be brought into question or taken into court to decide whether it is penetrable.

Physical security needs to be at or close to military grade.

The next area is legal/risk management. The privatized PKI will have to address all of the legal issues that a third party CA has already addressed. The company will most likely need to hire specialized personnel to formulate the key legal issues and then have its legal team review their findings. This process could also be time consuming, as it has to be repeated several times. The company also assumes 100% of the risk in the private model: it will assume all responsibilities in the event that the PKI infrastructure becomes abused or misused.

Another area which will need to be addressed is the integration of PKI into the existing infrastructure and applications of the company. With the private model, proprietary software will be necessary for all users and applications. This will most likely require specialized software developers to aid in the integration of the existing applications into the PKI structure. E-commerce/extranet will also be proprietary and private only. There will be no ability to use a public trust network on a global scale. If there were a need to use S/MIME or a secure E-mail client with outside companies, then this would almost immediately negate the use of a private CA.

The final area which will need to be addressed is the operation of the CA. The company will have to get up to speed quickly on how to operate its CA and begin to design, build and deploy the supporting infrastructure. The software vendor has no PKI operating experience, so the company will have to go it alone or hire in specialized personnel. In addition to operating the CA, the company will have to address high availability and disaster recovery for the PKI backbone services, scalability of the design, and all other infrastructure services.

Now let's examine the third party CA option. The PKI infrastructure is set up as an Integrated PKI Platform, meaning that the company has limited ability in running the PKI infrastructure and limited liability with the PKI platform. The third party CA does all of the backend number crunching and the holding/maintenance of the root keys for the company. The company does not have to build a secure facility to maintain its own CA. The liability of securing the root keys becomes the responsibility of the third party CA. The company also does not have to address all of the legal obligations of becoming a private CA. The third party CA has already done this and will be liable for its portion of it. The third party CA is contractually obligated to maintain certain levels of security and operational status. The company can focus on its particular situation and address only its own legal responsibilities. The risk is now shared between the CA and the company, rather than the company holding 100% of the liability as in the private CA model.

Integrating the PKI platform into the existing applications (browsers, mail clients and other enterprise applications) can be done with ease. Third party CAs such as VeriSign are now integrating with E-mail servers such as Microsoft Exchange and Lotus Notes. With installations much like a standard install, this will reduce the amount of custom coding that will be necessary for integration.
It will also be necessary for the company to develop a certificate practices statement so that a foundation will be in place for design, legal and other issues, such as who should get certificates and how they will be initially authenticated.

Finally, the operation of the CA is left to the third party to maintain. The company is left only to manage who should get digital certificates or updates to their server certificates. The third party is ultimately responsible for high availability and disaster recovery for all PKI backbone services, scalability of the PKI platform and all infrastructure services.

The costs of maintaining a private CA can run literally into millions of dollars. Being a private CA comes at a cost. In a white paper produced by the Aberdeen Group, which compared VeriSign (third party CA), Netscape (private CA) and Entrust (private CA), the total cost of ownership was unquestionably lower with the third party CA than with either of the two private CAs. To accommodate various sizes of companies, the study used a 5000-seat licence, a 50 000-seat licence and a 500 000-seat licence. A quick breakdown of the numbers shows:

VeriSign (third party CA)
  5 000 seats     total cost $256 894     ($51.4 per seat)
  50 000 seats    total cost $541 127     ($10.8 per seat)
  500 000 seats   total cost $1 276 904   ($2.6 per seat)

Netscape (private CA)
  5 000 seats     total cost $631 612     ($126.3 per seat)
  50 000 seats    total cost $1 452 895   ($29.1 per seat)
  500 000 seats   not scalable/applicable

Entrust (private CA)
  5 000 seats     total cost $993 602     ($198.7 per seat)
  50 000 seats    total cost $3 158 983   ($63.2 per seat)
  500 000 seats   total cost $11 093 098  ($22.2 per seat)

This study took into account project differences and used a baseline set of products and services that are commonly incurred with the deployment, management and maintenance of digital certificates.


One noticeable comparison is the cost between VeriSign and Entrust. The Entrust numbers are significantly higher due to the software which must be purchased with the private CA model. In addition to these costs, expenses will be incurred with the construction of the CA facility and the operations associated with it, and salary expenses for this operation will also need to be allocated. A cost which also needs to be considered with the third party CA model is the yearly maintenance fee. These fees, which range anywhere from one dollar to five dollars per digital ID, need to be considered when evaluating the two models. The yearly maintenance fees are generally quite modest when compared to the salary costs of maintaining a private CA.

Time to market for most third party PKI platforms is generally faster than that of private CAs. In the case of Texas Instruments, total install time was approximately two weeks (March 1998). By April 1998, Texas Instruments was testing with approximately 2000 users. In most private CA situations, the rollouts take longer due to the integration process for existing applications and interoperability issues between different manufacturers of software (e.g. Microsoft Internet Explorer, Netscape Navigator).

Complexity of PKI installations is another issue to address when deciding which route to take. If a private CA is chosen, expert staff will be needed to design, implement and maintain the CA. In addition, existing staff will have to be trained thoroughly on PKI-specific issues. This training and ramp-up of expertise will be costly and time consuming.

At this point let's address some of the issues that need to be considered when interviewing a PKI vendor.

• Total costs — what is the total cost (including hidden or less addressed issues) of design, deployment and maintenance? What other items will have to be in place to set up the CA properly? How much can I expect to spend over year one, through year five, year 10 etc.?

• Legal/risk management — what is going to be my total liability with (your) solution? What can I expect from my vendor in the event that something detrimental happens? Who is responsible for what, as it pertains to security, infrastructure, legal, lost revenue and reputation?

• Infrastructure — how strong is your infrastructure? Who has audited your operations/infrastructure? What particular types of designs/devices are you using for physical security, i.e. mantraps, motion detectors, cameras, security guards etc.?

• Application integration — what support can I expect with the integration of the PKI platform into my company? How much proprietary software will be needed to implement my PKI platform? What protocols/standards are supported? When will it be functional, if not now?

• Operation of the CA — how much technical expertise will I have to bring in-house in order to set up and maintain my CA? Who else has done similar operations? What other third party security devices will I need?

The ultimate decision to use a third party CA comes down to control. Cost and complexity would justify a third party CA; however, certain entities, such as governments, the military and certain global Fortune 100 corporations, could possibly justify building their own CAs. Most third party CAs are independent of government operations and maintain a high degree of independent status. They ultimately report to the customer, who wants privacy, security and accountability. The key difference between third party CAs and private CA vendors is that third party CAs are service firms, while private CAs are software firms. The keys to the kingdom may be more secure in another castle than your own!!
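The "year one, year five, year 10" question above can be answered with a small build-vs-buy model. This is an added example, not part of the article or the Aberdeen study; it takes the study's totals as quoted in the article, treats them as the initial deployment cost (an assumption), and adds the recurring costs the article names: the $1 to $5 yearly fee per digital ID for a third party CA and the salaries of in-house CA staff for a private CA (the staff figure is a hypothetical input).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:
    name: str
    third_party: bool
    totals: dict  # seat count -> total cost (USD) as quoted from the Aberdeen study

# Figures as quoted in the article; "not scalable/applicable" entries are simply absent.
VENDORS = [
    Vendor("VeriSign", True,  {5_000: 256_894, 50_000: 541_127, 500_000: 1_276_904}),
    Vendor("Netscape", False, {5_000: 631_612, 50_000: 1_452_895}),
    Vendor("Entrust",  False, {5_000: 993_602, 50_000: 3_158_983, 500_000: 11_093_098}),
]

def per_seat(total: float, seats: int) -> float:
    """Cost per seat rounded to one decimal, matching the article's breakdown."""
    return round(total / seats, 1)

def cost_over_years(vendor: Vendor, seats: int, years: int,
                    fee_per_id: float, private_staff_cost: float):
    """Assumption: the study total is the initial deployment cost and recurring
    costs are added per year. A third party CA charges a yearly maintenance fee
    per digital ID; a private CA instead pays the yearly salaries of the staff
    who run it. Returns None when the study has no figure for that seat count."""
    base = vendor.totals.get(seats)
    if base is None:
        return None
    recurring = fee_per_id * seats if vendor.third_party else private_staff_cost
    return base + years * recurring

def rank(seats: int, years: int, fee_per_id: float = 5.0,
         private_staff_cost: float = 0.0):
    """Vendors ordered cheapest first for the given horizon; unscalable ones dropped."""
    rows = []
    for v in VENDORS:
        total = cost_over_years(v, seats, years, fee_per_id, private_staff_cost)
        if total is not None:
            rows.append((v.name, total, per_seat(total, seats)))
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    # Hypothetical in-house staff cost of $250 000 per year, worst-case $5 fee per ID.
    for seats in (5_000, 50_000, 500_000):
        for years in (1, 5, 10):
            print(seats, years, rank(seats, years, 5.0, 250_000))
```

Note that with the staff cost set to zero the per-ID fee alone can make the private option look cheaper at 50 000 seats over five years, which is why the article insists the fee be weighed against salary costs.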