'Enhancing PKI Security – Outsourcing vs. In-House Deployments'
By Andrew Horbury, VeriSign UK Marketing Manager


The eSecurity Evolution

The Internet's rapid growth, accompanied by an increase in security attacks globally, has meant the requirements for eSecurity are continually evolving. Firewalls, virtual private networks (VPN), anti-virus, and public key infrastructure (PKI) are now critical components of any strong security policy.

Consumers are also placing increased importance on eSecurity, and many view it as a key component in building trust with the vendors they wish to do business with. At the same time, European governments have stepped up the finalising of legislation around the protection of privacy and the legal recognition of electronic signatures.

All these dynamics are raising the fundamental awareness of eSecurity and the importance of high security, in which PKI plays a critical role. PKI is now considered a basic enabler of new eBusiness revenue streams, and over the years it has grown beyond a purely security-focused role. It has enabled a host of new services which could not previously be offered over the Internet because the necessary security was lacking, for example:

•  Digital Signing of electronic documents

•  Electronic supply chain management

•  Electronic (e)Ordering & eProcurement

•  Online eGovernment Services

Today, the challenge for many organisations is how to bridge the gap from their current IT infrastructure to enhanced security using PKI. The decision organisations need to make is whether to invest in a PKI solution in-house or outsource it to a trusted third party provider. The two approaches are intrinsically different, and each offers organisations a distinct value proposition.

The challenge for IT decision makers is to weigh the pros and cons of each approach, and determine which model is best suited to continually deliver the highest level of security to their organisation.

Setting the Stage - Outsourced vs. In-house PKI

PKI is one of the few technologies that integrates the legal and information technology disciplines. This results in several unique challenges in deployment, but it also reflects the distinctive roles PKI serves on the Internet, namely:

•  identifying the existence of a company, and recognising individuals through the use of digital certificates, and

•  binding digital signatures to the same legal validity as a hand written signature.

Two fundamentally different approaches to overcoming these legal and technological obstacles have emerged, referred to as in-house PKI and outsourced PKI, each offering its own value proposition.

In-house PKI

In-house PKI means the organisation builds and runs its own managed PKI. The company purchases the PKI software and hardware used to deploy digital certificates to individuals. Dedicated staff are responsible for defining the company's own certificate practices and policies for the creation and distribution of digital certificates throughout the corporate infrastructure. Companies perceive that this approach offers inherent ownership and flexibility, but typically it requires a large upfront investment in both time and money.

Outsourced PKI

Outsourced PKI is analogous to the service provider market, whereby the infrastructure is owned by an external entity known as a Certificate Authority (CA). The CA is responsible for setting policy, managing the information technology (IT), and carrying liability on behalf of the customer. The advantage to the customer is that it retains control of certificate issuance, co-branding, and management, while the responsibility for maintenance, scalability, and policy management moves to the back end (commonly referred to as the processing centre).

Furthermore, outsourced solutions cover all aspects of the PKI infrastructure, including:

•  Legal : The Certificate Policy (CP) and Certification Practice Statement (CPS) establish the legal framework of the PKI

•  Technical : The CA maintains the ability to migrate PKI to new standards and technological upgrades

•  Human Resources: Project management, policy management, and certificate deployment costs are off-loaded to the CA

Weighing the Pros and Cons in Order to Get it Right

Decisions around eSecurity spending are usually judged against the metrics of cost, flexibility, control, and speed of deployment. In-house deployments are sold on the perceived merits of greater control, flexibility and lower costs in the long term. In-house certificates are expected to be issued and revoked quickly, and security policies to be tailored to business needs.

On the other hand, outsourcing security gives companies more freedom to concentrate on their core business, and results in a lower cost when the total cost of ownership is taken into account.

The trade-off is often judged on "up-front costs", since companies will often compare the cost of their in-house proposal to that of an outsourced vendor. But businesses should avoid getting caught up in proposal costs while ignoring tangible factors such as Total Cost of Ownership (TCO) and the investment protection a given solution offers.

Consider the following example. For certificate services, businesses typically need to take the following total deployment costs into consideration:

•  Human Resources : Project management and operational and maintenance support costs

•  Infrastructure : Hardware and software costs which form the basis of the PKI infrastructure

•  Services : Training costs, external consultant services, and security audits

•  Legal and policy requirements

In the case of an in-house PKI solution, all the services, HR, infrastructure and legal components are the responsibility of the organisation hosting the PKI solution.

On the other hand, in the typical outsourced PKI model the organisation incurs a much smaller investment in HR, consultancy, and infrastructure, since the bulk of the investment lies in the CA infrastructure. Ownership of a carrier-class processing facility, its operations and maintenance, and the legal framework also become the responsibility of the CA.

Organisations looking to invest in an in-house PKI model must also consider several other factors to ensure they adhere to the highest level of security.

•  Take Responsibility for Security: Organisations need to manage their own root key, private keys of deployed certificates, and audit logs

•  Ensure that a common standard is being enforced: Organisations must set their own policies and practices. Yet it is only when two companies use the same PKI standards that they can inherently trust each other

•  Determine policy: Organisations need to determine, document and implement their own policy, and take the responsibility (and risk) of certificate issuance and authentication

•  Continually invest in the PKI solution: Organisations must be prepared to make investments in hardware upgrades as more users are added, and software upgrades as new standards are implemented.

For organisations considering the outsourcing model, the benefits are summarised as follows:

•  Organisations can focus on their core business

•  No hardware and software investment is required for PKI infrastructure

•  TCO is reduced

•  Third party is liable for security

•  CA is responsible for technology changes

•  Trust with other companies is enabled through a common PKI standard

What's the Market Demanding?

So how has the market responded recently to PKI? Several analyst reports are showing a trend towards the outsourced PKI model. According to Datamonitor, estimated revenues for outsourced vs. in-house PKI deployments are going to reach 53% against 42% this year. Datamonitor also predicts further growth in outsourced PKI market share, and expects it to reach 60% share by 2006.

It appears outsourcing is becoming increasingly attractive as it removes the burden of a large upfront investment, and takes the emphasis off licensing as the main revenue stream. This has become even more important during times of economic difficulty, as cost-cutting becomes a primary concern.

But regardless of whether organisations choose to outsource or deploy a PKI solution in-house, taking advantage of PKI to deliver enhanced levels of security will require a strong commitment, and solid security policies.

Into the future

The inability to share data over a network without an increased security risk limits the ability of organisations to conduct business in the most efficient way, and the lack of a viable single sign-on framework is inhibiting the growth of electronic commerce and networked operations. Launched at the 2004 RSA conference in San Francisco, the Initiative for Open Authentication (OATH) addresses these challenges with standard, open technology that is available to all. OATH is taking an all-encompassing approach, delivering solutions that allow for strong authentication of all users on all devices, across all networks.

OATH's vision is of the network of the future, where consumers feel secure entering personal information online, where business partners can safely collaborate and share data across domains, and where devices constitute secure threads in a tightly-woven network fabric. The Open Authentication reference architecture (OATH) is a revolutionary approach designed to accelerate the adoption of strong authentication technology across all networks. Leveraging existing standards and an open reference platform, OATH will ensure that secure user and device credentials can be provisioned and verified by a wide variety of industry-leading software and hardware solutions, removing traditional barriers to widespread adoption.

OATH comprises industry leaders working with other standards groups toward the propagation of ubiquitous strong authentication, enabling eBusiness and giving customers the confidence to conduct secure commerce and communication online. An OATH ecosystem consists of devices, chip sets, platforms, applications, integrators, and customers, all working together in a strongly authenticated, highly secure environment.

For more information about OATH, please visit www.openauthentication.org
