Business Impact of Public Key Infrastructures (PKIs)

Business Impact
of Public Key Infrastructures
(PKIs)
by Chris Voice and John Samuel, Entrust Technologies
(Originally published in Messaging Magazine, September/October 1999)

Organizations are increasingly recognizing the benefits of doing business on the Internet. Compared to conventional operations, the Internet offers a low-cost, open, real-time alternative to conducting business transactions and communications. However, whether an organization uses the Web, e-mail, remote access, or other applications, all e-business transactions are vulnerable to a variety of computer attacks.

A 1999 survey by the Computer Security Institute (CSI) and the Federal Bureau of Investigation (FBI) polled over 500 companies and found that 62 percent had suffered an attack in the previous 12 months.¹ These attacks were attributed to saboteurs, viruses, laptop thefts, financial fraud, and theft of proprietary information. The survey also reported, for the third straight year, that financial losses resulting from computer security breaches exceeded $100 million.

As people continue to rely on the Internet, intranets, and extranets for mission-critical transactions, easy-to-use, yet sophisticated security tools are essential. It is now clear that the economic and social benefits of the "information highway" can never be fully realized without the underpinnings of a security infrastructure such as a Public Key Infrastructure (PKI).

Security is a fundamental requirement for e-business applications such as private e-mail, purchase orders, transmission of credit card information, and workflow automation using signature-based forms. According to the Giga Group, "Given the growing importance of public key cryptography to many applications from encryption and secure e-mail to electronic commerce, a Public Key Infrastructure (PKI) is probably the most critical enterprise security investment a company will make in the next three years."²

PKI — The Cornerstone of E-Business
A PKI is emerging as the cornerstone of e-business. It can improve the operational effectiveness of an organization, while providing an attractive return on its security investment. For example, organizations are increasingly recognizing the competitive advantages of using a PKI for trusted Web-based transactions. Such solutions can improve customer service, while decreasing costs by quickly and securely distributing information, products, and services. According to a 1998 survey of the information security market by CSI and Zona Market Research, 58 percent of respondents use encryption in a variety of ways, while 43 percent plan to buy encryption products this year.

Public key technology is a combination of algorithms, protocols, and derived tools designed for secure communications. A PKI is a comprehensive infrastructure supported by a common set of security services that enables seamless and trustworthy e-business transactions in a manner that is almost transparent to the users involved in the transaction. In addition to user transparency, a PKI must include the following features to provide the required key and certificate management services:

a Certification Authority (CA) to issue public key certificates;
a certificate repository, which maintains an organization’s directory of certificate users (whether they are customers, business partners, or employees);
an effective certificate revocation system, which ensures ongoing trust and validity by automatically and transparently checking the appropriate certificate revocation list (CRL) each time a certificate is used;
a key backup and recovery mechanism to allow the organization to recover encrypted information and validate digital signatures even if the user leaves the organization or simply forgets his or her password;
support for non-repudiation of digital signatures through the use of separate key pairs for encryption and digital signatures;
automatic update of key pairs and certificates prior to expiration to ensure that service is not disrupted;
management of key histories to transparently retrieve historical encrypted data;
support for cross-certification to allow organizations to extend their domain of trust to include other organizations; and
application software interacting with all of the above features in a secure, consistent, and trustworthy manner.

In addition, to provide an effective solution that is feasible in real-world implementations, a PKI must be effectively managed. A managed PKI enables the organization to administer security only once for all e-business transactions including Web, e-mail, remote access, enterprise resource planning (ERP), and so on. For the end user, this means only one password for all applications and policies that are automatically and consistently enforced across all transactions.

The table to the right identifies the basic security elements that are generally addressed by a PKI.

With these elements, a wide range of applications can leverage the power of a PKI, thereby enabling organizations to optimize their security investments by providing secure e-business transactions and communications, as described in the following examples.

Secure E-Mail Applications
Expanding global business has created the need for cost-effective and confidential methods of communication. Previous attempts at confidential communication have included confidential faxes, diskettes delivered via courier, and closed-door meetings. Secure e-mail alleviates the need for these inadequate communication methods, and enables confidential information to be shared between enterprises, customers, and partners over private and public networks.

Streamlining Log-on Procedures
Digital certificates can safely allow a user to log-on to multiple applications without having to re-key passwords. Streamlining log-on procedures may also help to reduce the number of help desk calls about lost or forgotten passwords. (Estimates vary, but it is reasonable to assume that 30 percent of help desk calls are password-related.) In fact, a PKI-based log-on system could reduce the number of help desk calls by 50 percent, thereby improving employee productivity and satisfaction.

Enabling Workflow Applications
Enabling workflow applications is another way that a PKI can help to reduce operational costs. Digital signatures enable employees to sign forms electronically. For example, it is estimated that processing a single hard copy expense report in a large company may cost as much as $36. That cost could drop to as low as $4 per report with the use of digital signatures.³

Security Element	Description	Analogy in a Non-Electronic World
Confidentiality	Ensures that information is not disclosed to unauthorized parties	A sealed envelope in a diplomatic pouch, personally hand-delivered by a governmental courier, provides reasonable assurance that the information conveyed is not disclosed to anyone and the confidentiality of the message is maintained.
User Authentication	Ensures that the parties involved in the transaction are who they say they are	A person's passport is a secure document issued by a Passport Office, certifying that the person is who he or she claims to be. This provides a moderate degree of user authentication when a traveler is asked to present his or her passport upon entering a foreign country.
Access Control	Ensures that only authorized persons can access certain electronic information	The security clearances issued to certain government officials and consultants working in government departments allow the individuals to access certain levels of information, thereby controlling access to sensitive information.
Data Integrity	Ensures that data has not been modified or tampered with during transit, from the time it left the originator to the time it reached the recipient	A traditional signed message enclosed in a sealed envelope supports a moderate degree of integrity. Provided that the envelope does not have obvious signs of tampering, the recipient can be reasonably confident that the message inside is that which the sender actually enclosed.
Non-Repudiation (User Accountability)	Ensures that neither party can revoke or deny their role in a transaction, or make false claims about posing or accepting an offer	A handwritten, signed message in a sealed envelope, delivered by registered mail, supports a moderate degree of non-repudiation. Handwritten signatures contain attributes that permit moderately strong authentication. They are difficult to forge, and permit verification of the signer's identity. The sealed envelope retains the integrity of the message, and a return receipt generated on delivery can confirm its delivery to the intended recipient. Thus, neither party can deny their participation in the transaction, since the existence of a clear audit trail makes it very difficult for either party to state any false claims about sending or receiving the letter.

Other Real-World Benefits of a Comprehensive and Managed PKI Solution
The benefits of implementing a comprehensive and managed PKI solution have yielded other tangible returns for many organizations. The applications range from extending personalized banking services to reducing the turnaround time for application forms. Organizations like the Bank of Nova Scotia, J.P. Morgan, and U.S. Electric Utilities are using PKI technology for a secure and cost-effective means of communicating with customers.

End-to-End Online Banking Solution—ScotiaBank^Ž
For the Bank of Nova Scotia (ScotiaBank^Ž), one of Canada’s Big Five banks, an easy-to-use solution to ensure secure transactions was a prerequisite for the innovative Scotia OnLine service. through a single log-on session, Scotia OnLine lets customers use their Web browsers any time of the day to get up-to-the-minute bank account balances, pay bills, transfer funds, or even view their latest Visa transactions and statement. Customers can move freely between banking and brokerage transactions during the same session, without having to enter separate passwords.

The bank determined that public key cryptography was the best-of-breed technology for developing the required security solution. Based on international standards, this technology uses electronic certificates to authenticate customers, and mathematical "keys" to encrypt and digitally sign each transaction. This technology ensures the integrity and confidentiality of information transmitted over the Internet.

To guarantee the highest possible level of security, ScotiaBank required an integrated public key solution that combines encryption and digital signature capabilities with fully automated key management. In addition, the solution had to be based on "best practices" and open standards, fully scalable, and as transparent to the end users as possible. Today, more than 65,000 ScotiaBank customers are using the Scotia OnLine banking services.

Transmission of Confidential Customer Information—J.P. Morgan
J.P. Morgan also uses a PKI to better communicate sensitive financial statements to customers. Prior to using a PKI, J.P. Morgan used a combination of custom hardware encryptors via private lines and regular dial-up access. The links were point-to-point, and as the links went down, the transactions would be discontinued. J.P. Morgan was able to eliminate the hardware encryptors, thereby yielding savings of $1 million.

J.P. Morgan has also expanded the PKI to its commercial mortgage underwriting business. Previously, documents were hand-delivered, but now the company can securely e-mail the documents. This has cut the time it takes to negotiate the terms of a transaction from 3 weeks to no more than 3 days.⁴

Posting and Bidding of Surplus Electricity—U.S. Electric Utilities
The Federal Energy Regulatory Commission (FERC) mandated that all electric utilities must post surplus electrical transmission capacity on the Internet, so that the bidding and exchange of information can take place in a public forum. The World Wide Web (WWW) was chosen as the means of communicating and doing business because it was accessible and easy to use. However, the industry had serious concerns regarding the lack of security that is inherent in an unmanaged and unaffiliated network like the Web.

To resolve this problem, a task force representing over 200 electric utilities and utility cooperatives (the Joint Transmission Services Information Network, or JTSIN), responded to the FERC mandate using a PKI designed to provide the needed security.

The Bottom Line
The Internet is growing in popularity and an increasing number of organizations and individuals see the Web as an efficient, inexpensive means of distributing information, products, and services. A recent report by Forrester Research indicated that the global corporate e-commerce market would be on the order of $3.2 trillion (U.S.) by 2003. However, organizations that wish to share information with business partners, clients, and employees over the Internet must implement security infrastructures, such as a PKI, to prevent electronic fraud such as data tampering, eavesdropping, and masquerading.

The ideal PKI solution should provide ease of use, a flexible and scalable architecture, low administrative overhead, and simplicity in enforcing and auditing a security policy. Such a solution allows an organization to leverage its existing network and realize tangible benefits from adopting a security infrastructure that effectively manages the communication and storage of confidential and proprietary information.

Integral metrics in purchasing a PKI are the return on investment (ROI) and the total cost of ownership (TCO) of the solution. Further focusing on particular business applications and the potential cost savings will enable organizations to identify any additional return on their PKI investments. This could include the cost savings realized by replacing a paper-based transaction with a more effective electronic transaction. In addition, organizations can generate new revenues with applications that deliver new services to partners and customers.

A PKI can provide a comprehensive security umbrella for a range of crucial business applications and services such as Web security, secure e-mail, remote access, electronic forms, workflow, and other e-business applications. Administration of business applications can be made relatively simple and seamless. With a PKI, organizations can administer security once for all business applications, rather than separately for each one.

The business benefits of reduced costs, streamlined business processes, and improved customer service provide tangible returns on an investment in PKI. Organizations have already realized cost savings of $1 to $4.4 million per year. A focus on particular business applications will ensure that a PKI provides the returns that an organization seeks. Only a comprehensive, managed PKI can achieve the goal of enabling trust in e-business transactions and communication, while providing a solution that is both automatic and transparent for end users. MM

Footnotes:

1. Computer Security Issues & Trends; Vol. V, No. 1, Winter 1999.
2. Ira Machefsky, Giga Information Group, September 1998.
3. Data Communications, November 7, 1998, Issue 2716.
4. Information Week, March 23, 1998.

For information on article reprints, contact Jay Devine, Communications Manager at jay.devine@ema.org.

Back to Table of Contents