In the second of our two-part series, Bob Walder, director of network
security specialist the NSS Group, asks whether an in-house or outsourced PKI is the safer
option.
When it comes to implementing a public key infrastructure, companies can choose between using a
public certification authority (CA), operating a private CA, or using a public CA organisation to
operate an outsourced private CA on their behalf.
Where a managed solution is adopted, the internal CA is replaced with a local registration
authority that handles enrolment, authentication and key-pair generation for the outsourced CA
component. The external CA then receives certificate requests from the local registration
authority, issues, distributes and stores the certificates and keeps the certificate revocation
list (CRL) up-to-date.
The in-house approach provides the maximum level of control, but the cost of software licences,
maintenance fees and funds needed to purchase and deploy the entire supporting infrastructure can
be prohibitive.
From a technical standpoint, whether a company hosts its own CA or uses an outsourced service
usually comes down to operational capacity:
- Does the organisation have a 24 x 7 support capability?
- Does the expertise for security policy creation and management exist in-house?
- Are there internal IT staff who are qualified and capable of running a CA?
- Are physical security measures sufficient?
- Can the security and integrity of the root signing keys be guaranteed?
- Is the company equipped to handle user registration to the required standard, particularly when
physical registration is demanded by the environment or the sensitivity of the applications?
- Can the company provide an adequate quality of service for the required number of digital ID
users?
- Is the company better equipped through strategic advantage or core competence to provide this service, rather than a CA specialising in outsourcing?
If the answer to any of these questions is no, the company should carefully weigh the costs of the
necessary hardware, staff and infrastructure against the costs of outsourcing.
Responsibility and liability
Because of the mission-critical nature of a PKI, the competence of the end-user organisation to
perform the critical operations correctly should be carefully considered. However, if an
organisation's IT department can successfully demonstrate its ability to operate other vital
systems, such as accounting, billing or corporate messaging systems, the issues encountered in
operating a PKI should be familiar and represent no unusual risk.
There are points in favour of an in-house solution, the main advantage being total control over
what is a very sensitive area. If a PKI is only required to support confidentiality, integrity and
authenticity services for the organisation's own employees, the considerations are much more
relaxed and there is no reason not to in-source the service.
Bringing the operation in-house will ensure that interoperability problems between the CA and the
corporate applications are eliminated and the issue of CRLs is greatly simplified. There is also no
risk of breaching an outsourcer's certificate practice statement (CPS), either intentionally or
otherwise.
Consider the case of a hybrid outsourced service where certificates are signed by the company's
root signing key, which in turn is signed with the outsourcer's root signing key.
What would happen if the outsourcer either unintentionally or intentionally (following a breach of
the CPS) revoked the organisation's root signing certificate? All the certificates issued by the
organisation would be instantly invalid and there is no way back following revocation. Once the
problem had been resolved, the organisation would have to re-issue every certificate.
While this may not be a big problem in a trial implementation, a year or so down the line in a live
banking application it could present a single point of failure for the entire business. This may be
unlikely, but is the risk too high?
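To make that failure mode concrete, here is an added example, written for this edit in Go using only the standard library; it is not code from the article or from the NSS Group, and every name and serial number in it is constructed. It models the hybrid chain just described: an outsourcer root signs the company's signing certificate, which in turn issues an employee certificate (key generation and issuance, split between registration authority and CA in the managed flow, are collapsed into one function here). A relying party validates the employee certificate by building the chain and then checking every certificate below the root against its issuer's CRL. On day one both CRLs list only unrelated serials and the certificate is accepted; once the outsourcer publishes a CRL listing the company's signing certificate, the same employee certificate is rejected even though the company's own CRL never mentions it. The relying party also fails closed when an issuer's CRL is missing or does not verify. The CRL API used requires Go 1.21 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity pairs a certificate with the private key behind it (constructed test actors).
type entity struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // key usage of a signing certificate

func must[T any](v T, err error) T { // a setup failure here is a programming error
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a key pair and has issuer sign a certificate for it (self-signed when issuer is nil).
func issue(name string, serial int64, usage x509.KeyUsage, issuer *entity) *entity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage,
	}
	signer, signerKey := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		signer, signerKey = issuer.cert, issuer.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &entity{cert: must(x509.ParseCertificate(der)), key: key}
}

// publishCRL has a CA sign a CRL listing the given serial numbers as revoked (Go 1.21+ API).
func publishCRL(issuer *entity, revoked ...int64) *x509.RevocationList {
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		crl.RevokedCertificateEntries = append(crl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, crl, issuer.cert, issuer.key))
	return must(x509.ParseRevocationList(der))
}

// validate chains leaf to a trusted root, then checks each certificate below the root against
// its issuer's CRL (keyed by issuer name); a missing or unverifiable CRL fails closed.
func validate(leaf *x509.Certificate, roots, inters *x509.CertPool, crls map[string]*x509.RevocationList) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return err
	}
	for i, chain := 0, chains[0]; i < len(chain)-1; i++ { // chain ends with the trusted root
		cert, issuer := chain[i], chain[i+1]
		crl := crls[issuer.Subject.CommonName]
		if crl == nil || crl.CheckSignatureFrom(issuer) != nil {
			return fmt.Errorf("no trustworthy CRL from %q", issuer.Subject.CommonName)
		}
		for _, e := range crl.RevokedCertificateEntries {
			if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q revoked by %q", cert.Subject.CommonName, issuer.Subject.CommonName)
			}
		}
	}
	return nil
}

// hybridScenario plays out the article's hybrid case with constructed names and serials.
func hybridScenario() (before, after error) {
	outsourcer := issue("Outsourcer Root CA", 1, caUsage, nil)
	company := issue("Example Bank Signing CA", 2, caUsage, outsourcer)
	alice := issue("alice@example-bank.invalid", 1001, x509.KeyUsageDigitalSignature, company)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(outsourcer.cert)
	inters.AddCert(company.cert)
	crls := map[string]*x509.RevocationList{ // day one: only unrelated serials are revoked
		"Outsourcer Root CA":      publishCRL(outsourcer, 77),
		"Example Bank Signing CA": publishCRL(company, 1002),
	}
	before = validate(alice.cert, roots, inters, crls)
	// The outsourcer revokes the company's signing certificate (serial 2); the company's own CRL
	// is untouched and still does not list Alice, yet her certificate now fails.
	crls["Outsourcer Root CA"] = publishCRL(outsourcer, 77, 2)
	after = validate(alice.cert, roots, inters, crls)
	return before, after
}

func main() {
	before, after := hybridScenario()
	fmt.Printf("before revocation: %v\nafter revocation:  %v\n", before, after)
}
```

Run it with `go run`: the first result is nil and the second is the revocation error for the company's signing certificate. Nothing the company does to its own CRL can undo this; as the article says, the only way back is to re-issue every certificate under a new signing certificate.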
Damage resulting from a failure by the certificate issuing body can far outweigh any direct costs.
Therefore, if the certification is outsourced, the service provider must be insured for any
consequential damage and it must be demonstrated that this insurance is continuously in
place.
Entering into a contract that puts liability on the provider is insufficient, as this does not
guarantee the provider's ability to assume liability for consequential damage in the event of a
failure. Causing the service provider to go out of business brings no satisfaction when the
corporation's systems have been compromised.
In PKI, as with all security implementations, policy and procedure are crucial. These
issues are covered by two key documents that every PKI has: the certificate policy (CP) and the
certificate practice statement (CPS).
It is here that the trust model the PKI supports is documented, and this is one area that must be
approached very carefully when considering an outsourced PKI.
The CPS details the policies governing the issue of certificates, the level of security to validate
a certificate applicant's identity, how long certificates remain valid, the rules governing their
revocation, and so on.
The policies, responsibilities and liabilities defined in the CPS form the bedrock upon which a PKI
is built. Importantly, it outlines the warranty and liabilities that must be clearly understood and
addressed by those providing the service and those benefiting from it. The CPS is written by the
issuing authority, one of the three authorities that form a fully working PKI.
Most generic managed PKI solutions will force the customer into a "one size fits all" CPS. However,
a single trust model will never secure all applications adequately, and while this approach may be
valid for pilot projects, it is unlikely to provide adequate cover for a complete PKI.
An inadequate CP and CPS could well compromise an entire trust model and the certificates issued
against that CPS could be worthless. This is somewhat ironic, given that the supplier's revenue
stream is based on charging for the certificates.
The only way it is acceptable to buy a PKI under these circumstances is if an off-the-shelf trust
model exactly matches the CPS the company requires, or is so close the supplier can upgrade the
software in order to reflect it.
Even though you will still have to accept full liability, exposure to risk should be minimised
because the trust model is appropriate to your requirements.
However, such a scenario is highly unlikely and may deliver a technology that can handle only one
of your trust models, making it impossible to leverage that technology investment as more
applications seek PKI services.
Liability
Although the outsourcing approach is cheaper because suppliers in this area have already made the
necessary investment in hardware, software and staff, the ugly issue of liability raises its
head.
Will an outsourcing company be liable for failures? If the potential exposure to risk is too high
they will almost certainly limit their liability to an agreed figure. At this point the customer
must weigh up the cost of a full in-house implementation against the outsourcing and make an
informed decision based on possible losses against system costs.
Whichever route is selected, it is vitally important to take responsibility for security at the
outset and ensure there is a well-thought-out CP and CPS in place. Deciding on that policy is
something only the customer can do. Numerous technology suppliers will offer advice, maybe for a
fee or as part of the sales process.
One indication of how firmly a supplier believes in its own advice will be the amount of liability
it is willing to take for any security failure. It is essential that both parties clearly
understand the level of risk involved and any respective responsibilities.
The division of authority
There are three separate roles in the provision of a PKI:
- The issuing authority defines the rules, liabilities and processes for a particular PKI. It is the author of the certificate practice statement that governs the operation of the PKI.
- The registration authority authenticates individuals and organisations using documented and agreed procedures, by performing ID and credit checks, for example. Its output is a list of individuals or organisations that have clearance to be issued with proof of identity by the CA.
- The CA creates and manages the certificates and the associated directory, revocation and re-issue processes on a day-to-day basis.
It is important to note that the roles above are "logical" in nature. There are often no distinct
authorities in place, but rather a set of processes that fulfil a role.
PKI suppliers often talk of the three authorities in a way that makes them appear separate to the
organisation. Some may try to sell software products that claim to be a "certification authority in
a box", for example.
It should be recognised that such an approach may be too simplistic for many organisations as all
three roles must be integrated and cannot be regarded as islands of automation.
However, when it comes to making decisions
about PKI implementation, it is important to consider who will handle the roles of the issuing
authority, the registration authority and the CA. Once again, some commercial PKI solutions can
make assumptions, giving control of both the certificate policy and its management to a single
entity, thus failing to identify the separate role of the policy maker or issuing authority. This
is because many PKI business models give control of the certification policy to the CA, and while
this may seem sensible in some instances, it could be a dangerous practice in others.
Brand awareness
A company's brand is its most valuable asset and therefore it is imperative to protect an
organisation's brand online. If your PKI provider suffers a crisis of confidence, then so does a
company's brand - the certificate represents your company in cyberspace. If the certificates become
questionable, so does the company. Simply put, the guardianship of a company's brand name is
entrusted to a third party.
Crucial to any decisions about a digital certificate policy is defining who owns the CPS. If
somebody else fulfils the role of the issuing authority, then that somebody has taken over some of
the responsibility for a company's brand and there are inescapable restrictions to the usefulness
of the certificates.
Given that somebody else is unlikely to understand and prioritise a company's business as much as a
company would, giving this level of control may not always be wise.
Brand implications can be very visible too. For example, when customers view certificates issued by
a company, should they see a company's name or the name of the managed PKI supplier issuing the
certificates?
What is PKI?
Public key infrastructures enable users of insecure public networks such as the internet to
securely exchange data through the use of a public and a private cryptographic key pair. A PKI
consists of:
- A certificate authority that issues and verifies digital certificates.
- A registration authority that verifies the certificate authority before a digital certificate
is issued.
- Directories where certificates and their public keys are held.
- A certificate management system.
Bob Walder and the NSS Group
Bob Walder, a leading authority on network security, is one of the founders of the NSS Group and author of the NSS report, Gigabit IDS Group Test (Edition 1), which is available from the NSS website.
The NSS Group is Europe's foremost independent security testing facility. Based in the UK with separate security and network infrastructure testing facilities in the South of France, the NSS Group offers a range of specialist IT, networking and security-related services to suppliers and end-user organisations throughout Europe and the US.
Output from the labs, including detailed research reports, articles and white papers on the latest network and security technologies, is made available on the NSS website. A new report providing a detailed examination and extensive benchmarking of all the major players in the intrusion prevention systems market is currently in the testing phase, with publication due in the autumn of 2003. www.nss.co.uk/gigabitids
In-house or outsourced?
In-house
- The company has the maximum level of control over security
- Software licences and the necessary supporting infrastructure can be expensive
- Interoperability between the certification authority and the company is simplified
- There is no risk of breaching the certificate practice statement
- Ultimate control over a company's online image
Outsourced
- The supplier must be continuously and adequately insured
- The liability of the supplier must be stated clearly: the amount of liability a supplier will accept reflects its belief in its own services
- Suppliers can force customers into a "one size fits all" model which cannot be modified as the business grows
- A company cannot directly control its online image and integrity
This was first published in July 2003
