Why PKI? TC ENTERPRISE ID Determining the Business Value of Deploying
Transcription
Why PKI? TC ENTERPRISE ID Determining the Business Value of Deploying
TC ENTERPRISE ID Why PKI? Determining the Business Value of Deploying Digital Certificates © 2007 TC TrustCenter GmbH · A TC TrustCenter Whitepaper TC ENTERPRISE ID Why PKI? Whitepaper Introduction Today there is a wide range of technology, products and solutions for securing an enterprise’s electronic infrastructure. As with physical access security, the levels of security implemented should be commensurate with the level of complexity of the enterprise, the applications in use, the data in play, and the measurement of the overall risk at stake. The most basic method of electronic security, the password, is often the default authentication method for granting access to computing resources. While appropriate for some resources, it does not mean that this method alone is well suited where securing sensitive data is vital. This paper discusses some of the methods currently in use today to secure the electronic enterprise, and highlights the relevance of using Public Key Infrastructure (PKI) as a security mechanism for securing data, identifying users, and establishing a chain of trust. Today, PKI is most widely known and linked to Secure Sockets Layer (SSL) deployments. In this most prevalent use of PKI, a strong encrypted tunnel between two points is created and used for the duration of a connected session. This allows for the secure exchange of information from an end-user to a particular website, such as entering one’s username/password and credit card details. The use of SSL for on-line business has been widely adopted and generally works quite well for securely purchasing items over the Internet. However, there is much more to PKI than just SSL deployment. While SSL and PKI enable a secure environment to exchange information, SSL does not verify the individual on the other end of the transaction. A person can purchase goods on the Internet using SSL and still be sending over stolen credit card numbers. SSL will ensure that nobody else steals them while they are being transmitted! PKI, on the other hand, deployed with digital certificates associated to the individual, will automatically verify that the individual on the other side of the transaction is in fact the person you want to exchange information with. The ability to clearly verify the individual on the other side of a transaction opens up a much larger universe of information and applications that can be shared and processed. Companies routinely expose highly sensitive digital data that are central to their operations. This can range from storing transaction records of customers on laptops to electronic notarization of documents via the Web, to bank transfers, to any exchange or storage of digital information that you need to ensure is genuine, or that the person on the other end of the digital universe is the person they say they are. For those many and varied purposes, public key cryptography is widely recognized as the only practical mechanism capable of addressing this challenge in a controlled and managed way in a commercial environment. A full enterprise PKI-based security system may not be a fit for all business environments, but more and more companies are finding that they can benefit from using PKI to secure enterprise’s electronic infrastructure. According to a recent survey by the Aberdeen Group, the issuance of new certificates is growing over 50% each year and more technology solutions are providing native PKI support out-of-the-box.1 A full Enterprise PKI deployment offers a unique value in managing the risk of both internal and external communications between employees, partners and customers, and to secure transactions and communications across a wide range of disparate platforms, applications and devices. Definition of a PKI The concept of PKI has been around since 1976 and commercially available since 1994. A PKI enables users of a public network, such as the Internet, to securely and privately exchange data and business transactions through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority, also known as a Certificate Authority (CA). The public key infrastructure provides for a digital certificate that can identify an individual, an organization, or a device, and directory services that can store and, when necessary, revoke the certificates. 1 Derek E. Brink, (2007). Encryption and Key Management , retrieved October 16 http://www.aberdeen.com/summary/report/benchmark/4262-RA-encryption-key-management.asp 2/11 Along on Page 3 » en. 12 | 2007 TC TrustCenter GmbH Sonninstrasse 24-28 | 20097 Hamburg | Telefon +49 40 80 80 26 0 | Fax +49 40 80 80 26 126 | [email protected] | www.trustcenter.de TC ENTERPRISE ID Why PKI? Whitepaper » » The basic idea is that sensitive data is protected through encryption. Each end-user device has encryption software and two keys: a public key for distribution to other users, and a private key, which is kept and protected by the owner. A user encrypts a message using the recipient's public key. When the message is received, the user will decrypt it with his private key. Users may have multiple key pairs to maintain discrete communications with different groups. « Barton McKinley, The ABCs of PKI, CNN.com « How are Digital Certificates used in Today’s Enterprise? There are numerous applications that incorporate PKI in a typical corporate enterprise today. Some of the more common applications are as follows: > Web Server Authentication through Secure Socket Layer (SSL) > Virtual Private Network (VPN) Server Authentication (IPSec and SSL) > Client Authentication to Web Servers (Internet/Intranet/Extranet) and VPNs > Digital signing of e-mails, forms, documents and invoices > Encryption of e-mails, documents, forms, transactions and files in transit > Encryption of data at rest on laptops, thumb drives, mobile phones, etc. > Code signing / mobile phone code signing Electronic vs. Digital Signatures: There is generally much confusion between the terms “electronic signature” and “digital signature”, and often these terms are improperly used interchangeably. There is a major distinction between the two terms and they can be distinguished through the following definitions: > Electronic Signature: The Uniform Electronic Transactions Act2 (UETA) defines an electronic signature as "an electronic sound, symbol, or process, attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." The use of electronic signatures may broadly comply with some government signature legislations, but this process does not necessarily allow for data integrity assurance, or enforcement at a later time of the origin and time of the transaction. 2 UNIFORM ELECTRONIC TRANSACTIONS ACT (1999), http://www.law.upenn.edu/bll/archives/ulc/fnact99/1990s/ueta99.htm 3/11 Along on Page 4 » en. 12 | 2007 TC TrustCenter GmbH Sonninstrasse 24-28 | 20097 Hamburg | Telefon +49 40 80 80 26 0 | Fax +49 40 80 80 26 126 | [email protected] | www.trustcenter.de TC ENTERPRISE ID Why PKI? Whitepaper > Digital Signature: A digital signature is PKI-based and provides the controls required by organizations that must retain and prove the integrity, authenticity and reliability of electronically signed records (through real-time certificate and signature verification, timestamps, etc.). A digital signature is a form of electronic signature but implements asymmetric cryptography. Crypto-based digital signatures remain the only genuine way to secure valuable or sensitive communications and can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are: 1. Easily transportable; 2. Cannot be imitated by someone else; and 3. Can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later. Evaluating Your Enterprise Security Requirements Before evaluating any security technology and solutions, it is a good idea for a company to first assess all existing and forecasted security requirements. The following questions can assist you in your process to decide which technology may be right for your company: > Is there any sensitive information that needs to be protected? If so, what? > Make an inventory. Are they transaction based, forms based, data at rest? > How widely distributed is this sensitive data? Data Center, PCs, thumb drives? > What risks and liabilities are you looking to mitigate? > What are the consequences if this system or process is compromised? > Are these systems and data used internally, externally or a combination of both? > Do you project the number of users and applications to increase over time? > Do you need to allow external users access to data and applications? > How are these processes managed today? > What are the plans now, or in the future, for conducting on-line business? > Is there a current or future need for digitally signing forms, documents, invoices or eails? Is non-repudiation a requirement for any part of your enterprise? > Is there a current or future need for encrypting any data and/or e-mails? > Are there regulatory requirements applicable to your company pertaining to digital security? By answering the above questions, it becomes easier to determine the importance and priority of implementing security, including PKI initiatives, within your organization. General Security Practices in Place Today The following sections examine several methods of securing data and applications currently available today and some of the pros and cons of each for an organization. Passwords: Simple, but easy to foil The most commonly used authentication and access control in place at organizations today is the use of username and password. This is inexpensive to deploy and can be scaled to large numbers of users in an open IT environment. Unfortunately, 4/11 Along on Page 5 » en. 12 | 2007 TC TrustCenter GmbH Sonninstrasse 24-28 | 20097 Hamburg | Telefon +49 40 80 80 26 0 | Fax +49 40 80 80 26 126 | [email protected] | www.trustcenter.de TC ENTERPRISE ID Why PKI? Whitepaper password-based security controls are notoriously weak and susceptible to a range of well known attacks such as dictionary attacks, brute force hacking of central password repositories or even social engineering. One of the more common problems with using username and passwords is that users often cannot remember all of the various passwords required in day to day activities. These range from logging on to corporate networks, gaining remote access, accessing Intranets and portals, and the many other resources that now require username and password logins. This leads to users writing down their passwords on notes that are visible in their work space, as well as users forgetting their passwords and locking themselves out after numerous incorrect attempts at logging in. Password resets are the second most common reason workers call help desks, accounting for about one in four help desk requests3. Password resets alone require staffing and resources to handle 25% of help desk call volume. Given this reality, organizations will rarely, if ever, move valuable business on-line implementing only username/password security. Instead, these companies will opt for the use of secure socket layer (SSL) encryption to secure these transactions, with many now also coupling SSL with enduser client authentication certificates. One Time Password (OTP) Tokens: Two-factor authentication OTP Tokens, such as the RSA’s SecureID, address issues associated with using only username/passwords by implementing a second level of authentication control. This is known as ‘two-factor authentication’, allowing for ‘something you have’ (the OTP token) and ‘something you know’ (username and password) before authentication can be established. Dynamic tokens are generally key ring devices, or USB tokens, displaying a password that dynamically changes every 60 seconds upon entry of a PIN. Users must input both pieces of data to authenticate themselves, thus making this a much more secure authentication that is more difficult to crack. Although the resulting security is much greater, a big drawback is that this technology is expensive to deploy, requires an additional desktop and server component, and can only be effectively used for authentication (no digital signature or encryption capabilities). Some of the things that should be brought to attention before investing in this technology are: > It is expensive to deploy (particularly when a large number of users and/or external users are involved) > It is expensive to maintain (again, if large or external user groups involved) > Often requires proprietary desktop component > Authentication only (limited investment payback) > Limited to what it can support in terms of supporting broader online and enterprise security issues and challenges Biometrics: Promising, but not yet ready Biometrics measure and analyze physical characteristics that can be applied to authentication purposes. Some examples of these physical characteristics include fingerprints, eye retinas and irises, facial patterns and hand measurements. The main advantages of using biometrics are: > Biometric characteristics cannot be lost or forgotten (while passwords can) > Biometric traits are difficult to copy, share and distribute (passwords can be visibly posted or shared with people that shouldn’t have access) > Biometrics require the person being authenticated to be physically present at the time and point of authentication 3 Microsoft Speech Solutions: Password Reset, retrieved October 17, 2007, http://www.microsoft.com/speech/solutions/pword/default.mspx 5/11 Along on Page 6 » en. 12 | 2007 TC TrustCenter GmbH Sonninstrasse 24-28 | 20097 Hamburg | Telefon +49 40 80 80 26 0 | Fax +49 40 80 80 26 126 | [email protected] | www.trustcenter.de TC ENTERPRISE ID Why PKI? Whitepaper Biometric systems can also be used in conjunction with passwords or tokens, thus improving the security of existing systems without replacing them. The biggest concern about using biometrics is the fact that once a fingerprint or other biometric source has been compromised, it is compromised for life since users can never change their fingerprints. Theoretically, a stolen biometric could cause a victim many problems for a very long period of time. There have also been a few recent concerns regarding the systems in use that authenticate biometrics. For example, a recent television episode of “Mythbusters” focused on attempts to break into a commercial security door equipped with biometric authentication. After experimenting with a few different techniques, the crew was able to bypass the security door’s authentication system with a printed scan of a fingerprint after it had been dampened. Bypassing this biometric system so easily suggests that biometrics may not yet be a reliable strong form of authentication. Smart Cards: Powerful authentication in a small card The use of smart cards not only improves security through its two-factor authentication, but it also makes life easier for employees since they no longer have to remember a different password for every application. Contact smart cards have a small gold chip about 1/2 inch in diameter on the front. When inserted into a reader, the chip makes contact with electrical connectors that can read information from the chip and write information back. Contact smart card readers are used as a communications medium between the smart card and a host, e.g. a computer, a point of sale terminal, or a mobile telephone. Smart cards can be used with passwords only (PINs) or used with PKI to contain certificates and keys. Some of the more common uses of PKI enabled smart cards are for single sign on, digital signing, encryption and remote access authentication. The costs for help desk support can be reduced significantly using smart card-based single sign on, eliminating many passwords that do not have to be remembered and therefore reset when forgotten. Some examples of large scale deployments of smart cards in use today include the U.S. Department of Defense’s Common Access Card (CAC), and the use of various smart cards by many world governments as identification cards for their citizens. Microsoft has also recently promoted the use of smart cards as a way to enhance security, and most laptops are now shipping with smart card readers already built in. Smart cards require a smart card management system to manage all possible processes and events – from the loss of a card or password, to renewing, revoking or issuing a recovery card. For this system to work successfully in an enterprise, the management system has to be simple to use and able to fully manage the various workflows of smart card use. One such smart card management system is TC TrustCenter’s TC Enterprise ID Smart Card Manager (EID SCM). EID SCM is a perfected system which enables the cost effective management of smart cards or tokens based on its integrated workflows. EID SCM also integrates fully into existing corporate or Meta directories and ties in with a PKI for efficient delivery of PKI enabled smart cards. PKI and Digital Certificates: Combines ease of use with strong authentication PKI systems are widely acknowledged by enterprise security analysts as the best security available to control strong authentication, secure data and communications, and provide for digital signing to meet data integrity and non-repudiation requirements. Additionally, companies who need a single security technology that can support multiple applications, processes and platforms, choose PKI. A Public Key Infrastructure is a comprehensive system for managing the lifecycle of digital certificates and the corresponding public and private key pairs. A PKI system is generally composed of the following: > A Certificate Authority (CA) to issue end user certificates (trusted or private) > Support of the X.509 framework where a Certificate Authority issues a certificate that binds a public key to a particular distinguished name (e-mail address, DNS address, IP address) 6/11 Along on Page 7 » en. 12 | 2007 TC TrustCenter GmbH Sonninstrasse 24-28 | 20097 Hamburg | Telefon +49 40 80 80 26 0 | Fax +49 40 80 80 26 126 | [email protected] | www.trustcenter.de TC ENTERPRISE ID Why PKI? Whitepaper > End user registration process (face-to-face, pre-authorization) > A certificate repository (such as LDAP) > Certificate revocation process > Current list of revoked certificates available for lookups (CRL, OSCP) > Key backup and recovery At the core of a PKI is a Certificate Authority (CA), which issues unique digital certificates to each individual user. Certificates contain two keys, a public key and a private key, which are used for various authentication, signature, and encryption procedures. Digital certificates can be used for many electronic processes such as authentication to a web resource, signing e-mails or forms, and encryption of e-mail messages. Whenever a certificate is being used, it is validated to confirm the current status of the credential to ensure that it has not been revoked or suspended. Throughout these processes, individual certificates can only be used in accordance with the policy associated with it. Different certificates (and users) will naturally have different rights and entitlements, which are agreed and defined by the organization at the outset. Some of the many benefits of implementing a PKI include: > A single credential (certificate) per user which can be used for multiple processes and applications, in lieu of having multiple usernames and passwords. This is a significant administration benefit as user groups grow. > Use of digital signatures to provide a persistent and auditable record of transactions. > The same PKI investment can also be used to secure site-to-site connections, extranets, server-to-server communications, device authentication, etc. > Digital certificates, either on smart cards, tokens or the desktop, can use a strong passphrase to protect access to the private key/certificate itself. Although using a passphrase, there are still clear differences over the use of standard weaknesses associated with passwords in general. Not only would someone have to guess the password, but the certificate must be present, valid and not revoked. Organizations can also mandate ‘two-factor’ authentication to unlock access to the certificate (e.g. use USB token + passphrase). > Social engineering attacks to find passwords are a major issue for corporations. With PKI, support administrators may suspend your certificate while an issue is resolved, but they will not have the right to revoke/access your passphrase. Certificate revocation is a central PKI function and the authorized security system operators are the only people that can do this. > Another common password attack is through brute force on a central password repository where hackers can compromise a large number of user accounts. These active attacks are often perpetrated by internal parties. With PKI, there is no central password/passphrase repository. Once end users are issued unique passphrases (e.g. through a PIN delivery mechanism such as a mailer, e-mail or SMS text), there is no duplicate store. This prevents any single point of attack and preserves the integrity of the system. Challenges of implementing PKI Valid criticisms of PKI in the past have been: 1. It is often difficult and expensive to implement and manage in-house. 2. The time it takes to build, deploy and begin to see return on the investment. 3. Your staff has to integrate PKI into the portfolio of applications. Until recently, organizations desiring to implement PKI were faced with two choices: they could build it, staff it, and operate it themselves or have somebody else build it, staff it, and operate it for them through a managed service. Both involved physically building infrastructure capital expenditures, perpetual license fees, changes to existing IT infrastructure as well as hardware and software purchases. All involved undertaking projects that could last many months before benefits could begin to be realized. 7/11 Along on Page 8 » en. 12 | 2007 TC TrustCenter GmbH Sonninstrasse 24-28 | 20097 Hamburg | Telefon +49 40 80 80 26 0 | Fax +49 40 80 80 26 126 | [email protected] | www.trustcenter.de TC ENTERPRISE ID Why PKI? Whitepaper TC TrustCenter offers a new alternative – On-Demand PKI. Unlike traditional in-house PKI implementations or traditional managed services, TC TrustCenter is the world’s first PKI platform that can be deployed across multiple clients in a web-based Security as a Service model, enabling any sized enterprise to achieve PKI security in as little as 2 weeks with no capital costs, hardware or network changes. TC TrustCenter’s unique platform enables many organizations to share PKI without the need for additional dedicated hardware, software, personnel and their related costs. TC TrustCenter was also designed to be highly configurable by each customer, so they do not have to tradeoff functionality for cost. Additionally, On-Demand PKI is faster to install. Since all the enabling infrastructure exists, On-Demand PKI is configurable and can be online within a few weeks. While TC TrustCenter has addressed the first two adoption issues, the application vendor community has addressed the 3rd. The vast majority of today’s commercially available applications and infrastructure support PKI natively out-of-the-box, dramatically reducing the need for in-house integration and further reducing the time to realize returns from a PKI investment. The Financial Returns of Using PKI Similar to any infrastructure, a PKI will not, in itself, deliver a return on investment – but the applications that benefit from PKI will. The financial return will therefore be application specific, company-specific and industry-specific. Organizations can improve business performance and achieve significant efficiencies by securing common, everyday office applications (such as Windowsbased applications). The real benefits, however, lie in leveraging PKI technology with business-critical applications; applications that play a core role in your company’s day-to-day business activity. Public Key-enabled applications typically deliver business benefits within four high-level categories: 1. New Revenue Opportunities The central issue to consider is the range of business processes that can be brought on-line with PKI (relative to the more limited range available if ‘lesser’ security technologies are employed). There are many more applications than ever that are now PKI-aware. The ability to exchange information securely over a public network opens up a vast array of digital business opportunities not previously possible. One example is a 50 year old organization in a very staid business that has dramatically expanded revenue opportunities for its members. The National Notary Association (NNA), established in 1957, added an Electronic Notary Seal (ENS™) program to provide a digital certificate that confirms a notary’s commission to speed submission of sensitive documents to financial institutions and help prevent forgeries. The ability to connect with all your stakeholders over a ubiquitous network (the internet) securely and with mutual confidence is the key. 2. Cost Savings Reducing internal costs also represents a key driver for implementing PKI. Cost-based financial returns are typically achieved through some combination of the following: > Cost Savings: The new or improved business process is less expensive. > Cost Avoidance: The new or improved business process scales to higher levels. > Efficiency: The new or improved business process saves time. > Effectiveness: The new or improved business process increases productivity. 3. Compliance Compliance generally refers to one of the following four categories: Regulatory, Partner, Customer, and Competitive. 8/11 weiter auf Seite 9 » en. 12 | 2007 TC TrustCenter GmbH Sonninstrasse 24-28 | 20097 Hamburg | Telefon +49 40 80 80 26 0 | Fax +49 40 80 80 26 126 | [email protected] | www.trustcenter.de TC ENTERPRISE ID Inbetriebnahme Why PKI? Whitepaper der Chipkarte TC QSign > Regulatory Compliance: where failure to implement could mean fines, loss of revenues, jail terms, etc. Examples of regulatory compliance include HIPAA regulations for the U.S. healthcare industry, SAFE for Bio-Pharma industry, and HSPD-12 for the U.S. federal government. > Partner Compliance: where failure to implement could mean losing your ability to participate with a key partner or group of partners. Some examples would be the IdenTrust model for financial companies, and the Federal Bridge cross-certification for the U.S. federal government. > Customer Compliance: where failure to implement could mean the loss of a business relationship with a key account. An example would be that in order to continue to be a supplier with a certain company, all contracts renewed must implement technology, such as digital signatures of all invoices by a certain date. > Competitive Compliance: where failure to implement could mean the loss of competitiveness. 4. Risk Mitigation Risk mitigation investments should be focused on things that are worth protecting, such as highvalue information and high-value, or high-volume, transactions. Some examples would be any information that is related to generating revenue, operational or administrative information, research, new product plans, marketing plans, customer databases, and any information that must be protected by law (such as personnel and financial records). Once the information component itself has been identified, companies must quantify the impact (or risk) of this data being compromised in any way. For example: > Productivity Loss: What would the financial impact be if a security breach caused a sustained disruption of internal processes and communications? > Monetary Loss: What would the financial impact be if there was a security-related corruption of an accounting or financial system? > Indirect Loss: What would the financial impact be if a security breach happened? Examples of this could be the loss of potential sales, competitive advantage, negative publicity, goodwill and trust. Indirect losses are among the most difficult to quantify but also among the most compelling in the risk-mitigation category, especially for those businesses built on the fundamental foundation of “trust.” > Legal Exposure: What would be the financial impact of failure to meet contractual milestones or meet statutory regulations for the privacy of data? Proven Success Unlike other vendors of PKI, TC TrustCenter’s product offerings have been proven in the marketplace with a large range of quality PKI deployments – covering numerous vertical markets and geographical regions. Some of the benefits of working with TC TrustCenter for your On-Demand PKI deployment are: > On-Demand PKI dramatically reduces set-up expenses, operating costs, and deployment time. > Extensive deployment experience in a variety of automotive, financial, utility, service, and healthcare industries. > More than 10+ years experience and 3.500 customers worldwide. > TC TrustCenter has several Trusted Roots embedded in 99% of the world’s web browsers (Internet Explorer, FireFox, Netscape, Opera, etc.). > National and International accreditations: European Signature law, German Digital Signature law, SISAC, and ETSI. > On-Demand PKI that offers a “pay as you grow” pricing model. 9/11 weiter auf Seite 10 » en. 12 | 2007 TC TrustCenter GmbH Sonninstrasse 24-28 | 20097 Hamburg | Telefon +49 40 80 80 26 0 | Fax +49 40 80 80 26 126 | [email protected] | www.trustcenter.de TC ENTERPRISE ID Why PKI? Whitepaper Summary Understanding your current and future business environment is key to making the correct decision with regard to enterprise security. Easy alternatives are plentiful, but an enterprise must balance immediate challenges with broader initiatives and current projects with emerging IT trends. Once this is understood, your security investment can be sustainable, productive, and ultimately deliver a solid return on technology investment. PKI has emerged as the best balance of strong security, commercial availability, and cost effectiveness. Time tested and continuously improved since its commercial introduction in 1994, the introduction of TC TrustCenter’s On-Demand PKI delivery model drives the cost down dramatically without sacrificing protection and guaranteed service levels. Not unlike insurance, digital security has become a required expense in doing digital business. Also like insurance, if the same coverage can be purchased for less with the same or better service, then it is the responsibility of those who control security spending to investigate. If PKI is the path for your organization, then you must ask yourself the best way to implement it. Today you have three choices: 1. Build and manage the PKI in-house 2. Use a traditional Managed Service PKI 3. On-Demand PKI with TC TrustCenter In general, a managed PKI is more cost effective and easier to implement than an in-house solution, with over a 50% difference in cost between in-house PKI and a traditional Managed PKI. The new On-Demand PKI model, however, drives these costs down by an additional 50% for the same PKI functionality. When combined with a faster implementation time, the ROI on PKI is dramatically altered in favor of the using organization. The implications are wide spread. Companies who could not previously afford PKI can now have the same security used by the world’s largest organizations. Customers can get their system up and running more quickly, and “pay as they grow”…rather than “paying up front”. Another important detail to point out is that in-house deployments are most times established using a self-signed Root, which is not trusted outside of their enterprise. So, in addition to the costs associated with establishing an in-house deployment, when any company wants to communicate outside of their own organization these certificates will not be trusted. However, using a trusted Root, such as TC TrustCenter’s, you can ensure securing of your certificates and transactions. As a part of your investment decision, we recommend a similar analysis be conducted using your projected number of users and specific costing for your organization. A TC TrustCenter representative is prepared to assist. Contact Us About TC TrustCenter TC TrustCenter GmbH, a wholly owned subsidiary of ChosenSecurity, Inc., is a leading specialist for certificates and security solutions along the entire value chain of identity verification. The portfolio includes web security services for the protection of e-commerce transactions, managed security services, and complex PKI solutions including comprehensive consulting services. TC TrustCenter has experience in many national, international and global projects in various industries for more than ten years. TC TrustCenter is an accredited certification service provider according to German signature law, European signature law, IdenTrust and SISAC. For more information, please visit www.trustcenter.de. 10/11 weiter auf Seite 11 » en. 12 | 2007 TC TrustCenter GmbH Sonninstrasse 24-28 | 20097 Hamburg | Telefon +49 40 80 80 26 0 | Fax +49 40 80 80 26 126 | [email protected] | www.trustcenter.de All rights reserved. No information or images, fully or partially, in any form or by any means, may be reproduced, copied, duplicated, published or used in electronic systems or translations without the prior written consent of TC TrustCenter. This represents a crime, excluding printing and duplicating for one's own use. All information in this document is compiled with great care. Neither TC TrustCenter nor the author is liable for any damages may occur in connection with the use of this document. All brands, product names and trademarks used in this document, are trademarks or service marks of the respective owners. Copyright © 2007 TC TrustCenter GmbH, Sonninstrasse 24 - 28, 20097 Hamburg, Germany. All rights reserved