TC ENTERPRISE ID
Why PKI?
Determining the Business Value of Deploying Digital Certificates
© 2007 TC TrustCenter GmbH · A TC TrustCenter Whitepaper
Introduction
Today there is a wide range of technology, products and solutions for securing an enterprise’s electronic infrastructure. As
with physical access security, the level of security implemented should be commensurate with the complexity of the
enterprise, the applications in use, the data in play, and the overall risk at stake. The most basic method
of electronic security, the password, is often the default authentication method for granting access to computing resources.
While appropriate for some resources, this method alone is not well suited to situations where securing sensitive data
is vital. This paper discusses some of the methods currently in use to secure the electronic enterprise, and highlights
the relevance of Public Key Infrastructure (PKI) as a security mechanism for securing data, identifying users, and establishing a chain of trust.
Today, PKI is most widely known and linked to Secure Sockets Layer (SSL) deployments. In this most prevalent use of PKI, a
strong encrypted tunnel between two points is created and used for the duration of a connected session. This allows for the
secure exchange of information from an end-user to a particular website, such as entering one’s username/password and
credit card details. The use of SSL for on-line business has been widely adopted and generally works quite well for securely
purchasing items over the Internet. However, there is much more to PKI than just SSL deployment.
While SSL and PKI enable a secure environment to exchange information, SSL does not verify the individual on the other end
of the transaction. A person can purchase goods on the Internet using SSL and still be sending over stolen credit card numbers.
SSL will ensure that nobody else steals them while they are being transmitted! PKI, on the other hand, deployed with digital
certificates associated to the individual, will automatically verify that the individual on the other side of the transaction is in
fact the person you want to exchange information with. The ability to clearly verify the individual on the other side of a
transaction opens up a much larger universe of information and applications that can be shared and processed.
Companies routinely expose highly sensitive digital data that are central to their operations. This can range from storing
transaction records of customers on laptops to electronic notarization of documents via the Web, to bank transfers, to any
exchange or storage of digital information that you need to ensure is genuine, or that the person on the other end of the
digital universe is the person they say they are. For those many and varied purposes, public key cryptography is widely
recognized as the only practical mechanism capable of addressing this challenge in a controlled and managed way in a
commercial environment.
A full enterprise PKI-based security system may not be a fit for all business environments, but more and more companies are
finding that they can benefit from using PKI to secure their enterprise’s electronic infrastructure. According to a recent survey by
the Aberdeen Group, the issuance of new certificates is growing over 50% each year and more technology solutions are
providing native PKI support out-of-the-box.[1] A full Enterprise PKI deployment offers a unique value in managing the risk of
both internal and external communications between employees, partners and customers, and in securing transactions and
communications across a wide range of disparate platforms, applications and devices.
Definition of a PKI
The concept of PKI has been around since 1976 and has been commercially available since 1994.
A PKI enables users of a public network, such as the Internet, to securely and privately exchange data and business transactions
through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority, also
known as a Certificate Authority (CA). The public key infrastructure provides for a digital certificate that can identify an individual, an organization, or a device, and directory services that can store and, when necessary, revoke the certificates.
[1] Derek E. Brink (2007). Encryption and Key Management, retrieved October 16,
http://www.aberdeen.com/summary/report/benchmark/4262-RA-encryption-key-management.asp
en. 12 | 2007
TC TrustCenter GmbH
Sonninstrasse 24-28 | 20097 Hamburg | Telefon +49 40 80 80 26 0 | Fax +49 40 80 80 26 126 | [email protected] | www.trustcenter.de
» The basic idea is that sensitive data is protected through encryption. Each end-user device has encryption software and
two keys: a public key for distribution to other users, and a private key, which is kept and protected by the owner. A user
encrypts a message using the recipient's public key. When the message is received, the user will decrypt it with his private
key. Users may have multiple key pairs to maintain discrete communications with different groups. «
Barton McKinley, The ABCs of PKI, CNN.com
How are Digital Certificates used in Today’s Enterprise?
There are numerous applications that incorporate PKI in a typical corporate enterprise today. Some of the more common
applications are as follows:
> Web Server Authentication through Secure Sockets Layer (SSL)
> Virtual Private Network (VPN) Server Authentication (IPSec and SSL)
> Client Authentication to Web Servers (Internet/Intranet/Extranet) and VPNs
> Digital signing of e-mails, forms, documents and invoices
> Encryption of e-mails, documents, forms, transactions and files in transit
> Encryption of data at rest on laptops, thumb drives, mobile phones, etc.
> Code signing / mobile phone code signing
Electronic vs. Digital Signatures:
There is generally much confusion between the terms “electronic signature” and “digital signature”, and often these terms
are improperly used interchangeably. There is a major distinction between the two terms and they can be distinguished
through the following definitions:
> Electronic Signature: The Uniform Electronic Transactions Act[2] (UETA) defines an electronic
signature as "an electronic sound, symbol, or process, attached to or logically associated with
a record and executed or adopted by a person with the intent to sign the record." The use of
electronic signatures may broadly comply with some government signature legislation,
but this process does not necessarily allow for data integrity assurance, or for later
enforcement of the origin and time of the transaction.
[2] Uniform Electronic Transactions Act (1999),
http://www.law.upenn.edu/bll/archives/ulc/fnact99/1990s/ueta99.htm
> Digital Signature: A digital signature is PKI-based and provides the controls required by organizations
that must retain and prove the integrity, authenticity and reliability of electronically signed records
(through real-time certificate and signature verification, timestamps, etc.). A digital signature is a form
of electronic signature but implements asymmetric cryptography. Crypto-based digital signatures remain
the only genuine way to secure valuable or sensitive communications and can be used to authenticate
the identity of the sender of a message or the signer of a document, and possibly to ensure that the
original content of the message or document that has been sent is unchanged. Digital signatures:
1. are easily transportable;
2. cannot be imitated by someone else; and
3. can be automatically time-stamped.
The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.
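The three properties just listed, and the integrity check behind them, as an added Go example (written for this edit; not TC TrustCenter's code): the signer hashes the document together with the signing time it asserts and signs the hash with its private key; anyone holding the public key can verify it, and a changed document, a changed time or a signature made with someone else's key all fail. The invoice text is a constructed sample. The signing time here is the signer's own claim; a timestamp an independent party vouches for would be added on top by a time-stamping authority, which is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// SignedRecord is the signed document plus the signing time the signer asserts.
// The signature covers both, so neither can be altered afterwards without
// invalidating it.
type SignedRecord struct {
	Document    []byte
	SigningTime time.Time
	Signature   []byte
}

// NewSignerKey generates the signer's key pair. The private half stays with the
// signer (on a smart card or token in practice); the public half is what a
// certificate would bind to the signer's identity.
func NewSignerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digest hashes the document together with the asserted signing time.
func digest(document []byte, at time.Time) []byte {
	h := sha256.New()
	h.Write(document)
	h.Write([]byte(at.UTC().Format(time.RFC3339)))
	return h.Sum(nil)
}

// Sign creates the record; only the holder of the private key can do this.
func Sign(signer *ecdsa.PrivateKey, document []byte, at time.Time) (*SignedRecord, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest(document, at))
	if err != nil {
		return nil, err
	}
	return &SignedRecord{Document: document, SigningTime: at, Signature: sig}, nil
}

// Verify recomputes the digest from the record as received and checks it against
// the signer's public key. A changed document, a changed time, or a signature
// made with someone else's key all fail.
func Verify(signerPub *ecdsa.PublicKey, rec *SignedRecord) bool {
	return ecdsa.VerifyASN1(signerPub, digest(rec.Document, rec.SigningTime), rec.Signature)
}

func main() {
	key, _ := NewSignerKey()
	invoice := []byte("Invoice 2007-0042: 1,250.00 EUR") // constructed sample
	rec, _ := Sign(key, invoice, time.Now())
	fmt.Println("original verifies:", Verify(&key.PublicKey, rec))

	altered := *rec // copy the record and change the amount after signing
	altered.Document = []byte("Invoice 2007-0042: 9,250.00 EUR")
	fmt.Println("altered amount verifies:", Verify(&key.PublicKey, &altered))
}
```

The record is just bytes, so it is as transportable as the document itself, and non-repudiation follows from the fact that only the private key could have produced a signature that verifies under the signer's public key.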
Evaluating Your Enterprise Security Requirements
Before evaluating any security technology and solutions, it is a good idea for a company to first assess all existing and forecasted
security requirements. The following questions can assist you in your process to decide which technology may be right for
your company:
> Is there any sensitive information that needs to be protected? If so, what?
> Make an inventory. Are they transaction based, forms based, data at rest?
> How widely distributed is this sensitive data? Data Center, PCs, thumb drives?
> What risks and liabilities are you looking to mitigate?
> What are the consequences if this system or process is compromised?
> Are these systems and data used internally, externally or a combination of both?
> Do you project the number of users and applications to increase over time?
> Do you need to allow external users access to data and applications?
> How are these processes managed today?
> What are the plans now, or in the future, for conducting on-line business?
> Is there a current or future need for digitally signing forms, documents, invoices or e-mails?
> Is non-repudiation a requirement for any part of your enterprise?
> Is there a current or future need for encrypting any data and/or e-mails?
> Are there regulatory requirements applicable to your company pertaining to digital security?
By answering the above questions, it becomes easier to determine the importance and priority of implementing security,
including PKI initiatives, within your organization.
General Security Practices in Place Today
The following sections examine several methods of securing data and applications currently available today and some of
the pros and cons of each for an organization.
Passwords: Simple, but easy to foil
The most commonly used authentication and access control in place at organizations today is the use of username and password. This is inexpensive to deploy and can be scaled to large numbers of users in an open IT environment. Unfortunately,
password-based security controls are notoriously weak and susceptible to a range of well known attacks such as dictionary
attacks, brute force hacking of central password repositories or even social engineering.
One of the more common problems with using username and passwords is that users often cannot remember all of the
various passwords required in day to day activities. These range from logging on to corporate networks, gaining remote
access, accessing Intranets and portals, and the many other resources that now require username and password logins. This
leads to users writing down their passwords on notes that are visible in their work space, as well as users forgetting their passwords and locking themselves out after numerous incorrect attempts at logging in. Password resets are the second most
common reason workers call help desks, accounting for about one in four help desk requests.[3] Handling that 25% of help desk call volume requires staffing and resources dedicated to password resets alone.
Given this reality, organizations will rarely, if ever, move valuable business on-line implementing only username/password
security. Instead, these companies will opt for the use of Secure Sockets Layer (SSL) encryption to secure these transactions,
with many now also coupling SSL with end-user client authentication certificates.
One Time Password (OTP) Tokens: Two-factor authentication
OTP tokens, such as RSA’s SecurID, address the issues associated with using only username/passwords by implementing a
second level of authentication control. This is known as ‘two-factor authentication’: both ‘something you have’ (the OTP
token) and ‘something you know’ (username and password) are required before authentication can be established. Dynamic tokens are
generally key ring devices, or USB tokens, displaying a password that dynamically changes every 60 seconds upon entry of a
PIN. Users must input both pieces of data to authenticate themselves, making this a much stronger form of authentication
that is more difficult to crack. Although the resulting security is much greater, a big drawback is that this technology is expensive to deploy, requires an additional desktop and server component, and can only be effectively used for authentication (no
digital signature or encryption capabilities).
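To make the token mechanism concrete, here is an added Go implementation (written for this edit; it is neither RSA's nor TC TrustCenter's code, and SecurID itself used a proprietary algorithm) of the open HOTP and TOTP algorithms (RFC 4226 and RFC 6238), which implement the same idea: a secret shared between the token and the server, combined with a counter derived from the clock, yields a short code that changes every step, and the server accepts only a narrow window of codes. The secret is the RFC test value, not a real token seed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP computes the RFC 4226 one-time password for a shared secret and counter:
// HMAC-SHA1 over the counter, dynamically truncated to a 31-bit value, reduced
// to the requested number of decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP (RFC 6238) derives the counter from the clock, so the code changes every
// step; this is what the token on the key ring displays.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix())/uint64(step.Seconds()), digits)
}

// VerifyTOTP is the server side. It accepts the current step and one step on
// either side (clock drift, typing delay) and compares in constant time so the
// comparison itself leaks nothing about the expected code.
func VerifyTOTP(secret []byte, candidate string, at time.Time, step time.Duration, digits int) bool {
	counter := uint64(at.Unix()) / uint64(step.Seconds())
	for delta := -1; delta <= 1; delta++ {
		c := uint64(int64(counter) + int64(delta))
		if subtle.ConstantTimeCompare([]byte(HOTP(secret, c, digits)), []byte(candidate)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// RFC 4226/6238 test secret; a real token seed is provisioned per device and never reused.
	secret := []byte("12345678901234567890")
	step := 60 * time.Second // the 60-second window the text describes
	now := time.Now()
	code := TOTP(secret, now, step, 6)
	fmt.Println("token displays:", code)
	fmt.Println("server accepts now:", VerifyTOTP(secret, code, now, step, 6))
	fmt.Println("server accepts 5 minutes later:", VerifyTOTP(secret, code, now.Add(5*time.Minute), step, 6))
}
```

The PIN or password ("something you know") is checked separately by the server; the code alone proves only possession of the seeded token, which is why the text treats OTP as an authentication-only technology: there is no key here that could sign or encrypt anything.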
Some of the things that should be brought to attention before investing in this technology are:
> It is expensive to deploy (particularly when a large number of users and/or external users are involved)
> It is expensive to maintain (again, if large or external user groups involved)
> Often requires a proprietary desktop component
> Authentication only (limited investment payback)
> Limited in its ability to address broader online and enterprise security issues and challenges
Biometrics: Promising, but not yet ready
Biometrics measure and analyze physical characteristics that can be applied to authentication purposes. Some examples of
these physical characteristics include fingerprints, eye retinas and irises, facial patterns and hand measurements.
The main advantages of using biometrics are:
> Biometric characteristics cannot be lost or forgotten (while passwords can)
> Biometric traits are difficult to copy, share and distribute (passwords can be visibly posted
or shared with people that shouldn’t have access)
> Biometrics require the person being authenticated to be physically present at the time
and point of authentication
[3] Microsoft Speech Solutions: Password Reset, retrieved October 17, 2007,
http://www.microsoft.com/speech/solutions/pword/default.mspx
Biometric systems can also be used in conjunction with passwords or tokens, thus improving the security of existing systems
without replacing them.
The biggest concern about using biometrics is the fact that once a fingerprint or other biometric source has been compromised,
it is compromised for life since users can never change their fingerprints. Theoretically, a stolen biometric could cause a victim
many problems for a very long period of time.
There have also been a few recent concerns regarding the systems in use that authenticate biometrics. For example, a recent
television episode of “Mythbusters” focused on attempts to break into a commercial security door equipped with biometric
authentication. After experimenting with a few different techniques, the crew was able to bypass the security door’s
authentication system with a printed scan of a fingerprint after it had been dampened. Bypassing this biometric system so
easily suggests that biometrics may not yet be a reliable strong form of authentication.
Smart Cards: Powerful authentication in a small card
The use of smart cards not only improves security through its two-factor authentication, but it also makes life easier for
employees since they no longer have to remember a different password for every application.
Contact smart cards have a small gold chip about 1/2 inch in diameter on the front. When inserted into a reader, the chip
makes contact with electrical connectors that can read information from the chip and write information back. Contact smart
card readers are used as a communications medium between the smart card and a host, e.g. a computer, a point of sale
terminal, or a mobile telephone.
Smart cards can be used with passwords only (PINs) or used with PKI to contain certificates and keys. Some of the more
common uses of PKI enabled smart cards are for single sign on, digital signing, encryption and remote access authentication.
The costs for help desk support can be reduced significantly using smart card-based single sign on, eliminating many passwords
that do not have to be remembered and therefore reset when forgotten.
Some examples of large scale deployments of smart cards in use today include the U.S. Department of Defense’s Common
Access Card (CAC), and the use of various smart cards by many world governments as identification cards for their citizens.
Microsoft has also recently promoted the use of smart cards as a way to enhance security, and most laptops are now shipping
with smart card readers already built in.
Smart cards require a smart card management system to manage all possible processes and events – from the loss of a card
or password, to renewing, revoking or issuing a recovery card. For this system to work successfully in an enterprise, the management system has to be simple to use and able to fully manage the various workflows of smart card use.
One such smart card management system is TC TrustCenter’s TC Enterprise ID Smart Card Manager (EID SCM). EID SCM is a
perfected system which enables the cost effective management of smart cards or tokens based on its integrated workflows.
EID SCM also integrates fully into existing corporate or Meta directories and ties in with a PKI for efficient delivery of PKI
enabled smart cards.
PKI and Digital Certificates: Combines ease of use with strong authentication
PKI systems are widely acknowledged by enterprise security analysts as the best security available to control strong
authentication, secure data and communications, and provide for digital signing to meet data integrity and non-repudiation
requirements. Additionally, companies who need a single security technology that can support multiple applications, processes
and platforms, choose PKI.
A Public Key Infrastructure is a comprehensive system for managing the lifecycle of digital certificates and the corresponding
public and private key pairs. A PKI system is generally composed of the following:
> A Certificate Authority (CA) to issue end user certificates (trusted or private)
> Support of the X.509 framework where a Certificate Authority issues a certificate that binds
a public key to a particular distinguished name (e-mail address, DNS address, IP address)
> End user registration process (face-to-face, pre-authorization)
> A certificate repository (such as LDAP)
> Certificate revocation process
> Current list of revoked certificates available for lookups (CRL, OCSP)
> Key backup and recovery
At the core of a PKI is a Certificate Authority (CA), which issues unique digital certificates to each individual user. Each
certificate is tied to two keys, a public key and a private key, which are used for various authentication, signature, and
encryption procedures. Digital certificates can be used for many electronic processes such as authentication to a web resource,
signing e-mails or forms, and encryption of e-mail messages. Whenever a certificate is used, it is validated to confirm the
current status of the credential and to ensure that it has not been revoked or suspended. Throughout these processes, an
individual certificate can only be used in accordance with the policy associated with it. Different certificates (and users) will
naturally have different rights and entitlements, which are agreed and defined by the organization at the outset.
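The cycle this paragraph and the component list describe, as an added Go example (written for this edit; it is not TC TrustCenter's code, and the CA name and user addresses are constructed): a CA issues certificates that bind each user's public key to an e-mail address, publishes a CRL, and a relying party validates a certificate against its trust store and that CRL each time the certificate is used. Two points the code makes explicit that the prose does not: the certificate carries only the user's public key while the private key stays with the user, and the same certificate that validates inside the organization is rejected by a partner whose trust store lacks the root, which is the situation the Summary describes for in-house self-signed roots.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a fresh key pair and has signer certify its public key; signer == nil means self-signed.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA is the Certificate Authority at the core of the PKI: a self-signed root
// whose key signs user certificates and revocation lists. The name is hypothetical.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Enterprise CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return newCert(tmpl, tmpl, nil)
}

// IssueUserCert binds one user's public key to their e-mail address under the CA's signature.
// Only the public key goes into the certificate; the private key is generated here for the
// demonstration and in practice is created on, and never leaves, the user's token.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	return newCert(tmpl, ca, caKey)
}

// IssueCRL publishes the CA-signed list of revoked serial numbers that relying parties look up.
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revokedSerials ...*big.Int) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revokedSerials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Validate is what a relying party does each time a certificate is used: chain and validity-period
// check against the roots it trusts, then a revocation check against a CRL verified as CA-signed and current.
func Validate(cert *x509.Certificate, trustedRoots *x509.CertPool, ca *x509.Certificate, crl *x509.RevocationList) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trustedRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("not trusted: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired %s; refuse until a fresh one is fetched", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s has been revoked", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	ca, caKey, _ := NewCA()
	alice, _, _ := IssueUserCert(ca, caKey, "alice@example.com", 2) // constructed users
	bob, _, _ := IssueUserCert(ca, caKey, "bob@example.com", 3)
	crl, _ := IssueCRL(ca, caKey, bob.SerialNumber) // Bob reported his token lost
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("alice, in-house:", Validate(alice, trusted, ca, crl))
	fmt.Println("bob, in-house:", Validate(bob, trusted, ca, crl))
	// A partner whose trust store lacks this root rejects the same certificate.
	fmt.Println("alice, at partner:", Validate(alice, x509.NewCertPool(), ca, crl))
}
```

Go's crypto/x509 performs the chain and validity-period checks inside Verify; the CRL signature and freshness checks are spelled out in Validate because a CRL that is forged, unsigned or stale must not be allowed to vouch for a certificate. In production the CRL would be fetched from the distribution point named in the certificate, or an OCSP responder queried for the same answer.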
Some of the many benefits of implementing a PKI include:
> A single credential (certificate) per user which can be used for multiple processes and applications,
in lieu of having multiple usernames and passwords. This is a significant administration benefit as user
groups grow.
> Use of digital signatures to provide a persistent and auditable record of transactions.
> The same PKI investment can also be used to secure site-to-site connections, extranets, server-to-server
communications, device authentication, etc.
> Digital certificates, either on smart cards, tokens or the desktop, can use a strong passphrase to
protect access to the private key/certificate itself. Although a passphrase is still involved, this differs
clearly from the standard weaknesses associated with passwords in general. Not only
would someone have to guess the passphrase, but the certificate must be present, valid and not
revoked. Organizations can also mandate ‘two-factor’ authentication to unlock access to the
certificate (e.g. use USB token + passphrase).
> Social engineering attacks to find passwords are a major issue for corporations. With PKI, support
administrators may suspend your certificate while an issue is resolved, but they will not have the right
to revoke/access your passphrase. Certificate revocation is a central PKI function and the authorized
security system operators are the only people that can do this.
> Another common password attack is through brute force on a central password repository where
hackers can compromise a large number of user accounts. These active attacks are often perpetrated
by internal parties. With PKI, there is no central password/passphrase repository. Once end users are
issued unique passphrases (e.g. through a PIN delivery mechanism such as a mailer, e-mail or SMS text),
there is no duplicate store. This prevents any single point of attack and preserves the integrity of the system.
Challenges of implementing PKI
Valid criticisms of PKI in the past have been:
1. It is often difficult and expensive to implement and manage in-house.
2. The time it takes to build, deploy and begin to see return on the investment.
3. Your staff has to integrate PKI into the portfolio of applications.
Until recently, organizations desiring to implement PKI were faced with two choices: they could build it, staff it, and operate
it themselves, or have somebody else build it, staff it, and operate it for them through a managed service. Both involved
capital expenditures for physically building infrastructure, perpetual license fees, changes to existing IT infrastructure, and
hardware and software purchases. Both involved undertaking projects that could last many months before benefits could
begin to be realized.
TC TrustCenter offers a new alternative – On-Demand PKI. Unlike traditional in-house PKI implementations or traditional
managed services, TC TrustCenter is the world’s first PKI platform that can be deployed across multiple clients in a web-based
Security as a Service model, enabling any sized enterprise to achieve PKI security in as little as 2 weeks with no capital costs,
hardware or network changes.
TC TrustCenter’s unique platform enables many organizations to share PKI without the need for additional dedicated hardware,
software, personnel and their related costs. TC TrustCenter was also designed to be highly configurable by each customer, so
they do not have to tradeoff functionality for cost. Additionally, On-Demand PKI is faster to install. Since all the enabling
infrastructure exists, On-Demand PKI is configurable and can be online within a few weeks.
While TC TrustCenter has addressed the first two adoption issues, the application vendor community has addressed the third.
The vast majority of today’s commercially available applications and infrastructure support PKI natively out-of-the-box,
dramatically reducing the need for in-house integration and further reducing the time to realize returns from a PKI investment.
The Financial Returns of Using PKI
Similar to any infrastructure, a PKI will not, in itself, deliver a return on investment – but the applications that benefit from
PKI will. The financial return will therefore be application-specific, company-specific and industry-specific. Organizations
can improve business performance and achieve significant efficiencies by securing common, everyday office applications
(such as Windows-based applications). The real benefits, however, lie in leveraging PKI technology with business-critical
applications; applications that play a core role in your company’s day-to-day business activity.
Public Key-enabled applications typically deliver business benefits within four high-level categories:
1. New Revenue Opportunities
The central issue to consider is the range of business processes that can be brought on-line with PKI (relative to the more
limited range available if ‘lesser’ security technologies are employed). There are many more applications than ever that are
now PKI-aware. The ability to exchange information securely over a public network opens up a vast array of digital business
opportunities not previously possible. One example is a 50-year-old organization in a very staid business that has dramatically expanded revenue opportunities for its members. The National Notary Association (NNA), established in 1957, added
an Electronic Notary Seal (ENS™) program to provide a digital certificate that confirms a notary’s commission to speed
submission of sensitive documents to financial institutions and help prevent forgeries. The ability to connect with all your
stakeholders over a ubiquitous network (the internet) securely and with mutual confidence is the key.
2. Cost Savings
Reducing internal costs also represents a key driver for implementing PKI. Cost-based financial returns are typically achieved
through some combination of the following:
> Cost Savings: The new or improved business process is less expensive.
> Cost Avoidance: The new or improved business process scales to higher levels.
> Efficiency: The new or improved business process saves time.
> Effectiveness: The new or improved business process increases productivity.
3. Compliance
Compliance generally refers to one of the following four categories: Regulatory, Partner, Customer, and Competitive.
> Regulatory Compliance: where failure to implement could mean fines, loss of revenues, jail terms, etc.
Examples of regulatory compliance include HIPAA regulations for the U.S. healthcare industry,
SAFE for Bio-Pharma industry, and HSPD-12 for the U.S. federal government.
> Partner Compliance: where failure to implement could mean losing your ability to participate with
a key partner or group of partners. Some examples would be the IdenTrust model for financial companies,
and the Federal Bridge cross-certification for the U.S. federal government.
> Customer Compliance: where failure to implement could mean the loss of a business relationship with a key
account. An example would be that in order to continue to be a supplier with a certain company, all contracts
renewed must implement technology, such as digital signatures of all invoices by a certain date.
> Competitive Compliance: where failure to implement could mean the loss of competitiveness.
4. Risk Mitigation
Risk mitigation investments should be focused on things that are worth protecting, such as high-value information and
high-value, or high-volume, transactions. Some examples would be any information that is related to generating revenue,
operational or administrative information, research, new product plans, marketing plans, customer databases, and any
information that must be protected by law (such as personnel and financial records).
Once the information component itself has been identified, companies must quantify the impact (or risk) of this data
being compromised in any way. For example:
> Productivity Loss: What would the financial impact be if a security breach caused a sustained disruption
of internal processes and communications?
> Monetary Loss: What would the financial impact be if there was a security-related corruption of an
accounting or financial system?
> Indirect Loss: What would the financial impact be if a security breach happened? Examples of this
could be the loss of potential sales, competitive advantage, negative publicity, goodwill and trust.
Indirect losses are among the most difficult to quantify but also among the most compelling in the
risk-mitigation category, especially for those businesses built on the fundamental foundation of “trust.”
> Legal Exposure: What would be the financial impact of failure to meet contractual milestones or meet
statutory regulations for the privacy of data?
Proven Success
Unlike other vendors of PKI, TC TrustCenter’s product offerings have been proven in the marketplace with a large range of
quality PKI deployments – covering numerous vertical markets and geographical regions. Some of the benefits of working
with TC TrustCenter for your On-Demand PKI deployment are:
> On-Demand PKI dramatically reduces set-up expenses, operating costs, and deployment time.
> Extensive deployment experience in a variety of automotive, financial, utility, service,
and healthcare industries.
> More than 10 years’ experience and 3,500 customers worldwide.
> TC TrustCenter has several Trusted Roots embedded in 99% of the world’s web browsers
(Internet Explorer, FireFox, Netscape, Opera, etc.).
> National and International accreditations: European Signature law,
German Digital Signature law, SISAC, and ETSI.
> On-Demand PKI that offers a “pay as you grow” pricing model.
Summary
Understanding your current and future business environment is key to making the correct decision with regard to enterprise
security. Easy alternatives are plentiful, but an enterprise must balance immediate challenges with broader initiatives and
current projects with emerging IT trends. Once this is understood, your security investment can be sustainable, productive,
and ultimately deliver a solid return on technology investment.
PKI has emerged as the best balance of strong security, commercial availability, and cost effectiveness. Time tested and
continuously improved since its commercial introduction in 1994, the introduction of TC TrustCenter’s On-Demand PKI
delivery model drives the cost down dramatically without sacrificing protection and guaranteed service levels.
Not unlike insurance, digital security has become a required expense in doing digital business. Also like insurance, if the
same coverage can be purchased for less with the same or better service, then it is the responsibility of those who control
security spending to investigate.
If PKI is the path for your organization, then you must ask yourself the best way to implement it. Today you have three choices:
1. Build and manage the PKI in-house
2. Use a traditional Managed Service PKI
3. On-Demand PKI with TC TrustCenter
In general, a managed PKI is more cost effective and easier to implement than an in-house solution, with over a 50%
difference in cost between in-house PKI and a traditional Managed PKI. The new On-Demand PKI model, however, drives
these costs down by an additional 50% for the same PKI functionality. When combined with a faster implementation time,
the ROI on PKI is dramatically altered in favor of the using organization. The implications are widespread. Companies who
could not previously afford PKI can now have the same security used by the world’s largest organizations. Customers can
get their system up and running more quickly, and “pay as they grow” rather than “paying up front”.
Another important detail to point out is that in-house deployments are most times established using a self-signed Root,
which is not trusted outside of their enterprise. So, in addition to the costs associated with establishing an in-house
deployment, when any company wants to communicate outside of their own organization these certificates will not be
trusted. However, using a trusted Root, such as TC TrustCenter’s, you can ensure securing of your certificates and transactions.
As a part of your investment decision, we recommend a similar analysis be conducted using your projected number of
users and specific costing for your organization. A TC TrustCenter representative is prepared to assist.
Contact Us
About TC TrustCenter
TC TrustCenter GmbH, a wholly owned subsidiary of ChosenSecurity, Inc., is a leading specialist for certificates and security
solutions along the entire value chain of identity verification.
The portfolio includes web security services for the protection of e-commerce transactions, managed security services, and
complex PKI solutions including comprehensive consulting services. TC TrustCenter has experience in many national,
international and global projects in various industries for more than ten years. TC TrustCenter is an accredited certification
service provider according to German signature law, European signature law, IdenTrust and SISAC. For more information,
please visit www.trustcenter.de.
All rights reserved. No information or images, fully or partially, in any form or by any means, may be reproduced, copied,
duplicated, published or used in electronic systems or translations without the prior written consent of TC TrustCenter.
This represents a crime, excluding printing and duplicating for one's own use.
All information in this document is compiled with great care. Neither TC TrustCenter nor the author is liable for any damages
that may occur in connection with the use of this document.
All brands, product names and trademarks used in this document, are trademarks or service marks of the respective owners.
Copyright © 2007 TC TrustCenter GmbH, Sonninstrasse 24 - 28, 20097 Hamburg, Germany. All rights reserved