Time to get Secure
Are we moving toward paperless legal transactions? If recent events are any
indication, this sure seems to be the case. SafeScrypt, a company promoted by
Satyam Infoway and an affiliate of VeriSign, was awarded India’s first digital
signature certificate in February 2002. This marked India’s entry into the age
of secure electronic transactions. Digital signatures are the backbone on which
digital contracts rest.

Enterprises were watching these events closely. While many had been educated
about the benefits of adopting digital certificates and a public key
infrastructure (PKI) architecture, most were still unsure about the procedural
aspects involved.

Confidence needs to be built
Although electronic mail has replaced paper-based communications in most
cases, sensitive documents are still sent the old-fashioned way for greater
security. Digital signature-based messaging allows sensitive documents to be
sent by e-mail, eliminating the processing costs, mailing costs, and the time
delays which are inevitable with traditional snail mail.

A must for organizations
Ten procedural aspects that CIOs need to consider before opting for
digital certificate deployment

While the procedural steps would vary to some extent depending upon the
organization type, there are a few concepts that are common.

1. Inventory the transactions that can benefit from the use of digital
   certificates. This could include employee sign-on, workflow,
   procurement, etc.
2. Identify the applications and technology that currently facilitate
   these transactions.
3. Identify which applications and technologies are readily integrated
   with digital certificates.
4. Quantify the risk associated with each transaction category.
5. Based on the above information, determine whether to rely on an external
   third-party CA or to create one’s own certification authority.
6. If an external CA is being considered, review its PKI framework. The
   more tightly the private key is protected and the more widely the public
   key is distributed, the better it is from the point of view of PKI.
   Compliance with standards is a must.
7. There needs to be the necessary framework to create the certificate
   policies and the certificate practice statements. Different tiers/
   types of certificates need to be associated with each transaction
   type.
8. Adopt a scalable PKI, since future requirements also need to be met.
9. The decision to go for a digital signature should be based on an ROI
   model and not on security concerns alone. To customize the ROI
   analysis for an enterprise, it is necessary to determine the number
   of users expected for the PKI applications and also the time frame
   in terms of payoff. If the ROI model for an organization suggests
   substantial cost savings, then the next step of selecting the right
   technology and the right vendor should be taken.
10. Client software: When evaluating digital signature technology it is
    important to understand to what extent client software is involved
    in the solution. Is the PKI solution flexible enough to operate with
    a thin client, or no client, if desired?

Digital certificates can enable one to build the same level of confidence in
digital transactions that one would usually associate with physical
transactions. This would include the issues of privacy, integrity,
non-repudiation, and authenticity.

The key benefit for a CIO in adopting a digital certificate would be to
ensure the security of the enterprise’s data and communications. According to
Surendra Singh, country manager, RSA Security, digital certificates would be
central to two major transitions every enterprise either has begun to make or
will make in the next few years. These include the transition from paper-based
to completely electronic business processes such as electronic mail, electronic
file storage, and electronic contracting with digital signatures. The second
would be bridging the gap due to geographical distance via Internet integration
and allowing remote employees, customers, and vendors to exchange data with the
internal corporate network.

Procedural issues
While there has been only one certifying authority (CA) so far, a number of
other CAs are coming up, including the National Informatics Centre (NIC) and
the Institute for Development and Research in Banking Technology (IDRBT, a
subsidiary of RBI). Other aspirants include MTNL, which is being advised by
PricewaterhouseCoopers (PwC). With multiple CAs, one question that could be
asked is which CA an organization should go in for, and whether there would be
issues between them. Neel Ratan, Partner, Global Risk Management Solutions, PwC,
feels that ultimately it would be business needs that drive different CAs into
entering into cross-certification agreements. The process of
cross-certification, however, is not automatic as of now. International CAs can
also cross-certify to ensure international coverage. For example, a
multinational bank with operations across different countries would need
cross-certification so that certificates issued in one country are trusted in
the others.

Digital Certificates
A digital certificate is an assurance provided by a third party (called a Certification Authority) that a public key does indeed belong to the purported owner. Thus it binds an identity to the public key. The identity, or subject name, may be that of a person, corporation, or some other entity such as a web server. The certificate contains, among other fields, a serial number, the subject name, the subject’s public key, and the issuer’s name. The issuer, or Certificate Authority, digitally signs the certificate to provide integrity protection and assurance that the certificate is authentic.
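The sidebar above describes what a certificate is: a serial number, a subject name and the subject’s public key, all signed by the issuing CA so that the binding of name to key cannot be altered undetected. It also touches, in the "Procedural issues" section, on the question of which CA an organization trusts. The following Go program, added here as an illustration and not code from the article or any vendor it mentions, builds exactly that structure with the standard library’s crypto/x509 package: a constructed self-signed "Enterprise Root CA", a user certificate issued under it, and three checks a relying party would perform. All names, serial numbers and validity periods are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair; the public half is what a certificate binds to a name.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// makeCA builds a self-signed CA certificate: issuer and subject are the same entity.
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed serial
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue has the CA sign a certificate that binds subject (an identity) to pub (a public key).
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string, pub *ecdsa.PublicKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsTo reports whether cert validates (signature, validity period, key usage)
// against the given trust anchors, the way a relying party would check it.
func chainsTo(cert *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Outcome collects the fields and checks from Demo so they can be inspected or tested.
type Outcome struct {
	Subject, Issuer  string
	Serial           int64
	Trusted          bool // leaf accepted under the CA that issued it
	TamperedTrusted  bool // leaf with an altered subject name still accepted (must be false)
	ForeignCATrusted bool // leaf accepted under an unrelated CA (must be false)
}

// Demo issues a user certificate and exercises the three checks described in the lead-in.
func Demo() (Outcome, error) {
	var out Outcome
	ca, caKey, err := makeCA("Enterprise Root CA (constructed)")
	if err != nil {
		return out, err
	}
	other, _, err := makeCA("Unrelated CA (constructed)")
	if err != nil {
		return out, err
	}
	userKey, err := newKey()
	if err != nil {
		return out, err
	}
	leaf, err := issue(ca, caKey, "employee-0042", &userKey.PublicKey, 4242)
	if err != nil {
		return out, err
	}
	out.Subject, out.Issuer, out.Serial = leaf.Subject.CommonName, leaf.Issuer.CommonName, leaf.SerialNumber.Int64()
	out.Trusted = chainsTo(leaf, ca)
	out.ForeignCATrusted = chainsTo(leaf, other) // a CA we never cross-certified with cannot vouch for this leaf

	// Tamper with the subject name inside the signed bytes. The DER still parses (same length),
	// but the CA's signature no longer covers these bytes, so verification must fail.
	raw := bytes.Replace(leaf.Raw, []byte("employee-0042"), []byte("employee-0043"), 1)
	tampered, err := x509.ParseCertificate(raw)
	if err != nil {
		return out, err
	}
	out.TamperedTrusted = chainsTo(tampered, ca)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Run it with `go run .`; Trusted should be true and both TamperedTrusted and ForeignCATrusted false. The last check is the practical side of the cross-certification discussion: a certificate is only as useful as the set of relying parties whose trust anchors chain to its issuer, which is why an organization choosing among several CAs has to ask who will accept the certificates it issues or receives.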

For an enterprise that has decided to go in for deploying digital
certificates, the key issue would be to identify applications that can be PKI
enabled. The broad framework would involve need-based assessment, vendor
identification, and implementation. This would involve the integration of the
system with existing applications. The time taken to implement this is generally
from two to eight weeks and would depend on the nature of the application.

"Defining the level of control to be exercised is very important,"
according to Rajeev Wadhwa, COO, Global Esecure. If a high degree of control is
required the organization would go in for an internal or insourced CA model. In
case of an external CA being chosen, it would be important to review their PKI
framework and make sure that they have performed the task with due diligence.

ROI analysis is also an important element while considering deployment. For
this one has to determine the number of users in terms of PKI applications and
the time frame in which the payoff of the technology investment would take
place. Issues such as scalability, and the ease of use would also need to be
considered.

The challenges ahead
The CIO would face some challenges during deployment. Finding the right
applications, changing certain aspects of management, and finding skilled
personnel would be the major ones. According to Rohit Ghai, CTO, Computer
Associates, "One of the biggest challenges is the fact that many of the
applications are not PKI and digital certificate enabled. This itself has a
great dampening effect." However, there are SSO (single sign-on) type
technologies that can create a wrapper authentication layer around such
applications to mitigate this problem. The other hurdle is the lack of expertise
in both the technical and the techno-legal areas. If the implementation is
for a transaction-intensive environment, scalability issues can often haunt the
adopter of PKI, both in terms of storing a large number of certificates and of
enabling transactions to proceed in a reasonable time frame.

The Indian market is nascent as of now. Most experts feel that it would take
at least 18 to 24 months for the market to mature in terms of acceptance.
Adoption would occur through careful deliberation and smaller pilot projects
instead of a big-bang approach. Ghai points out, "Though the technology
holds a lot of promise, it also carries a lot of baggage in terms of the
due diligence required for a successful implementation." Banking, financial
services, insurance, and the government are expected to be among the early
adopters of digital certificates and PKI.

With the first CA now operational and the first digital signature certificate
issued, India has taken a definite step forward. Quicker adoption
would give the much-needed boost to e-commerce and help it realize its true
potential.

Amit Sarkar in New Delhi
