Time to get Secure

Are we moving toward paperless legal transactions? If recent events are any
indication, this sure seems to be the case. SafeScrypt, a company promoted by
Satyam Infoway and an affiliate of VeriSign, was awarded India’s first digital
signature certificate in February 2002. This marked India’s entry into the age
of secure electronic transactions. Digital signatures are the backbone on which
digital contracts rest.

Watching the events closely were enterprises. While many were educated
regarding the benefits of adopting digital certificates and public key
infrastructure (PKI) architecture, most others were unsure about the procedural
aspects of the same.

Confidence needs to be built

Although electronic mail has replaced paper-based communications in most
cases, sensitive documents are still sent the old-fashioned way for greater
security. Digital signature-based messaging allows sensitive documents to be
sent by e-mail, eliminating the processing costs, mailing costs, and the time
delays which are inevitable with traditional snail mail.

A must for organizations Ten procedural aspects that CIOs need to consider before opting for digital certificate deployment While the procedural steps would vary to some extent depending upon the organization type, there are a few concepts that are common. Inventory the transactions that can benefit from the use of digital certificates. This could include employee sign-on, workflow, procurement etc. Identify the applications and technology that currently facilitate these transactions. Identify which applications and technologies are readily integrated with digital certificates. Quantify the risk associated with each transaction category. Based on the above information determine whether to rely on an external third party CA or to create one’s own certification authority. If an external CA is being considered, review their PKI framework. The more private the private key and the more public the public key, the better it is from the point of view of PKI. Compliance with standards is a must. There needs to be the necessary framework to create the certificate policies and the certificate practice statements. Different tiers/ types of certificates need to be associated with each transaction type. Adopt a scalable PKI since future requirements also need to be met. The decision to go for a digital signature should be based on an ROI model and not just security concerns alone. To customize the ROI analysis for an enterprise, it is necessary to determine the number of users expected for the PKI applications and also the time frame in terms of payoff. If the ROI model for an organization suggests substantial cost savings, then the next step of selecting the right technology and right vendor should be taken. Client software: When evaluating digital signature technology it is important to understand to what extent client software is involved in the solution. Is the PKI solution flexible enough to operate with a thin or no client if desired?

Digital certificates can enable one to build the same level of confidence in
digital transactions that one would usually associate with physical
transactions. This would include the issues of privacy, integrity,
non-repudiation, and authenticity.

The key benefit for a CIO in adopting a digital certificate would be to
ensure the security of the enterprise’s data and communications. According to
Surendra Singh, country manager, RSA Security, digital certificates would be
central to two major transitions every enterprise either has begun to make or
will make in the next few years. These include the transition from paper-based
to completely electronic business processes such as electronic mail, electronic
file storage, and electronic contracting with digital signatures. The second
would be bridging the gap due to geographical distance via Internet integration
and allowing remote employees, customers, and vendors to exchange data with the
internal corporate network.

Procedural issues

While there has been one certifying authority (CA) around, there are a
number of other CAs coming up including National Informatics Center (NIC), and
the Institute for Development and Research in Banking Technology (IDRBT, a
subsidiary of RBI). Other aspirants include MTNL, which is being consulted by
PriceWaterhouseCooper (PwC). With multiple CAs one question that could be asked
is which CA should an organization go in for and would there be issues between
them. Neel Ratan, Partner, Global Risk Management Solutions, PwC feels that
ultimately it would be the business that would drive different CAs into entering
into agreements on cross-certification. The process of cross-certification
however, is not automatic as of now. International CAs can also cross certify to
ensure international coverage. For example, a multinational bank having
operations across different countries would need a cross certification to ensure
international coverage.

For an enterprise that has decided to go in for deploying digital
certificates, the key issue would be to identify applications that can be PKI
enabled. The broad framework would involve need-based assessment, vendor
identification, and implementation. This would involve the integration of the
system with existing applications. The time taken to implement this is generally
from two to eight weeks and would depend on the nature of the application.

"Defining the level of control to be exercised is very important,"
according to Rajeev Wadhwa, COO, Global Esecure. If a high degree of control is
required the organization would go in for an internal or insourced CA model. In
case of an external CA being chosen, it would be important to review their PKI
framework and make sure that they have performed the task with due diligence.

ROI analysis is also an important element while considering deployment. For
this one has to determine the number of users in terms of PKI applications and
the time frame in which the payoff of the technology investment would take
place. Issues such as scalability, and the ease of use would also need to be
considered.

The challenges ahead

The CIO would face some challenges during deployment. Finding the right
applications, changing certain aspects of management and finding skilled
personnel would be the major ones. According to Rohit Ghai, CTO, Computer
Associates," One of the biggest challenges is the fact that many of the
applications are not PKI and digital certificate enabled. This itself has a
great dampening effect." However, there are SSO (single sign on) type
technologies that can create a wrapper authentication layer around such
applications to mitigate this problem. The other hurdle is the lack of expertise
in both the technical as well as the techno-legal area. If the implementation is
for a transaction intensive environment, scalability issues can often haunt the
adopter of PKI. This is both in terms of being able to store a large number of
certificates but also to enable the transactions to proceed in a reasonable
time-frame.

The Indian market is nascent as of now. Most experts feel that it would take
at least 18 to 24 months for the market to mature in terms of acceptance.
Adoption would occur through careful deliberation and smaller pilot projects
instead of a big bang approach. Ghai points out," Though the technology
holds a lot of promise, it also carries a lot of baggage in terms of the
due-diligence required for a successful implementation. Banking, financial
services, insurance, and the government are expected to be among the early
adopters of digital certificates and PKI.

With the first CA now operational and the first digital signature certificate
having been issued–India has taken a definite step forward. Quicker adoption
would give the much-needed boost to e-commerce and help it realize its true
potential!

Amit Sarkar in New Delhi