
Making Digital Security a Reality With PKI Nicholas A. Davis, UW-Madison November 28, 2006


Presentation Transcript


  1. Making Digital Security a Reality With PKI Nicholas A. Davis, UW-Madison November 28, 2006

  2. Overview • PKI 101 – Intro to digital certificates • History of PKI at UW-Madison • UW-Madison IT environment • Why UW-Madison is interested in PKI • PKI cost and model comparison • What it all actually looks like in reality • Our experience so far and our future plans • Universal truths • What we have learned • Final thoughts • How to get started today! • Questions

  3. Public Key Infrastructure (PKI) 101 • PKI = System to manage digital certificates • Digital Passport • Digital key to unlock encrypted Data • Digital pen to sign

  4. PKI 101 (Continued) • Digitally sign Microsoft Office documents, spreadsheets, email, PDF files, etc. • Encrypt email in transit and storage, end to end • Authenticate with a much stronger credential than username & password

  5. History of PKI at UW-Madison • October 2000 – UW-Madison and Dartmouth get together • June 2004 – Requirements gathering • May 2005 – Geotrust selected

  6. UW-Madison IT Landscape • Faculty, Staff, Students • Highly decentralized • Public institution • Research driven environment

  7. Communities Served by UW-Madison AuthNZ: It's Not Just About Us Anymore

  8. Why the UW-Madison is interested in digital security solutions • Threat of identity theft (Authentication) – Alice and Bob story • More university businesses conducted via the Internet (encryption) • Non-repudiation (signing)

  9. Up Front Development Costs • Gartner Group estimates that the average commercial PKI system costs $1 million to implement • 80% of PKI systems never get beyond “pilot” status • Our estimated first year costs are substantially less than this

  10. PKI Models Under Consideration • In-House Commercial • In-House Open Source • Co-managed

  11. Time to Implement • What drives it: feature set; cost of establishing sandbox, QA and production environments; hardware acquisition; writing the Certificate Policy (CP) and Certification Practice Statement (CPS) • Estimates: Open Source, 12 months • In-House Commercial, 9 months • Co-Managed Commercial, 1 month

  12. Annual Cost Summary

  13. Geotrust Selected as UW-Madison PKI • Lower upfront fixed costs • Lower 10 year costs • Faster road to implementation • Trusted Root • Off Site Key Escrow • Automated certificate delivery • UW-Madison common look and feel • No long term lock in

  14. No Trusted Root With Open Source • A self-signed in-house root that client software does not already trust means distrust both within and outside our core universe

  15. Certificate Storage • Aladdin eToken • USB-based for ease of integration • Excellent customer support • Enhanced platform support

  16. What does it actually look like in practice? (sending)

  17. What does it actually look like in practice? (unlocking my private key, sending)

  18. What does it actually look like in practice? (receiving, decrypted)

  19. Digitally Signed and Verified, Encrypted

  20. What does it actually look like in practice? (receiving, intercepted)

  21. The look of UW-Madison digital certificates

  22. Feature Set: Trusted Root • Seamless trust lets us play globally via the Equifax Secure eBusiness CA1

  23. Feature Set: Key Escrow • Is Big Brother watching? Who do the keys belong to anyway?

  24. Feature Set: Distance Users (Co-Managed) • All the user needs is a web browser in order to get their certificate

  25. Our Experience So Far Customers appreciate: • Automated certificate delivery • Trusted Root • Key Escrow Uses: • Using certificates for digital signing • Using certificates for encrypted email • Digital signing of mass email to campus

  26. So Now What? • Digital certificate management model proven • Low hanging digital fruit has been harvested • Is it time for me to retire?

  27. Leveraging Our Existing System • The UW-Madison PKI is in place today for signing and encryption • Encourage others to change their way of doing business • Integration with our current WebISO for authentication

  28. Example of Business Process Change • UW-Madison Police and Security • Building access: New centralized system • Same historically weak business processes • FERPA issues • PKI to the rescue! • 110 new users

  29. Universal Truths • People are not interested in vaporware to solve their problems • Administrative controls don’t work • If you don’t trust anyone, nobody will trust you. You have to play by the rules, even if you don’t like them

  30. The Secret is Evolution, Not Revolution Revolutions are bloody! Evolution lets you gain immediate benefit today while planning for a better tomorrow without throwing away all your current systems

  31. Integration with WebISO: Easy Evolution • WebISO is an independent authentication module for web apps • Currently username and password enabled • Easily converts to digital certificate based authentication without requiring a rewrite of all applications

  32. But What About SecurID? • SecurID = One Time Password authentication device (OTP) • Great for authentication! • What else does it do? • Cost! • Vendor Lock-in! • Good point solution, but hardly forward thinking

  33. Critical Success Factors for the UW-Madison • A focus on customer requirements is of paramount importance • Financial lifecycle modeling for both the short and long term • Being careful not to reinvent the wheel simply for the sake of pride • Top-down support from the CIO's office

  34. What We Have Learned • A certificate is a certificate • What matters most is what your organization does with the certificate once it is issued • The challenge of implementing PKI is 30% technical and 70% user education, marketing and acceptance

  35. Final Thoughts • The key to success in a decentralized environment lies in motivating your users, not obligating your users • Whether you choose to build or buy, remember to keep it simple for the customers • Don’t spend time on duplication of effort

  36. “But We Are Different…..” • We all like to think we are different • Setup a content filtering device with 100 keywords on your outgoing email • Let me know what you discover • Ignorance is not an excuse for weak security practices

  37. Audience Question How is PKI similar to a Telephone network? The value of the system is proportional to the number of people who have a phone or a digital certificate!

  38. “It can happen to you, it can happen to me, it can happen to everyone eventually…..”

  39. The First Taste is Free! Download a FREE email digital certificate: www.ascertia.com www.thawte.com Perform inter-institutional testing with your organization and UW-Madison! Digital certificates are inherently supported in: Outlook, Outlook Express, Thunderbird, Mail.app, Mulberry, Eudora 7.0

  40. Questions and Comments Nicholas Davis PKI Project Leader UW-Madison ndavis1@wisc.edu 608-262-3837 www.doit.wisc.edu/middleware/pki PLEASE PARTNER WITH US AS WE MOVE FORWARD WITH PKI!
-----BEGIN CERTIFICATE-----
MIIDLjCCApegAwIBAgICAdkwDQYJKoZIhvcNAQEFBQAwgYkxCzAJBgNVBAYTAlVT
MSswKQYDVQQKEyJEaXZpc2lvbiBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSMw
IQYDVQQLExpGYWN1bHR5IC0gU3RhZmYgLSBTdHVkZW50czEoMCYGA1UEAxMfVW5p
dmVyc2l0eSBvZiBXaXNjb25zaW4tTWFkaXNvbjAeFw0wNjA5MDYxNjUzMjJaFw0w
NzA5MDYxNjUzMjJaMIG8MQswCQYDVQQGEwJVUzESMBAGA1UECBMJV2lzY29uc2lu
MRAwDgYDVQQHEwdNYWRpc29uMSgwJgYDVQQKEx9Vbml2ZXJzaXR5IG9mIFdpc2Nv
bnNpbi1NYWRpc29uMSMwIQYDVQQLExpGYWN1bHR5IC0gU3RhZmYgLSBTdHVkZW50
czEXMBUGA1UEAxMOTmljaG9sYXMgRGF2aXMxHzAdBgkqhkiG9w0BCQEWEG5kYXZp
czFAd2lzYy5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJECUO2/kNde
rq9BXL9c60k7glXKSilVTS2hWfI7OVrVVVpSdOOVwd2djZ4EfuuJTmvwMRWdnU3h
124gFZWO+LiDhLx+iLC1bCwVbvUJPyfjViqXMoKgUNx7NStt6YlntqxvNfzW5Lxq
NQ2VCu23AFqczmGxvX27M2VtSPg1oCWfAgMBAAGjcDBuMA4GA1UdDwEB/wQEAwIF
4DA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxz
L3dpc2NvbnNpbi5jcmwwHwYDVR0jBBgwFoAUHJ5SUhsEYkcsaywBuGnxqTcsIyQw
DQYJKoZIhvcNAQEFBQADgYEADgrwXFZyVWceIhbro0lR2NfdwqbkY1p1ywr9v8lf
JGUfZ0scAxaNfdfkXMHJvMK7MZCQ65vXEO9YwTFAfugXK+AAFot0HhNvWMwvBLqX
cYKps+A5VU9JnhNAKZJRIImiGCKjz2e+ZARm6fjTxheW5qJyJq30sbwukG/tsbXT
jnw=
-----END CERTIFICATE-----
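The certificate printed on slide 40 is a real X.509 v3 end-entity certificate, and it is a compact way to see what the "digital passport / key / pen" of slide 3 actually contains. The following is an added example, not code from the presentation or from UW-Madison: a minimal DER walker in stdlib Python that decodes that PEM block and pulls out the issuer and subject names, validity window, keyUsage bits and CRL distribution point. The reader only handles single-byte tags and definite lengths, which is all this certificate uses; it does not verify the signature or build the chain to the Equifax root, so it is an inspection tool, not a validator.

```python
"""Added example: inspect the DER structure of the S/MIME certificate on slide 40
(stdlib only). Handles single-byte tags and definite lengths, which is all a
classic X.509 v3 certificate needs; it is not a general ASN.1 library."""
import base64
from datetime import datetime, timezone

# Copied from slide 40 of the transcript (the speaker's own certificate).
SLIDE_40_PEM = """-----BEGIN CERTIFICATE-----
MIIDLjCCApegAwIBAgICAdkwDQYJKoZIhvcNAQEFBQAwgYkxCzAJBgNVBAYTAlVT
MSswKQYDVQQKEyJEaXZpc2lvbiBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSMw
IQYDVQQLExpGYWN1bHR5IC0gU3RhZmYgLSBTdHVkZW50czEoMCYGA1UEAxMfVW5p
dmVyc2l0eSBvZiBXaXNjb25zaW4tTWFkaXNvbjAeFw0wNjA5MDYxNjUzMjJaFw0w
NzA5MDYxNjUzMjJaMIG8MQswCQYDVQQGEwJVUzESMBAGA1UECBMJV2lzY29uc2lu
MRAwDgYDVQQHEwdNYWRpc29uMSgwJgYDVQQKEx9Vbml2ZXJzaXR5IG9mIFdpc2Nv
bnNpbi1NYWRpc29uMSMwIQYDVQQLExpGYWN1bHR5IC0gU3RhZmYgLSBTdHVkZW50
czEXMBUGA1UEAxMOTmljaG9sYXMgRGF2aXMxHzAdBgkqhkiG9w0BCQEWEG5kYXZp
czFAd2lzYy5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJECUO2/kNde
rq9BXL9c60k7glXKSilVTS2hWfI7OVrVVVpSdOOVwd2djZ4EfuuJTmvwMRWdnU3h
124gFZWO+LiDhLx+iLC1bCwVbvUJPyfjViqXMoKgUNx7NStt6YlntqxvNfzW5Lxq
NQ2VCu23AFqczmGxvX27M2VtSPg1oCWfAgMBAAGjcDBuMA4GA1UdDwEB/wQEAwIF
4DA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxz
L3dpc2NvbnNpbi5jcmwwHwYDVR0jBBgwFoAUHJ5SUhsEYkcsaywBuGnxqTcsIyQw
DQYJKoZIhvcNAQEFBQADgYEADgrwXFZyVWceIhbro0lR2NfdwqbkY1p1ywr9v8lf
JGUfZ0scAxaNfdfkXMHJvMK7MZCQ65vXEO9YwTFAfugXK+AAFot0HhNvWMwvBLqX
cYKps+A5VU9JnhNAKZJRIImiGCKjz2e+ZARm6fjTxheW5qJyJq30sbwukG/tsbXT
jnw=
-----END CERTIFICATE-----"""

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed element's contents into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def decode_name(value):
    """X.501 Name: SEQUENCE OF SET OF { OID, string } -> list of (attr, text)."""
    out = []
    for _, rdn in children(value):
        for _, atv in children(rdn):
            (_, oid), (tag, text) = children(atv)
            enc = "utf-16-be" if tag == 0x1E else "utf-8"   # BMPString vs Printable/IA5/UTF8
            out.append((OID_NAMES.get(decode_oid(oid), decode_oid(oid)), text.decode(enc)))
    return out


def decode_utctime(raw):
    """UTCTime 'YYMMDDhhmmssZ'; per RFC 5280, YY >= 50 means 19YY, otherwise 20YY."""
    s = raw.decode("ascii")
    year = int(s[:2]) + (1900 if int(s[:2]) >= 50 else 2000)
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


def parse_certificate(pem):
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    _, cert, _ = read_tlv(base64.b64decode(body))
    (_, tbs), (_, sig_alg), _signature = children(cert)
    fields, version = children(tbs), 1
    if fields[0][0] == 0xA0:                # EXPLICIT [0] Version (absent for v1)
        version, fields = children(fields[0][1])[0][1][0] + 1, fields[1:]
    (_, serial), _alg, (_, issuer), (_, validity), (_, subject), _spki = fields[:6]
    not_before, not_after = (decode_utctime(v) for _, v in children(validity))
    info = {"version": version, "serial": int.from_bytes(serial, "big"),
            "signature_algorithm": OID_NAMES.get(decode_oid(children(sig_alg)[0][1]), "?"),
            "issuer": decode_name(issuer), "subject": decode_name(subject),
            "not_before": not_before, "not_after": not_after, "key_usage": [], "crl_urls": []}
    for tag, wrapper in fields[6:]:
        if tag != 0xA3:                     # EXPLICIT [3] Extensions -> SEQUENCE OF Extension
            continue
        for _, ext in children(children(wrapper)[0][1]):
            parts = children(ext)           # OID, optional critical BOOLEAN, OCTET STRING
            oid, octets = decode_oid(parts[0][1]), parts[-1][1]
            if oid == "2.5.29.15":          # keyUsage: BIT STRING, first byte = unused bits
                bits = read_tlv(octets)[1][1:]
                flags, width = int.from_bytes(bits, "big"), 8 * len(bits)
                info["key_usage"] = [n for i, n in enumerate(KEY_USAGE_BITS)
                                     if i < width and flags >> (width - 1 - i) & 1]
            elif oid == "2.5.29.31":        # cRLDistributionPoints -> [0] fullName -> [6] URI
                for _, dp in children(read_tlv(octets)[1]):
                    for t1, dpn in children(dp):
                        for t2, names in (children(dpn) if t1 == 0xA0 else []):
                            for t3, gn in (children(names) if t2 == 0xA0 else []):
                                if t3 == 0x86:
                                    info["crl_urls"].append(gn.decode("ascii"))
    return info


def certificate_status(info, when=None):
    """'valid', 'not yet valid' or 'expired' relative to `when` (default: now, UTC)."""
    when = when or datetime.now(timezone.utc)
    if when < info["not_before"]:
        return "not yet valid"
    return "expired" if when > info["not_after"] else "valid"


if __name__ == "__main__":
    c = parse_certificate(SLIDE_40_PEM)
    print("subject :", ", ".join(f"{k}={v}" for k, v in c["subject"]))
    print("issuer  :", ", ".join(f"{k}={v}" for k, v in c["issuer"]))
    print("valid   :", c["not_before"].date(), "to", c["not_after"].date(), "->", certificate_status(c))
    print("keyUsage:", c["key_usage"], "| CRL:", c["crl_urls"])
```

Reading the output against the talk: the critical keyUsage extension carries exactly digitalSignature, nonRepudiation and keyEncipherment, which is the "pen to sign" and "key to unlock" of slide 3 expressed as bits, and the CRL distribution point names the GeoTrust-hosted list where revocation of this one-year certificate would have been published. The certificate was valid from September 2006 to September 2007, so `certificate_status` reports it expired today. A relying party does more than this example: it checks the signature with the issuer's public key, walks the chain up to a root it already trusts (the Equifax root of slide 22), and consults that CRL; absent any one of those steps the fields above are just claims.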
