Traditionally enterprises have been spending a significant amount of their resources securing the network perimeter, deploying security systems like Firewalls, Intrusion Detection systems, AntiVirus software to protect its information assets from external threats, while little realizing that information assets are just as vulnerable from within an organization. Quite a few surveys have recently cited that threats of a security breach over the Internal Systems are as high as external threats. These breaches could be on account of reasons like – discontented, reckless and greedy employees or even disgruntled former workers. They all can be bigger threats than the mysterious hacker from outside. Also as more companies outsource portions of their business or extend the network/corporate resources, vital company information can easily fall into the wrong hands. If one has to build adequate safeguards to protect these digital assets, the key is to build “Trust” around these systems.
When we talk about Trust, what we essentially mean is how do we transact with faceless individuals literally sitting across the two ends of the wire. In this regard some of the crucial concerns are:
- How do we know whether the person or entity we are dealing with is indeed who he or she claims to be?
- How can we be sure that the information we sent across has indeed gone without someone else taking a look at it?
- How do we know that the data we received has not been altered mid-way?
- What if the person we transacted with went back on his word? Do we have proof?
In the physical world we use and associate the signature of a person to establish identity and credibility of the individual, but what happens in the electronic world? Coupled with this concern is another dimension of the law – what is the legal validity and sanctity of an electronic transaction in any court of law?
Therefore, “creating trust” in an e-environment involves assuring the transacting entities about the integrity and confidentiality of the transaction along with authentication of the sending and receiving entities such that both entities cannot repudiate the transaction.
The enabling technology to achieve this Trust is PKI (Public Key Infrastructure).
The Indian IT Act 2000 enables individuals to use a Digital Signature in place of a physical signature that enjoys evidentiary status in the Indian courts of law. This landmark IT act has in fact created history of sorts & catapulted India into that small band of nations that have a Digital Signature Legislation.
Very Simply put, a Digital Signature Certificate is like an “electronic passport”. It is an individual’s identity on the net that uniquely identifies him or her. For a Digital Signature to enjoy this legal status, it has to be issued by a licensed Certifying Authority or CA. Certifying Authorities are awarded licenses by the Controller of CA (CCA), under the Central Government. after ensuring that the licensee fulfils the stringent criteria laid down in the IT Act. Being in the business of trust, the licensee has to follow some very rigorous security guidelines (as per the IT Act 2000) pertaining to infrastructure, technology and people, to qualify as a CA.
Once an individual possesses a unique Digital Signature Certificate issued by a Certifying Authority, the individual can affix his or her unique digital signature on any electronic document communication and transcation.
What PKI can do?
PKI solutions can be used to secure a wide range of business-to-consumer (B2C) and business-to-business (B2B) applications over the Internet. Functioning as electronic credentials that identify parties online, Digital Signatures enable encrypted communications and enforce legal validity, thereby making them a vital component of online transactions in e-Commerce, financial services, supply-chain management, virtual private networks (VPN), as well as wireless and mobile commerce environments. PKI as we know today has evolved beyond the traditional offering of E-Security and is considered a basic enabler of new E-Business revenue streams.
Early in its life cycle PKI established itself with a clear value as compared to it’s immediate counterparts. Firewalls established the fortress for a corporation, of which intrusion detection served to enhance this capability. Antivirus protected hosts and desktops to the threat of infection. VPNs ensured secure communications over public networks. PKI stepped in to provide application level security, did away with the inherent weaknesses in IDs and passwords and linked the identity of users to their Internet hosts through digital certificates.
But PKI went further and crossed the boundaries of security by enabling a host of services, which were not previously enabled due to lack of enhanced security. Some of the unique services offered by digital signatures are –
- Digital Signing of electronic documents
- Electronic supply chain management
- Electronic (e)-Ordering & e-Procurement
- Online e-Government Services
These are only a few examples of new applications which were earlier not carried out over for the Internet but are now enabled as new services due to the enhanced security offered by PKI.
PKI – The Technology
PKI is one of the few technologies of today, which integrates the disciplines of Legal Practices & Information Technology. This results in several unique challenges in its deployment. To understand PKI one must appreciate the underlying concept of PKC (Public Key Cryptography). It would be safe to say that though PKI is not a technology at the forefront, Public Key Cryptographic Techniques are pretty much the building blocks for securing applications.
Public Key Cryptography
PKC is based on the principle of Public Private Key pairs i.e. what one key encrypts the other key decrypts. The private key as the name suggest is private to the user while the public key is the open. A user signs a piece of data with the private key to prove identity, integrity and non-repudiation where as the user uses the public key of the recipient to ensure privacy of data by encrypting the data with the public key. Extending this concept from users to devices and applications, public key cryptography forms the centerpiece to provide an all round e-security pertaining to Database Security, Channel Security or even Secure Access to remote applications.
Public Key Infrastructure
PKI is the infrastructure that is used to maintain the public and private key pairs for operations. Infrastructure is not just about hardware and software but includes a lot more, such as – Key Management, Security & Operations, Support Services, Application Integration and Consulting. For most organizations putting all this in place drives up the operational cost and hence it seems to be an expensive proposition. An alternative here is the Managed PKI Services model, which has by far been the most successful model worldwide for most PKI implementations. It just does not make business sense to invest in setting up a full-fledged PKI if an enterprise does not have a large number of users. To overcome the legal and technological obstacles, implementation of PKI solution can be performed in two fundamentally different approaches:
In this approach the customer purchases PKI software and hardware, which is used to deploy digital certificates to individuals. Dedicated staffs are responsible for defining their own certifying practices and policies for the creation and distribution of digital certificates throughout the corporate infrastructure. Companies perceive that this approach offers inherent “ownership” and flexibility. But typically this option requires a large upfront investment in both time and money.
This approach is analogous to the service provider market where the ownership of infrastructure lays with an external entity – in this case the Certifying Authority (CA). The CA is responsible for setting policy, managing information technology (IT) and owning liability of ownership on behalf of the customer. The advantage to the enterprise is control of their certificate issuance, co-branding and management, while moving the responsibility of maintenance, scalability and policy management to the back-end (commonly referred to as the processing center)
Some of the common factors that may be found in successful PKI deployments across the world are – PKI as a part of Government to Consumer Interface, Technology Specific Legislation prescribing the use of PKI, Effective drive and implementation mandates from Authorities and Preference of Outsourced PKI Service over the In-house PKI model.
The following table illustrates two supporting cases of PKI implementation – one for stock broking companies and another for export-import companies of India.
Stock Broking Companies
- Pain Area: Cumbersome process of sending out Contract notes to customers
- Business Requirement: Streamline the process and reduction of cost
- Solution: Electronic Identity for Authorized Signatories (who were signing physical contract notes and Application for signing these contract notes
- How it works: Authorised Signatories use their Digital Certificates to sign and issue Digitally Signed contract notes online
- Benefits: Dramatically reduces costs while enhancing security and client convenience
- Used by: 30 of the top 40 brokers in India (jointly developed product with NSE.IT) and ICICI Direct.com
Secure transactions for Export-Import companies with the DGFT
- Pain Area: Large community of Exporters & Importers to move online for transactions with DGFT – but security and repudiation considerations are paramount
- Business Requirement: Community of EXIM users to transact with DGFT using their portal application in a secure manner (authentication, integrity of data, confidentiality, non-repudiation)
- Solution: SAFE EXIM, Electronic Identity for community of users and Application to sign documents
- How it works: EXIM user purchases a copy of SafeEXIM – enrolls for a certificate which is issued on successful validation of the organisation. They use this certificate as credentials to access the DGFT portal application over the Internet and transacts and signs the document using digital certificate.
- Benefit: Since the DGFT was keen to derive benefits of this system – the EXIM community received an incentive in terms of fee waivers.