1 / 43

Overview

PKI Past, Present and Future at the UW Nicholas Davis, PKI Project Leader Eighth Annual Educause PKI Summit. Overview. History of PKI at UW-Madison UW-Madison IT environment Our PKI requirements Comparison of benefits we found in buy vs. build Our experience so far

oihane
Download Presentation

Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. PKI Past, Present and Future at the UWNicholas Davis, PKI Project LeaderEighth Annual Educause PKI Summit

  2. Overview • History of PKI at UW-Madison • UW-Madison IT environment • Our PKI requirements • Comparison of benefits we found in buy vs. build • Our experience so far • Integration with existing systems • Critical success factors • Summary of benefits • PKI goals for year two • Future considerations • What we have learned • Questions and comments

  3. History of PKI at UW-Madison • October 2000 Internet2 Public Key Infrastructure Lab established at UW-Madison. • 2001 Secure email pilot study

  4. History of PKI at UW-Madison • 2002 Provided certificates to Shibboleth testing community and participated in Federal Bridge pilot.

  5. History of PKI at UW-Madison • 2004 Campus requirements gathering initiative • Spring 2005 RFI review • August 2005 Geotrust selected

  6. How UW-Madison Differs From Peers • Faculty, Staff, Students • Highly decentralized • Public institution • Research driven environment

  7. Why the UW-Madison is interested in PKI • Threat of identity theft (strong 2-factor authentication) • More university businesses conducted via web / extranets through open community, across organizations • Privacy of information (encryption) • Authenticated communication (signing)

  8. UW-Madison Critical Solution Requirements • Ease of management • Ready integration into existing systems • Ease of adoption by end users • Scalability, flexibility, cost of ownership, accreditations…

  9. Core Requirements • Automated certificate delivery • Used for encryption, digital signing and potentially authentication • Off site key escrow • Transparency to end user • Global trust • Implementation within 6 months • Minimum “lock in” commitment

  10. Up Front Development Costs • Gartner Group estimates that the average commercial PKI system costs $1 million to implement • 80% of PKI systems never get beyond “pilot” status • Our estimated first year costs are substantially less than this

  11. Project Features • Time • Cost • Features • Quality

  12. PKI Systems Under Consideration • RFI solicited input from:

  13. PKI Models Under Consideration • In House (Commercial and Open Source) • Co-managed

  14. Time to Implement In House (Open Source) • To develop our desired feature set would require 2 full time programmers for 12 months • Cost of establishing sandbox, QA and production environments • Hardware acquisition: secure cage, network equipment, Certificate Authority, Registration Authority • CP and CPS statements would need to be written and reviewed by DoIT management and UW Legal • Estimated time to implement: 12 months

  15. Time to Implement In House (Commercial) • 1 FTE would be needed to act as Administrator • Need to establish sandbox, and QA environments. • Design logical and physical security infrastructure for secure CA and offsite key escrow • Purchase hardware, install software • Develop policy, CP and CPS • Estimated time to implement: 9 months

  16. Time to Implement Co-Managed • 1 FTE would be needed to act as Administrator • Upon completion of purchase contract, system would be immediately ready • No need to establish sandbox, and QA environments. • Estimated time to implement: 4 weeks

  17. Projected costs for an aggressive PKI rollout schedule Build (Open Source) Year 1 system costs 5000 users ~$50,000 2 FTE (salary and benefits) ~$200,000 Total Year 1 costs: ~$250,000 Year 2 and beyond (annual costs) 5000 users ~$0 2 FTE (salary and benefits) ~$200,000 Total annual costs ~$200,000 10 year cost ~$2,050,000

  18. Projected costs for an aggressive PKI rollout schedule Build (Commercial) Year 1 system costs 5000 users ~$200,000 1 FTE (salary and benefits) ~$100,000 Total Year 1 costs: ~$300,000 Year 2 and beyond ($40,000 maint.) 5000 users ~$0 1 FTE (salary and benefits) ~$100,000 Upgrades and maintenance ~$5000 Total annual costs ~$145,000 10 year cost ~$1,605,000

  19. Projected costs for an aggressive PKI rollout schedule Buy (Co-Managed) Year 1 System costs 5000 users ~$43,000 1 FTE (salary and benefits) ~$100,000 Total yearly costs = ~$143,000 Year 2 and beyond (annual contract) 5000 users ~$43,000 1 FTE (salary and benefits) ~$100,000 Total annual cost $143,000 10 year cost ~$1,430,000

  20. Annual Cost Summary

  21. Feature Set – No Trusted Root With Open Source Unsigned Root means distrust both within and outside our core universe

  22. Feature Set – Trusted Root -- Geotrust Seamless trust lets us play globally via the Equifax Secure eBusiness CA1

  23. Feature Set – Key Escrow -- Build Logistical, financial and political issues with building true off site key escrow

  24. Feature Set – Key Escrow – Co-Managed Keys are securely kept in Atlanta, GA

  25. Feature Set – Distance Users -- Build Logistical issues with getting certificates to users who are geographically distant.

  26. Feature Set – Distance Users – Co-Managed All the user needs is a web browser in order to get their certificate

  27. Service -- Build • Supporting a PKI in house would require dedicated staff to work on monitoring system health constantly

  28. Service – Co-Managed • True Credentials is constantly monitored, patched, upgraded and backed up by Geotrust at their operations center in Atlanta, GA

  29. Certificate Storage • Aladdin Etoken • USB based for ease of integration • Excellent customer support • Enhanced platform support

  30. Our Experience So Far Customers appreciate: • Automated certificate delivery • Trusted Root • Key Escrow Uses: • Using certificates for digital signing • Using certificates for encrypted email • Digital signing of mass email to campus

  31. Integration With Existing Systems • Easily scalable – Load users in CSV format in batch • Public keys are exportable to LDAP and University White Pages • CRL is automated via True Credentials system • Third party software available for high assurance server authentication

  32. So Now What? • Digital certificate management model proven • Low hanging digital fruit has been harvested • Is it time for me to retire?

  33. Leveraging Our Existing System • The UW-Madison PKI is in place today for signing and encryption • Encourage others to change their way of doing business • Integration with our current Web ISO for authentication

  34. Example of Business Process Change • UW-Madison Police and Security • Building access: New centralized system • Same historically weak business processes • FERPA issues • PKI to the rescue! • 110 new users

  35. Universal Truths • People are not interested in vaporware to solve their problems • Given equal cost, people will adopt the easiest solution to meet their needs • Price matters

  36. The Secret is Evolution, Not Revolution • Smooth transition using our existing Web-ISO to migrate towards strong authentication

  37. Critical Success factors for the UW-Madison • A focus on the customer requirements is of pinnacle importance • Financial lifecycle modeling for both short and long term • Being careful not to reinvent the wheel simply for the sake of pride • Top down support from the CIO’s office

  38. Summary Benefits of Buying • Lower upfront fixed costs • Lower 10 year costs • Faster road to implementation • Trusted Root • Off Site Key Escrow • Automated certificate delivery • UW-Madison common look and feel • No long term lock in

  39. Future Considerations • The beneficial cost argument may change if our user population grows dramatically • Widespread adoption of HEBCA may alter our reliance on a commercial pre-installed root

  40. What We Have Learned • A certificate is a certificate • What matters most is what your organization does with the certificate once it is issued • The challenge of implementing PKI is 30% technical and 70% user education, marketing and acceptance

  41. What We Have Learned • The key to success in a decentralized environment lies in motivating your users, not obligating your users • Whether you choose to build or buy, remember to keep it simple for the customers • Don’t spend time on duplication of effort

  42. Questions and Comments Nicholas Davis PKI Project Leader UW-Madison ndavis1@wisc.edu 608-262-3837 www.doit.wisc.edu/middleware/pki

More Related