430 likes | 558 Views
PKI Past, Present and Future at the UW Nicholas Davis, PKI Project Leader Eighth Annual Educause PKI Summit. Overview. History of PKI at UW-Madison UW-Madison IT environment Our PKI requirements Comparison of benefits we found in buy vs. build Our experience so far
E N D
PKI Past, Present and Future at the UWNicholas Davis, PKI Project LeaderEighth Annual Educause PKI Summit
Overview • History of PKI at UW-Madison • UW-Madison IT environment • Our PKI requirements • Comparison of benefits we found in buy vs. build • Our experience so far • Integration with existing systems • Critical success factors • Summary of benefits • PKI goals for year two • Future considerations • What we have learned • Questions and comments
History of PKI at UW-Madison • October 2000 Internet2 Public Key Infrastructure Lab established at UW-Madison. • 2001 Secure email pilot study
History of PKI at UW-Madison • 2002 Provided certificates to Shibboleth testing community and participated in Federal Bridge pilot.
History of PKI at UW-Madison • 2004 Campus requirements gathering initiative • Spring 2005 RFI review • August 2005 Geotrust selected
How UW-Madison Differs From Peers • Faculty, Staff, Students • Highly decentralized • Public institution • Research driven environment
Why the UW-Madison is interested in PKI • Threat of identity theft (strong 2-factor authentication) • More university businesses conducted via web / extranets through open community, across organizations • Privacy of information (encryption) • Authenticated communication (signing)
UW-Madison Critical Solution Requirements • Ease of management • Ready integration into existing systems • Ease of adoption by end users • Scalability, flexibility, cost of ownership, accreditations…
Core Requirements • Automated certificate delivery • Used for encryption, digital signing and potentially authentication • Off site key escrow • Transparency to end user • Global trust • Implementation within 6 months • Minimum “lock in” commitment
Up Front Development Costs • Gartner Group estimates that the average commercial PKI system costs $1 million to implement • 80% of PKI systems never get beyond “pilot” status • Our estimated first year costs are substantially less than this
Project Features • Time • Cost • Features • Quality
PKI Systems Under Consideration • RFI solicited input from:
PKI Models Under Consideration • In House (Commercial and Open Source) • Co-managed
Time to Implement In House (Open Source) • To develop our desired feature set would require 2 full time programmers for 12 months • Cost of establishing sandbox, QA and production environments • Hardware acquisition: secure cage, network equipment, Certificate Authority, Registration Authority • CP and CPS statements would need to be written and reviewed by DoIT management and UW Legal • Estimated time to implement: 12 months
Time to Implement In House (Commercial) • 1 FTE would be needed to act as Administrator • Need to establish sandbox, and QA environments. • Design logical and physical security infrastructure for secure CA and offsite key escrow • Purchase hardware, install software • Develop policy, CP and CPS • Estimated time to implement: 9 months
Time to Implement Co-Managed • 1 FTE would be needed to act as Administrator • Upon completion of purchase contract, system would be immediately ready • No need to establish sandbox, and QA environments. • Estimated time to implement: 4 weeks
Projected costs for an aggressive PKI rollout schedule Build (Open Source) Year 1 system costs 5000 users ~$50,000 2 FTE (salary and benefits) ~$200,000 Total Year 1 costs: ~$250,000 Year 2 and beyond (annual costs) 5000 users ~$0 2 FTE (salary and benefits) ~$200,000 Total annual costs ~$200,000 10 year cost ~$2,050,000
Projected costs for an aggressive PKI rollout schedule Build (Commercial) Year 1 system costs 5000 users ~$200,000 1 FTE (salary and benefits) ~$100,000 Total Year 1 costs: ~$300,000 Year 2 and beyond ($40,000 maint.) 5000 users ~$0 1 FTE (salary and benefits) ~$100,000 Upgrades and maintenance ~$5000 Total annual costs ~$145,000 10 year cost ~$1,605,000
Projected costs for an aggressive PKI rollout schedule Buy (Co-Managed) Year 1 System costs 5000 users ~$43,000 1 FTE (salary and benefits) ~$100,000 Total yearly costs = ~$143,000 Year 2 and beyond (annual contract) 5000 users ~$43,000 1 FTE (salary and benefits) ~$100,000 Total annual cost $143,000 10 year cost ~$1,430,000
Feature Set – No Trusted Root With Open Source Unsigned Root means distrust both within and outside our core universe
Feature Set – Trusted Root -- Geotrust Seamless trust lets us play globally via the Equifax Secure eBusiness CA1
Feature Set – Key Escrow -- Build Logistical, financial and political issues with building true off site key escrow
Feature Set – Key Escrow – Co-Managed Keys are securely kept in Atlanta, GA
Feature Set – Distance Users -- Build Logistical issues with getting certificates to users who are geographically distant.
Feature Set – Distance Users – Co-Managed All the user needs is a web browser in order to get their certificate
Service -- Build • Supporting a PKI in house would require dedicated staff to work on monitoring system health constantly
Service – Co-Managed • True Credentials is constantly monitored, patched, upgraded and backed up by Geotrust at their operations center in Atlanta, GA
Certificate Storage • Aladdin Etoken • USB based for ease of integration • Excellent customer support • Enhanced platform support
Our Experience So Far Customers appreciate: • Automated certificate delivery • Trusted Root • Key Escrow Uses: • Using certificates for digital signing • Using certificates for encrypted email • Digital signing of mass email to campus
Integration With Existing Systems • Easily scalable – Load users in CSV format in batch • Public keys are exportable to LDAP and University White Pages • CRL is automated via True Credentials system • Third party software available for high assurance server authentication
So Now What? • Digital certificate management model proven • Low hanging digital fruit has been harvested • Is it time for me to retire?
Leveraging Our Existing System • The UW-Madison PKI is in place today for signing and encryption • Encourage others to change their way of doing business • Integration with our current Web ISO for authentication
Example of Business Process Change • UW-Madison Police and Security • Building access: New centralized system • Same historically weak business processes • FERPA issues • PKI to the rescue! • 110 new users
Universal Truths • People are not interested in vaporware to solve their problems • Given equal cost, people will adopt the easiest solution to meet their needs • Price matters
The Secret is Evolution, Not Revolution • Smooth transition using our existing Web-ISO to migrate towards strong authentication
Critical Success factors for the UW-Madison • A focus on the customer requirements is of pinnacle importance • Financial lifecycle modeling for both short and long term • Being careful not to reinvent the wheel simply for the sake of pride • Top down support from the CIO’s office
Summary Benefits of Buying • Lower upfront fixed costs • Lower 10 year costs • Faster road to implementation • Trusted Root • Off Site Key Escrow • Automated certificate delivery • UW-Madison common look and feel • No long term lock in
Future Considerations • The beneficial cost argument may change if our user population grows dramatically • Widespread adoption of HEBCA may alter our reliance on a commercial pre-installed root
What We Have Learned • A certificate is a certificate • What matters most is what your organization does with the certificate once it is issued • The challenge of implementing PKI is 30% technical and 70% user education, marketing and acceptance
What We Have Learned • The key to success in a decentralized environment lies in motivating your users, not obligating your users • Whether you choose to build or buy, remember to keep it simple for the customers • Don’t spend time on duplication of effort
Questions and Comments Nicholas Davis PKI Project Leader UW-Madison ndavis1@wisc.edu 608-262-3837 www.doit.wisc.edu/middleware/pki