PKI Past, Present and Future at the UW Nicholas Davis, PKI Project Leader Eighth Annual Educause PKI Summit.

Presentation transcript:

Overview
- History of PKI at UW-Madison
- UW-Madison IT environment
- Our PKI requirements
- Comparison of benefits we found in buy vs. build
- Our experience so far
- Integration with existing systems
- Critical success factors
- Summary of benefits
- PKI goals for year two
- Future considerations
- What we have learned
- Questions and comments

History of PKI at UW-Madison
- October 2000: Internet2 Public Key Infrastructure Lab established at UW-Madison
- Secure pilot study

History of PKI at UW-Madison
- 2002: Provided certificates to the Shibboleth testing community and participated in the Federal Bridge pilot

History of PKI at UW-Madison
- 2004: Campus requirements gathering initiative
- Spring 2005: RFI review
- August 2005: Geotrust selected

How UW-Madison Differs From Peers
- Faculty, staff, students
- Highly decentralized
- Public institution
- Research-driven environment

Why UW-Madison Is Interested in PKI
- Threat of identity theft (strong two-factor authentication)
- More university business conducted via the web and extranets, in an open community and across organizations
- Privacy of information (encryption)
- Authenticated communication (signing)

UW-Madison Critical Solution Requirements
- Ease of management
- Ready integration into existing systems
- Ease of adoption by end users
- Scalability, flexibility, cost of ownership, accreditations, ...

Core Requirements
- Automated certificate delivery
- Certificates used for encryption, digital signing and potentially authentication
- Off-site key escrow
- Transparency to the end user
- Global trust
- Implementation within 6 months
- Minimum "lock-in" commitment

Up-Front Development Costs
- Gartner Group estimates that the average commercial PKI system costs $1 million to implement
- 80% of PKI systems never get beyond "pilot" status
- Our estimated first-year costs are substantially less than this

Project Features: Time, Cost, Features, Quality

PKI Systems Under Consideration RFI solicited input from:

PKI Models Under Consideration
- In-house (commercial and open source)
- Co-managed

Time to Implement: In-House (Open Source)
- Developing our desired feature set would require 2 full-time programmers for 12 months
- Cost of establishing sandbox, QA and production environments
- Hardware acquisition: secure cage, network equipment, Certificate Authority, Registration Authority
- CP and CPS statements would need to be written and reviewed by DoIT management and UW Legal
- Estimated time to implement: 12 months

Time to Implement: In-House (Commercial)
- 1 FTE would be needed to act as administrator
- Need to establish sandbox and QA environments
- Design the logical and physical security infrastructure for a secure CA and off-site key escrow
- Purchase hardware, install software
- Develop policy, CP and CPS
- Estimated time to implement: 9 months

Time to Implement: Co-Managed
- 1 FTE would be needed to act as administrator
- Upon completion of the purchase contract, the system would be immediately ready
- No need to establish sandbox and QA environments
- Estimated time to implement: 4 weeks

Projected Costs for an Aggressive PKI Rollout Schedule: Build (Open Source)
Year 1
- System costs, 5000 users: ~$50,000
- 2 FTE (salary and benefits): ~$200,000
- Total year 1 costs: ~$250,000
Year 2 and beyond (annual costs)
- 5000 users: ~$0
- 2 FTE (salary and benefits): ~$200,000
- Total annual costs: ~$200,000
10-year cost: ~$2,050,000

Projected Costs for an Aggressive PKI Rollout Schedule: Build (Commercial)
Year 1
- System costs, 5000 users: ~$200,000
- 1 FTE (salary and benefits): ~$100,000
- Total year 1 costs: ~$300,000
Year 2 and beyond
- 5000 users: ~$0
- Annual maintenance contract: ~$40,000
- 1 FTE (salary and benefits): ~$100,000
- Upgrades and maintenance: ~$5,000
- Total annual costs: ~$145,000
10-year cost: ~$1,605,000

Projected Costs for an Aggressive PKI Rollout Schedule: Buy (Co-Managed)
Year 1
- System costs, 5000 users: ~$43,000
- 1 FTE (salary and benefits): ~$100,000
- Total year 1 costs: ~$143,000
Year 2 and beyond (annual contract)
- 5000 users: ~$43,000
- 1 FTE (salary and benefits): ~$100,000
- Total annual costs: ~$143,000
10-year cost: ~$1,430,000

Annual Cost Summary

Feature Set: No Trusted Root With Open Source
- An unsigned (self-signed) root that no vendor pre-installs is distrusted by default, both within and outside our core community

Feature Set: Trusted Root (Geotrust)
- Chaining under the pre-installed Equifax Secure eBusiness CA1 root gives us seamless trust worldwide

Feature Set: Key Escrow (Build)
- Logistical, financial and political issues with building true off-site key escrow

Feature Set: Key Escrow (Co-Managed)
- Escrowed keys are held securely at Geotrust's operations center in Atlanta, GA
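What the two escrow slides describe can be made concrete in code. The following is an added example written for this page, not Geotrust's True Credentials escrow or any UW-Madison code; it uses only Go's standard library, a hypothetical record layout, and a constructed sample message. The user's encryption private key is sealed under a fresh AES-256-GCM key, and that key in turn is wrapped with RSA-OAEP to the escrow agent's public key, so the off-site copy is useless without the agent's private key; recovery with the agent's key is shown to decrypt mail sent to the user, and recovery with any other key is refused. The caveat a practitioner wants spelled out: only the encryption key belongs in escrow. A signing key that a third party can recover no longer gives non-repudiation, which is why a deployment that both signs and encrypts issues separate key pairs and escrows just one of them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// label ties the wrapped material to this purpose; the agent's key will not unwrap anything else.
var label = []byte("encryption-key-escrow-v1") // constructed value

// Record is the off-site escrow record (hypothetical layout, not the vendor's).
// Nothing in it is usable without the escrow agent's private key.
type Record struct {
	WrappedKEK []byte // fresh AES-256 key, RSA-OAEP encrypted to the agent
	Nonce      []byte // AES-GCM nonce for WrappedKey
	WrappedKey []byte // user's PKCS#8 encryption private key under the KEK
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Escrow packages a user's ENCRYPTION private key for the agent. Never pass a
// signing key here: a key a third party can recover gives no non-repudiation.
func Escrow(encKey *rsa.PrivateKey, agent *rsa.PublicKey) (*Record, error) {
	der, err := x509.MarshalPKCS8PrivateKey(encKey)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32+12) // AES-256 KEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	kek, nonce := buf[:32], buf[32:]
	blk, _ := aes.NewCipher(kek) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(blk) // AES block size: cannot fail
	wrappedKEK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agent, kek, label)
	if err != nil {
		return nil, err
	}
	return &Record{WrappedKEK: wrappedKEK, Nonce: nonce, WrappedKey: gcm.Seal(nil, nonce, der, label)}, nil
}

// Recover is the agent-side step, run only on an authorised request.
// A key other than the agent's, or a modified record, fails closed.
func Recover(rec *Record, agent *rsa.PrivateKey) (*rsa.PrivateKey, error) {
	kek, err := rsa.DecryptOAEP(sha256.New(), nil, agent, rec.WrappedKEK, label)
	if err != nil || len(kek) != 32 {
		return nil, errors.New("escrow: cannot unwrap KEK (not the agent's key?)")
	}
	blk, _ := aes.NewCipher(kek) // length checked above
	gcm, _ := cipher.NewGCM(blk)
	der, err := gcm.Open(nil, rec.Nonce, rec.WrappedKey, label)
	if err != nil {
		return nil, errors.New("escrow: record does not authenticate")
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	return key.(*rsa.PrivateKey), nil // GCM already proved this is the RSA key we sealed
}

func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	return k
}

// Demo walks the lifecycle: mail is encrypted to the user, the user's copy of the
// key is lost, the agent recovers it. Reports whether the recovered key reads the
// mail and whether a key other than the agent's is refused.
func Demo() (recovered, impostorRefused bool) {
	user, agent, impostor := genKey(), genKey(), genKey()
	msg := []byte("constructed S/MIME payload") // constructed sample input
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &user.PublicKey, msg, nil)
	must(err)
	rec, err := Escrow(user, &agent.PublicKey)
	must(err)
	got, err := Recover(rec, agent) // the user's own copy is gone; only rec remains
	must(err)
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, got, ct, nil)
	recovered = err == nil && bytes.Equal(pt, msg)
	_, err = Recover(rec, impostor)
	return recovered, err != nil
}
```

In a real service the agent's private key would itself sit in an HSM or be split among several custodians; the wrapping above is the same whichever way that key is held, and the recovery request is what needs the business-process controls the later slides talk about.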

Feature Set: Distance Users (Build)
- Logistical issues with getting certificates to users who are geographically distant

Feature Set: Distance Users (Co-Managed)
- All the user needs is a web browser in order to get their certificate

Service (Build)
- Supporting a PKI in house would require dedicated staff to monitor system health constantly

Service (Co-Managed)
- True Credentials is constantly monitored, patched, upgraded and backed up by Geotrust at their operations center in Atlanta, GA

Certificate Storage: Aladdin eToken
- USB-based for ease of integration
- Excellent customer support
- Enhanced platform support

Our Experience So Far
Customers appreciate:
- Automated certificate delivery
- Trusted root
- Key escrow
Uses:
- Certificates for digital signing
- Certificates for encrypted email
- Digital signing of mass email to campus

Integration With Existing Systems
- Easily scalable: load users in CSV format in batch
- Public keys (certificates) are exportable to LDAP and the University White Pages
- CRL publication is automated by the True Credentials system
- Third-party software is available for high-assurance server authentication
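An added example for two points above, the trusted-root comparison (an in-house self-signed root that no relying party has versus a UW sub-CA chained under a pre-installed commercial root) and the automated CRL mentioned in this slide. This is not the page's, Geotrust's or UW-Madison's code: it uses only Go's standard library (x509.ParseRevocationList and RevocationList.CheckSignatureFrom need Go 1.19 or later), every name is constructed, and the "Commercial Root CA" is generated locally to play the role the Equifax Secure eBusiness CA1 root plays in the real deployment. A relying party whose store holds only the commercial root validates the buy-model certificate and rejects the build-model one as an unknown authority; the sub-CA then publishes a CRL naming its leaf, and the checker accepts that CRL only after verifying the issuer's signature on it, so a CRL signed by some other key is rejected rather than believed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var nextSerial int64 = 1000

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a certificate for it signed by parent/parentKey; parent == nil means self-signed (a root).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign // may sign certificates and CRLs
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection} // S/MIME, as on the slides
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// trusts does what a mail client does: chain leaf through issuer to a root the relying party already holds.
func trusts(leaf, issuer *x509.Certificate, roots *x509.CertPool) error {
	inter := x509.NewCertPool()
	inter.AddCert(issuer)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}

// crlFor is the CA-side publication step the slides say the vendor automates.
func crlFor(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return crl
}

// isRevoked consults a CRL only after authenticating it against the issuer; an unverifiable CRL proves nothing.
func isRevoked(crl *x509.RevocationList, ca, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Run compares the two models against a store holding only the commercial root, then exercises revocation.
func Run() (buildErr, buyErr, forgedCRLErr error, buyRevoked bool) {
	publicRoot, rootKey := issue("Commercial Root CA", true, nil, nil) // constructed stand-in for the pre-installed root
	uwRoot, uwRootKey := issue("UW-Madison In-House Root", true, nil, nil) // build model: nobody ships this root
	buildLeaf, _ := issue("PKI Test User (build)", false, uwRoot, uwRootKey)
	uwSubCA, uwSubKey := issue("UW-Madison Sub-CA", true, publicRoot, rootKey) // buy model: chained under the commercial root
	buyLeaf, _ := issue("PKI Test User (buy)", false, uwSubCA, uwSubKey)
	roots := x509.NewCertPool()
	roots.AddCert(publicRoot)
	buildErr = trusts(buildLeaf, uwRoot, roots)
	buyErr = trusts(buyLeaf, uwSubCA, roots)
	buyRevoked, _ = isRevoked(crlFor(uwSubCA, uwSubKey, buyLeaf), uwSubCA, buyLeaf)
	_, forgedCRLErr = isRevoked(crlFor(uwRoot, uwRootKey, buyLeaf), uwSubCA, buyLeaf) // wrong-key CRL must be rejected
	return
}
```

The checker above stops at the signature; a production client should also refuse a CRL whose NextUpdate has passed and fetch a fresh one from the distribution point named in the certificate, which is the publication cycle the co-managed service takes care of.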

So Now What?
- Digital certificate management model proven
- Low-hanging digital fruit has been harvested
- Is it time for me to retire?

Leveraging Our Existing System
- The UW-Madison PKI is in place today for signing and encryption
- Encourage others to change their way of doing business
- Integration with our current Web-ISO for authentication

Example of Business Process Change: UW-Madison Police and Security
- Building access: new centralized system
- Same historically weak business processes
- FERPA issues
- PKI to the rescue! 110 new users

Universal Truths
- People are not interested in vaporware to solve their problems
- Given equal cost, people will adopt the easiest solution that meets their needs
- Price matters

The Secret Is Evolution, Not Revolution
- A smooth transition, using our existing Web-ISO, to migrate toward strong authentication

Critical Success Factors for UW-Madison
- A focus on customer requirements is of paramount importance
- Financial lifecycle modeling for both the short and the long term
- Being careful not to reinvent the wheel simply for the sake of pride
- Top-down support from the CIO's office

Summary: Benefits of Buying
- Lower up-front fixed costs
- Lower 10-year costs
- Faster road to implementation
- Trusted root
- Off-site key escrow
- Automated certificate delivery
- UW-Madison common look and feel
- No long-term lock-in

Future Considerations
- The cost argument in favor of buying may change if our user population grows dramatically
- Widespread adoption of HEBCA may alter our reliance on a commercial pre-installed root

What We Have Learned
- A certificate is a certificate
- What matters most is what your organization does with the certificate once it is issued
- The challenge of implementing PKI is 30% technical and 70% user education, marketing and acceptance

What We Have Learned
- The key to success in a decentralized environment lies in motivating your users, not obligating them
- Whether you choose to build or buy, remember to keep it simple for the customers
- Don't spend time on duplication of effort

Questions and Comments
Nicholas Davis, PKI Project Leader, UW-Madison