PKI In-Sourcing versus Outsourcing
A common question companies face when looking at implementing PKI systems is whether to insource or outsource their PKI operations.
This document provides some input into this debate. It assumes the basic knowledge of PKI concepts and terminology outlined in our What is PKI whitepaper.
The document starts by examining some of the more commonly used PKI outsourcing models – they vary widely. It then describes some of the arguments used both for and against adopting these models, before describing some of the issues in more detail. Finally, the appendix provides a list of issues that need to be considered in negotiating an agreement with any potential PKI outsourcer.
Discussion
Comparison of PKI Outsourcing Models
PKI outsourcing models can vary dramatically in their complexity. Some of the more commonly used models are outlined below:
- Certificate Vendor Model – The outsourcer can simply act as a certificate vendor, providing certificates from their PKI to order and performing all registration and identity checks. With this model, the outsourcer typically charges for certificate issue and accepts some liability if it can be shown the outsourcer was negligent in checking the subject’s identity before issuing the certificate. This is the model used by Verisign, Thawte and others to issue SSL certificates. Verisign also have a Gatekeeper accredited CA in Australia that offers ABNDSCs [1] under a similar model.
- Client Branded Outsourced PKI Model – The outsourcer uses a product (typically their own) to build and host part or all of a client’s PKI system. The PKI is branded as being the client’s own, but the client relies on the outsourcer’s expertise to operate it. Outsourcers typically make use of their existing hosting environment, which provides a (relatively) low establishment cost. Typically, outsourcers charge a setup fee to establish the system and then a click charge per certificate issued and sometimes also per OCSP [2] response. This model is used by VeriSign and others within Australia to provide branded PKIs to a number of smaller clients.
- Unbranded Outsourced PKI Model – The outsourcer builds a PKI system and offers certificates for sale to corporations who are willing to undertake their own registration checks. The certificates are generally not branded as being the client’s own and the client accepts liability for their use. Once again, outsourcers make use of their existing hosting environment to provide a (relatively) low establishment cost, and charge a setup fee and click charges for each certificate issued. This model is used by BankID to offer CA services to the banking industry.
Often hybrids of the above models are used. Regardless of the model adopted, certain issues need to be considered and agreed with the outsourcer. Appendix A lists a number of these issues.
Why Outsource a CA/RA?
The arguments for outsourcing vary depending on the outsourcing model that is employed.
Where only the CA is outsourced (for example, using the Unbranded Outsourced PKI model) the advantages can be summarised as follows:
- reduced need to train staff in vendor supplied products – the system is staffed by people who already have significant expertise in the product and familiarity with its idiosyncrasies
- as hosting centre staff generally manage a number of hosted systems, their work level is relatively constant and they are familiar with the day-to-day system and key management tasks, which means they should be less likely to make mistakes – this might not be the case where a system is hosted in-house
- less need to purchase dedicated infrastructure
- lower accreditation and assessment costs (the hosting environment should already have been assessed in line with federal government and industry requirements – so there should be no costs associated with this and ongoing reaccreditation costs are shared by all clients)
- reduced operational costs
- reduced setup costs [3] – the vendor is already familiar with what to do and will have documented procedures for establishing new CAs.
Where the outsourcer also accepts responsibility for registering certificate holders and undertaking liability checks, the following arguments also apply:
- liability for checking the identity of certificate holders rests with the outsourcer
- the cost of documenting, reviewing, training staff in, and ensuring standards compliance of, routine key management and day-to-day running processes and procedures is avoided
- the organisation may not need to hire the services of specially trained and/or vetted staff members [4] for key management tasks that normally occur very infrequently but may happen at any time
- deployment of all product upgrades and patches is provided as part of the service, and
- the service level is assured or penalty clauses apply – importantly, product vendors can’t argue that the reason the product isn’t working is related to the customer’s environment – or inability to use the solution.
It should be noted that in Castelain’s experience, the lion’s share of the cost in any PKI system is related to development of the RA function and not that of the CA. This is because:
- RA products typically require a lot of customisation work due to differences in the way clients register their staff and customers, and
- much of the cost in establishing a PKI relates to ensuring that the issue, revocation and renewal of the certificates can be made legally enforceable. It is not uncommon for 30%+ of the cost of a large PKI development to go on legal fees.
Why insource a CA/RA?
Arguments for insourcing can be summarised as follows:
- the client has complete control over the PKI operations and the key material
- there is no need for the CA to audit the operations of the outsourcer
- there is no need to negotiate a Service Level Agreement
- the CA can specify exactly when it wishes certain actions to occur
- many regulatory standards prohibit outsourcing of responsibility for security [5]
- the CA is not dependent on the financial wellbeing or business direction of an external vendor
- The importance of this point should not be underestimated. The risk of being unable to do business in the event that the outsourcer became insolvent, or suffered a major system failure, has led most government agencies and large corporations to reject outsourced models.
- the running costs of insourcing – especially where the organisation is already hosting other elements of cryptographic infrastructure – can be much lower
- insourcing allows a degree of system integration and/or CA/RA customisation that would be impossible with an outsourced CA – especially where the CA/RA work in an unusual way that is hard for the outsourcer to accommodate, and
- competitive advantage: improved security can be, and frequently is, a major selling point for organisations. This is especially true where the improved security afforded by PKI allows an organisation to provide a service that their competitors cannot risk offering.
- Using some outsourcing models, it can be impossible for the organisation investing in PKI (Organisation A) to prevent a competitor (Organisation B) using the PKI credentials issued by Organisation A to offer a competitive service to Organisation A’s clients.
How real are the Risks?
This section briefly explores some of the key risks and concerns associated with insourcing and outsourcing.
What if the software provider or outsourcer ceases trading?
Private sector companies can go broke. Within Australia, Verisign and Verizon (who recently acquired Cybertrust) are the main organisations offering outsourced PKI packages. Entrust have also started to offer PKI services in partnership with a hosting organisation.
Verisign and Verizon are both publicly listed companies, making their financial viability relatively easy to assess. While Castelain are in no position to assess either company’s solvency, it would appear that the chances of either organisation becoming insolvent are relatively small.
A more likely threat is that either company could be acquired, sell the business unit responsible for providing the PKI hosting service, adopt alternative products, or decide for commercial reasons to exit the hosting or CA product supply business. For example, Verisign’s business case for offering ABNDSC certificates may be somewhat tenuous as the uptake of ABNDSCs has been far lower than expected. This, in turn, has led to competitors (such as Telstra and PwC) exiting the market and making VeriSign’s clients more vulnerable.
VeriSign’s decision to refine its strategic direction and focus on core infrastructure (http://www.verisign.com/press_releases/pr/page_043088.html) also calls into question their ongoing support for CA hosting services.
If the CA software provided by the outsourcer is no longer supported, the client is forced to switch products. This is expensive and time consuming due to the cost and effort required for reintegration and testing. If, in the meantime, a software bug was preventing operation of the CA software, this could lead to a significant outage.
Traditional mitigations against this risk – such as holding the CA software source code in escrow – in fact provide very little real protection. The time taken to reverse engineer the code, read and comprehend documentation that would in all probability be out of date, and repair and test the code would be likely to exceed the time needed to switch products.
Were the outsourcer to cease trading there would also be the potential for serious disruption and reintegration costs. A service level agreement with sufficient penalty provisions would normally protect against an outsourcer wilfully exiting the business without warning, but this would not apply if the outsourcer had become insolvent.
The impact of Service Disruption
The impact of an outsourced CA or RA becoming unavailable depends on the nature of the PKI and what exactly has been outsourced. Where the “Certificate Vendor” model is employed [6], the immediate risk is that CRLs do not get updated. With no CRL available, a relying party would be forced to either honour the transaction and accept the risk that it has been signed with a compromised key, or cease trading.
Where the client registers their own certificate holders it is possible to mitigate this risk. Even if no CRL is available, the client can choose to continue trading because they know which certificates have been reported as compromised – provided the software used to log details of compromised certificates has not itself been outsourced.
The business impact to most organisations of not being able to renew or issue new certificates due to an outage is usually much lower, and would amount to inconvenience rather than a risk of financial loss.
Often this risk can be mitigated by proactively reissuing certificates due for renewal – well before their expiry date – or with a Disaster Recovery Plan allowing customers without valid certificates to transact using alternative means.
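The two mitigations described in this section – falling back to an in-house register of reported compromises when the outsourced CA’s CRL is stale or missing, and reissuing certificates well before expiry – can be expressed as a relying party’s acceptance policy. The following is an added illustration written for this document, not code from the whitepaper or from any CA product. Certificates, the CRL and the register are modelled as plain Python objects keyed by serial number, and all of the sample data is constructed, so it runs offline without a network connection or a cryptographic library.

```python
# Added example (not from the whitepaper or any vendor product): a relying
# party's revocation-check policy for the outage scenario discussed above.
# Certificates, the CRL and the in-house compromise register are modelled as
# plain Python objects keyed by serial number; all sample data is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    this_update: datetime
    next_update: datetime       # the CRL is stale once 'now' passes this
    revoked: frozenset          # serials the CA has revoked


@dataclass
class CompromiseRegister:
    """In-house log of serials that certificate holders have reported compromised.
    Only exists if registration (and this log) were kept in-house."""
    reported: set = field(default_factory=set)

    def report(self, serial: int) -> None:
        self.reported.add(serial)


def crl_is_fresh(crl: Optional[CRL], now: datetime) -> bool:
    """A CRL is usable only between its thisUpdate and nextUpdate times."""
    return crl is not None and crl.this_update <= now <= crl.next_update


def check_revocation(cert: Certificate, now: datetime, crl: Optional[CRL],
                     register: Optional[CompromiseRegister]) -> Tuple[str, str]:
    """Decide whether to rely on `cert` at time `now`.

    Returns (decision, reason) where decision is one of:
      'accept'          - a fresh CRL from the CA says the certificate is not revoked
      'reject'          - outside validity, or revoked per the CRL or the register
      'accept_degraded' - CRL stale or missing; the in-house register has no report
      'fail_closed'     - CRL stale or missing and there is no in-house register
    """
    if not (cert.not_before <= now < cert.not_after):
        return "reject", "certificate outside its validity period"
    if crl_is_fresh(crl, now):
        if cert.serial in crl.revoked:
            return "reject", "listed on current CRL"
        return "accept", "not on current CRL"
    # CA-side revocation information is unavailable (outsourcer outage).
    if register is None:
        return "fail_closed", "no usable CRL and no in-house compromise register"
    if cert.serial in register.reported:
        return "reject", "reported compromised in in-house register"
    return "accept_degraded", "CRL stale or missing; no in-house compromise report"


def due_for_renewal(certs: Iterable[Certificate], now: datetime,
                    lead_time: timedelta = timedelta(days=30)) -> List[int]:
    """Serials of currently valid certificates expiring within `lead_time`.
    Reissuing these early keeps holders able to transact through a CA outage."""
    return sorted(c.serial for c in certs
                  if c.not_before <= now < c.not_after and c.not_after - now <= lead_time)


# --- constructed sample data -------------------------------------------------
UTC = timezone.utc
NOW = datetime(2024, 3, 1, tzinfo=UTC)
CERTS = [
    Certificate(1001, "CN=alice", datetime(2023, 6, 1, tzinfo=UTC), datetime(2024, 12, 31, tzinfo=UTC)),
    Certificate(1002, "CN=bob", datetime(2023, 3, 15, tzinfo=UTC), datetime(2024, 3, 15, tzinfo=UTC)),
    Certificate(1003, "CN=carol", datetime(2023, 7, 1, tzinfo=UTC), datetime(2024, 6, 30, tzinfo=UTC)),
    Certificate(1004, "CN=dave", datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC)),
]
BY_SERIAL = {c.serial: c for c in CERTS}
FRESH_CRL = CRL(datetime(2024, 2, 28, tzinfo=UTC), datetime(2024, 3, 7, tzinfo=UTC), frozenset({1003}))
STALE_CRL = CRL(datetime(2024, 2, 1, tzinfo=UTC), datetime(2024, 2, 8, tzinfo=UTC), frozenset({1003}))
REGISTER = CompromiseRegister()
REGISTER.report(1003)   # carol's key was reported compromised to the in-house RA

if __name__ == "__main__":
    for crl_label, crl in (("fresh CRL", FRESH_CRL), ("stale CRL", STALE_CRL), ("no CRL", None)):
        for cert in CERTS:
            print(crl_label, cert.serial, check_revocation(cert, NOW, crl, REGISTER))
    print("due for early reissue:", due_for_renewal(CERTS, NOW))
```

The policy deliberately distinguishes "accept_degraded" from "accept" so that an audit trail records which transactions were honoured without a current CRL; an organisation that outsourced registration as well would have no register to fall back on and would land in the "fail_closed" branch, which is the outage the section describes.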
APPENDIX A. OTHER FACTORS TO CONSIDER IN NEGOTIATING OUTSOURCING ARRANGEMENTS
A number of factors need to be considered in negotiating a Service Level Agreement with a possible outsourcer. Some of the factors most frequently forgotten include:
- Will the outsourcer host just the CA or the CA and the RA?
- Will the certificates be issued under a generic policy or under a policy which prevents organisations, such as your competitors, using them?
- Will your Root CA be outsourced or just the operational CA?
- Is the cost of product upgrades and their deployment part of the outsourcing fee?
- Is the cost of commercial product support included in the outsourcing fee?
- Is the cost of customised registration and revocation software support included in the outsourcing fee?
- Is the cost of provision of offsite Disaster Recovery included in the outsourcing fee?
- Is the cost of routine testing of these services included?
- Is the cost of routine hardware upgrades included in the service delivery cost? What hardware refresh interval is stipulated?
- Will your customised registration software also be hosted and run by the outsourcer? If so, is warranty on this software covered by the Service Level Agreement?
- Most standards do not allow organisations to outsource responsibility for the security of their systems. Are the outsourcing arrangements consistent with your regulatory obligations?
- Do you have sufficient access rights to allow a full audit of the outsourcer’s operations?
- Is your CA to be hosted on dedicated servers and HSMs? [7] If not, how does the outsourcer ensure the security of your CA environment? Will your CA service be impacted by maintenance work conducted for other clients?
- What role will you play in key generation and management tasks?
- Would it be possible for hosting centre staff to access or copy your key material under any circumstances?
- Is the outsourcer required to provide evidence of solvency, on an ongoing basis?
- Is the outsourcer required to provide evidence of independent audit of their compliance to regulatory standards?
- Would the hosting environment provided by the outsourcer, and the maintenance and running arrangements satisfy your regulatory requirements?
Footnotes
[1] Australian Business Number – Digital Signing Certificates are a particular form of certificate that has been created and approved for transacting with the Australian Government under the Gatekeeper program.
[2] People relying on a certificate need to know whether it is still valid. To do this, they can either check a Certificate Revocation List (CRL) or query the issuing CA using the Online Certificate Status Protocol (OCSP). By not providing CRLs and forcing people to use OCSP, commercial CAs can force people to pay in order to be in a position to rely on a signed transaction. In effect, the CA becomes a vendor of insurance policies.
[3] By way of reference, the design, customisation, establishment and commissioning of a Gatekeeper accredited CA and RA operation would normally cost in excess of AUS $10,000,000, based on work performed by Baltimore in the establishment of the CAPL, Telstra and ATO CAs. Outsourcing has the potential to substantially lower these establishment costs, as it leverages work performed by the outsourcer in establishing the infrastructure and running processes for other similar CAs.
[4] Federal government standards call for many key management operations to be performed or supervised by COMSEC trained and accredited staff. This is a significant overhead, especially where multiple staff need to be kept available at all times so that unforeseen key damage or compromise events can be dealt with.
[5] In other words, if the outsourcer makes a mistake and your PKI is compromised – it’s still your problem and you can be held accountable.
[6] As the Australian Customs Service do to allow companies to file import and export declarations online.
[7] Hardware Security Modules or HSMs are normally used to hold sensitive key material.