Buckling under the pressure of a waning U.S. macro environment, current and prospective capital and information technology spending budgets are under intense scrutiny. As a result, projects now face higher hurdle rates as a common management edict returns to the forefront: expenditures must demonstrate tangible returns on investments. With this sentiment in mind, we thought it prudent to examine one of the most talked-about technologies in the information security space and take a look at how returns on investments can be generated by public key infrastructure (PKI).
Although PKI deployments come in various sizes and flavors, in order to calculate the return on investment we will review some common or potential costs. The most significant costs an enterprise will likely encounter are the original software licensing fees from the software vendors and the ongoing personnel and administration costs for digital certificate management.
Depending on the size and scale of the deployment and the applications, the server management framework combined with desktop licensing fees begins around $250 per client. Besides the installation and administration of the system software, enterprises will likely be responsible for ongoing certificate administration and revocation.
Enterprises may outsource this responsibility to a third party, but they must then factor in an ongoing administration expense. The larger and more robust the system, the more it costs to manage. According to Gartner Group, customers of VeriSign (VRSN-$30.75) OnSite, a third-party administration service, generally pay between $25,000 and $250,000 per year.
In order to justify expenses and demonstrate returns on investments, companies can use PKI to support a wide range of applications for collaborative, informational, transactional, distributional and relational purposes. Collaborative applications may include the design and development of extranets or supply chains. To securely support multi-company collaboration, access to application environments must be limited. PKI can protect network access by authenticating users and by encrypting communications and information at their source. Certificates can be issued to authenticate employees from each member company, with access tied to the privileges assigned to each user.
PKI also securely enables virtual private networks, securing connections to remote offices and users by providing strong authentication between devices. PKI can ensure that only authorized users and devices gain access to a corporation's network.
PKI also supports informational applications, including the provision of customer and supply information and corporate intranets. By authenticating users, companies can guarantee the integrity of the data on their intranet and can limit a user's access to the appropriate information. Another use of PKI is in supporting human resources. EDS recently cited a 10% reduction for its human resources help desk department after its PKI system simplified administration and reduced password-management overhead.
One of the largest applications enabled by PKI is supporting transactions over the Internet. Whether the transactions take place in an extranet, a supply chain or a consumer purchase, PKI allows for non-repudiation and ties both the buyer and seller to the transaction. By enabling non-repudiation, companies can prevent authenticated parties from refuting the purchases they have made.
PKI also provides an audit trail of the transaction. A purchase order secured by PKI is as legally binding as one signed in person. Contracts can be signed and executed and purchases made in a matter of minutes, cutting down processing times. For example, an insurance carrier could reduce printing, paper, postage and processing costs by using digital signatures to complete contracts online. Inventory fulfillment could take place in seconds as opposed to days, and suppliers and customers would be legally bound to contractual agreements executed electronically.
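The signed-purchase-order workflow described above, as an added example that is not from the Watchdog article: a Go sketch using only the standard library's crypto/x509 and crypto/ecdsa, in which a constructed enterprise CA issues certificates to a buyer and a seller, each signs the order, and the verifier accepts a signature only if the signer's certificate chains to the CA and the order text is unchanged. The CA name, subject names, serial numbers and order text are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair and a certificate for name signed by the parent CA; with a
// nil parent the certificate is self-signed and marked as a CA (the constructed enterprise CA).
func issue(name string, serial int64, parentKey *ecdsa.PrivateKey, parent *x509.Certificate) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parentKey, parent = key, tmpl // self-signed
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

// sign returns the signer's ECDSA signature over the SHA-256 digest of the purchase order.
func sign(key *ecdsa.PrivateKey, order string) []byte {
	digest := sha256.Sum256([]byte(order))
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return sig
}

// verify accepts the order only if the signer's certificate chains to the enterprise CA
// and the signature matches the order exactly as presented, so a tampered order or a
// certificate from outside the PKI is rejected; this is what makes the order non-repudiable.
func verify(ca, signer *x509.Certificate, order string, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(order))
	return ecdsa.VerifyASN1(signer.PublicKey.(*ecdsa.PublicKey), digest[:], sig)
}
```

A real deployment would also consult revocation data (CRL or OCSP) before trusting the signer's certificate, which the standard-library Verify call does not do on its own.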
PKI can also support the secure distribution of intellectual property. Perhaps the most popular Internet application, e-mail, still largely travels the Internet insecurely. PKI can encrypt and secure e-mail messages and allow only the intended recipient or workgroup to view the message. For example, PKI would enable law firms to transfer sensitive legal documents electronically through e-mail, guaranteeing their authenticity and keeping them encrypted in transit. Sensitive corporate messages can then traverse the web without the threat of being viewed by third parties.
PKI can also enable relational applications. As personal privacy issues have emerged as a major legal and ethical concern for Internet usage, PKI can help address a company's liabilities. Headlines are routinely filled with news of corporations whose customers' credit cards have been stolen. With a PKI in place, companies can encrypt customer information inside their databases, with access to that information limited to authenticated users only. In addition, new HIPAA healthcare legislation severely limits access to and transfer of a patient's medical records. Healthcare firms will be legally bound to protect this data and will be fined if they fail. PKI allows for the safe transmission of the data and permits a patient's encrypted medical records to be seen only by the intended recipient.
After reviewing the costs and the applications for which PKI is used, we think the returns should be evident. PKI will only be as valuable as the number of applications it supports and the risks it reduces. To a law firm, it might be the process and time savings in distributing documents. A large manufacturer might shave a couple of days from its inventory as its supply chain and fulfillment are automated and non-repudiation is assured. A health care concern might eliminate fines under recent legislation by limiting access to its patients' records, or, finally, a large auto manufacturer might eliminate administration costs by reducing its employees' multiple passwords and tokens to a single secure key.
Like other infrastructure deployments, PKI is not for every company. However, given the multitude of applications it can secure and the risks it mitigates, we believe many companies will likely see quantifiable returns from their investments in PKI.
This article was excerpted from the April 4, 2001 edition of Watchdog, a periodical published by Tucker Anthony Sutro Capital Markets covering business and financial topics in the Information Security sector. Frederick D. Ziegel is managing director of equity research and John D. Hall is an associate analyst for the firm, based in New York. Ziegel can be reached at firstname.lastname@example.org and Hall at email@example.com.