Consumer Security

EXPERT ADVICE

Digital Certificates – Don’t Do Business Online Without Them

When you conduct business online — whether it’s selling merchandise through a Web site or simply using email for company communication, there is some level of digital risk. The Web has enabled instant global access to conduct business remotely like never before in history.

Personal meetings allow you to securely exchange physical documents and information, as well as positively identify the person with whom you’re doing business. The downside of remote commerce is the inability to conduct business face to face. To address this risk, digital certificates were created. If you use the Web to transact business or communicate sensitive information with clients, then digital certificates are a must.

Digital Certificate Primer

A digital certificate, sometimes called a “digital ID,” is a credential used on the Internet to identify people and machines. Not unlike a driver’s license, it is issued by a reputable third-party source, called a “certificate authority,” which vouches that the name in the certificate belongs to the holder. The certificate binds the holder’s public key to that name; the matching private key, which stays with the holder, is what actually signs digital content and decrypts content sent to the holder.

Digital encryption ensures that only the intended recipient can read a message or attachment: the content is encrypted to the recipient’s public key, so anyone who intercepts it in transit sees only unreadable ciphertext.

Digital signatures ensure that digital content is from the person identified as the author and that it has not been changed or tampered with while in transit — not unlike the old practice of using wax to seal documents. If the contents are altered after signing, the signature no longer verifies. When you combine the two using a certificate, you know that the message is from the person or organization identified as the sender, that the contents have not been altered in transit, and that nobody but the intended recipient could read it on the way.

The ability to support digital certificates has been built into the vast majority of Internet browsers, networks and applications over the last 30 years without requiring modifications from users.

How to Get a Digital Certificate

The easiest way to acquire a digital certificate is by using your Web browser to purchase one with a credit card. Depending on the type of certificate you order, you may be asked to fax over identification documents, so your identity can be verified — known as “vetting” — before a certificate is issued. Certificates come in different flavors, the most popular being client certificates (which identify a person or a device) and server certificates (which identify a Web site or service); the one you use depends on what it is you want to identify.

Once the certificate is loaded into your computer, which is an automated process, you use the functionality built into the relevant application. For example, within Microsoft Outlook, there is a button to sign email messages and another one to encrypt them. Web server certificates are primarily used to secure sensitive transactions, such as credit card transactions, over the Web. A padlock icon is usually used to show that the session is encrypted and that the server presented a certificate the browser trusts; it does not by itself vouch for the business behind the site, which is why the identity vetting behind the certificate matters.

Personal certificates for personal use are generally priced below US$20. Personal certificates for commercial use are generally priced between $5 and $90, depending on volume; the price of certificates for Web servers ranges from under $100 to over $1,000, depending on the features supported in the certificate. In general, more expensive certificates require a more rigorous identification process.

Personal certificates can be stored on a personal computer or on a USB token or smart card for portability. The certificate can be used to sign and encrypt email messages, sign documents, or authenticate an owner seeking access to sensitive information from a remote location. Many organizations also use this form of identification to allow physical facility access.

Digitally signing an email or a document addresses both the integrity and authenticity of the message or document. It establishes integrity, because if the document or email is altered, the signature will not verify. It establishes authenticity, because only the certificate holder could have signed the document — provided the private key has stayed under the holder’s control, which is one reason to keep it on a token or smart card rather than copying it between machines. Not all emails require integrity or authenticity, but many do. Whenever this is a requirement, emails should be digitally signed. There have been cases where email has been rejected as evidence of a transaction because its authenticity and integrity could not be proven.
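The sign-and-verify flow described in the primer above and in this paragraph, as an added example written for this page (not code from the article or from ChosenSecurity). It uses Go’s standard library to stand in for a certificate authority: a hypothetical root “Example CA” issues an e-mail certificate to a hypothetical “alice@example.com”, the holder signs a constructed sample message, and the recipient checks both the chain of trust and the signature. The names, the sample message and the BuildPKI, Sign, VerifySigned and Demo functions are all assumptions of the example, not anything the article or a real CA provides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a key pair plus the certificate that binds its public half to a name.
type Identity struct {
	Key  *ecdsa.PrivateKey // stays with the holder; used to sign
	Cert *x509.Certificate // public; carries the name and the public key
}

// must aborts the demo on setup failures (key generation, certificate creation).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newIdentity generates a P-256 key pair and a certificate for it. With issuer == nil it is a
// self-signed root CA; otherwise the issuer's private key signs it, vouching for name (hypothetical).
func newIdentity(name string, serial int64, issuer *Identity) Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	parent, signer := tmpl, key
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
		tmpl.EmailAddresses = []string{name}
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return Identity{key, cert}
}

// BuildPKI stands in for a certificate authority: a root "Example CA" (hypothetical)
// issues an e-mail certificate to a user. Each call makes a fresh, unrelated CA.
func BuildPKI() (ca, user Identity) {
	ca = newIdentity("Example CA", 1, nil)
	user = newIdentity("alice@example.com", 2, &ca)
	return ca, user
}

// Sign hashes msg and signs the digest with the holder's private key (ECDSA, DER-encoded).
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifySigned is the recipient's side: sig is accepted only if (1) signerCert chains to a CA the
// recipient trusts and is valid for e-mail protection, and (2) sig verifies over msg under its key.
func VerifySigned(trustedCA, signerCert *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := signerCert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if err := signerCert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return fmt.Errorf("signature does not verify (content altered or wrong key): %w", err)
	}
	return nil
}

// Demo runs three checks: a genuine signed message, the same message altered in transit, and a
// message signed by an impostor whose certificate carries the same name but comes from an untrusted CA.
func Demo() (genuine, tampered, impostor bool) {
	ca, alice := BuildPKI()
	_, mallory := BuildPKI() // unrelated CA, same subject name
	msg := []byte("Ship 200 units to the Boston warehouse.") // constructed sample
	sig, err := Sign(alice.Key, msg)
	must(err)
	badSig, err := Sign(mallory.Key, msg)
	must(err)
	genuine = VerifySigned(ca.Cert, alice.Cert, msg, sig) == nil
	tampered = VerifySigned(ca.Cert, alice.Cert, []byte("Ship 900 units to the Boston warehouse."), sig) == nil
	impostor = VerifySigned(ca.Cert, mallory.Cert, msg, badSig) == nil
	return genuine, tampered, impostor // expected: true, false, false
}

func main() {
	g, t, i := Demo()
	fmt.Printf("genuine verifies: %v, tampered verifies: %v, impostor accepted: %v\n", g, t, i)
}
```

Demo returns true, false, false: the genuine message verifies, the altered message fails the signature check, and the impostor’s certificate, although it carries the same name and e-mail address, fails the chain check because its issuer is not among the recipient’s trusted roots. That last case is the whole point of the certificate authority: the name inside a certificate is only as good as the authority that vouched for it, and a recipient who skips the chain check and trusts the name alone gets none of the protection the article describes.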

Why Aren’t Certificates More Prevalent?

Until recently, each organization had to establish, build and maintain its own certificate authority before it could issue and maintain certificates, requiring capital expenditures, in-house training, changes to an organization’s network footprint and ongoing maintenance.

Suppose each town had to create and maintain its own driver’s license authority before issuing driver’s licenses. It would certainly be expensive; without a large number of employees, there would be no economy of scale. Small and medium-sized businesses rarely have enough full-time IT staff to effectively perform all the security measures necessary to manage a certificate authority. Even in larger businesses, IT people take on many roles, which means that certificate authority management tasks often can get done only at the expense of other equally important business computing needs.

What changed was the ability to create an on-demand certificate authority accessible via the Internet. The Software as a Service, or SaaS, model effectively spreads the infrastructure costs among many, allowing organizations to start with a very small investment and buy as they grow.

A Cost-Effective Approach

The concept behind a SaaS certificate service is simple.

Rather than acquiring your own digital certificate and encryption technology — plus the technical expertise to administer it internally — you contract with a security vendor. Outsourcing certificate issuance eliminates most of the labor and infrastructure, while still giving you state-of-the-art protection.

Looking at it another way, SaaS security is simply a security capability delivered as a service instead of a product. As an example, some companies deliver certificates via a service that can be accessed by any Web browser; this is an alternative to setting up a product such as the Microsoft Certificate Authority. You don’t need to set up machines, install software and cryptographic hardware, and create a secure physical environment. Instead, you just connect to the service vendor’s environment using a Web browser.

A SaaS certificate service reduces the complexity, cost and ongoing investment in deploying digital certificates — bringing strong authentication to a much larger audience. In fact, organizations of any size can use it.

Such a certificate service can deliver breakthrough economics and implementation speed to enterprises. It can cost up to 70 percent less than in-house implementations, 50 percent less than traditional managed services, and can be implemented in days — not months. It is a proven approach, and it has provided a high level of digital security for well over a decade.

Digital certificates enable a wide range of digital trust applications, such as strong authentication, secure email, electronic signatures, data encryption, and code signing. They can be a key factor in supporting compliance with privacy regulations.

Certificates have been around for more than 30 years; they work, and they are proven. As more companies and individuals rely on remote commerce, the need for certificates and their security continues to grow. The infrastructure required to create and manage certificates has also grown and matured over the last 30 years. Certificates plug directly into today’s computing environments — and with breakthroughs such as on-demand delivery, the cost of getting started and maintaining certificates has dropped dramatically, while the ease of use has dramatically improved.

The bottom line is that for any business transaction in which sensitive information is being transferred, it makes good sense to use digital certificates, since they are both proven and inexpensive. The quickest and most cost-effective way to implement digital certificates is through a SaaS approach, an approach that has been successfully deployed by a number of firms.


John Adams is chief technology officer for ChosenSecurity, a provider of on-demand digital certificates.


1 Comment

  • John – another good security practice on top of digital certificates is to de-identify data where possible, and especially the most sensitive information such as credit card numbers. Using tokenization, businesses can replace credit card data with unique identifiers that can then be used for future transactions.

    Taking this approach, even if a business is breached, no sensitive credit card data is present to be stolen. Plus, it will reduce the scope of compliance requirements that would otherwise apply. To see a 4-minute video on this, visit braintreepci.com
