I work for IBM and while listening to a presentation once, the presenter said, “We’re IBM, we don’t make dog food.” I thought that was rather clever, and decided to subvert that for my own uses. I am going to describe how we are eating our own dinner with regard to certificates and our internal Certificate Authority (CA).
For the last several years, I have been involved as a security architect at IBM on a project to deploy a Public Key Infrastructure (PKI) system on System z, to sign certificates for a multitude of use cases.
The idea for that project was that by eliminating the cost barrier to certificate signing for internal uses, we could eliminate self-signed certificate warnings, thus improving the security mentality of our users.
For phase one of the project, we determined that we would only target server certificates. That was a fairly straightforward use case.
Set up and customize PKI Services on System z, change our internal policies to gently prod users toward the new Certificate Authority (CA), and then investigate other use cases.
We are now targeting other types of certificates, such as:
- Certificates as an authentication replacement for userid and password
- Two factor authentication using a combination of userid, password and certificates
- Certificates used for client auth or mutual SSL connections on server-to-server channels
- Certificates used for OpenVPN tunnels in labs
- Wi-Fi connections using EAP-TLS
- Production VPNs using certificates
I’m trying to paint a picture of how many diverse use cases there are in which certificates improve security. This also shows that running a CA for internal use can have wide-reaching implications. The complexity of this picture is exactly the reason we targeted only server certificates in phase one of the project.
That use case is trivial:
- Authenticate to the Certificate Authority application
- Check that the user requesting the certificate is the owner of the server for the hostname they entered
- Have the user’s manager approve the certificate request
- Download the signed certificate and install it to the server’s keystore
That’s all great, Jonathan, but the title of the blog said IBM was saving money; when are you going to talk about that?
At the start of the project, I scanned the entire IBM network across port 443 (HTTPS). I excluded all other ports because I was hardware constrained. I excluded any network behind firewalls, and I excluded all private networks. This also excluded any user-based certificates.
The tip of the iceberg, as I like to call it, is that I found 60,000 certificates. To get an idea of what that means, I scanned another single subnet across the entire range of ports and found 2,000 certificates; hence the 60,000 certificates across a single port may well be only 10% of the story.
Out of the 60,000 certificates I found, 6,000 were costing IBM money. If we assume a cost of $500 per 3-year certificate, then over the course of 3 years we could save $3,000,000 by replacing those certificates with ones from an internal certificate authority.
That’s not a bad cost savings for a product that is free to run on System z.
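The classification step behind those numbers, as an added example in Go (not code from the post or from IBM's PKI Services): each leaf certificate a port-443 scan collected is sorted by its issuer into self-signed, internal-CA or public-CA, and the public-CA ones are priced at the post's $500 per 3-year certificate. The CA names and hostnames are constructed placeholders, and MkCert fabricates test certificates in place of ones received from real TLS handshakes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const ( // categories of a scanned leaf certificate, decided from who issued it
	SelfSigned = "self-signed" // issuer == subject: browser warnings, no CA fee
	InternalCA = "internal-ca" // signed by our own CA: no fee
	PublicCA   = "public-ca"   // bought from a commercial CA: the ones costing money
)

// Classify one parsed certificate; internalCA is our issuing CA's CommonName (a placeholder).
func Classify(c *x509.Certificate, internalCA string) string {
	switch {
	case c.Issuer.String() == c.Subject.String():
		return SelfSigned
	case c.Issuer.CommonName == internalCA:
		return InternalCA
	}
	return PublicCA
}

// Inventory tallies categories over a scan's certificates and prices the public-CA ones over their term (the post's 6,000 x $500 arithmetic).
func Inventory(internalCA string, costPerCert float64, certs ...*x509.Certificate) (map[string]int, float64) {
	counts := map[string]int{}
	for _, c := range certs {
		counts[Classify(c, internalCA)]++
	}
	return counts, float64(counts[PublicCA]) * costPerCert
}

// MkCert builds a constructed test certificate (self-signed when issuerCN == cn) and re-parses its DER, as a scanner would a handshake certificate.
func MkCert(cn, issuerCN string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(3 * 365 * 24 * time.Hour)}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}} // only its name is needed here
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
```

A real inventory would pass the leaf certificate from each host's TLS handshake to Inventory in place of MkCert's constructed ones.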
Jonathan Barney is currently the lead security architect for public storage cloud (IBM GTS Offering) and SmartCloud Archive (BCRS cloud) at IBM. He has worked with SCE and SCE+ in some capacity. He also has experience with IBM CCRA. You can reach Jonathan on Twitter: @idle_j
Editor’s Note: This blog post by Jonathan Barney is part of a series on IT security we are running in December 2012 to help readers understand key aspects of security, including reputational risk, cloud security, and the role of hardware, software and services in security solutions.
We encourage you to read the other posts in our series, listed below:
- Are You the Keymaster? Yes, Actually, I Am by Paul DiMarzio
- Reputational Risk and IT: They’re Closer Than You Think by Yesica Schaaf
- Security-Ready IT: A Fundamental Imperative for Smarter Computing by Shelley Westman
- Enterprise Systems and Security by Amy Bennett
To effectively compete in today’s changing world, it is essential that companies leverage innovative technology to differentiate from competitors. Learn how you can do that and more in the Smarter Computing Analyst Paper from Hurwitz and Associates.