How IBM Saves Money by Eating Our Own Dinner


I work for IBM and while listening to a presentation once, the presenter said, “We’re IBM, we don’t make dog food.” I thought that was rather clever, and decided to subvert that for my own uses. I am going to describe how we are eating our own dinner with regard to certificates and our internal Certificate Authority (CA).

For the last several years, I have been involved as a security architect at IBM on a project to deploy a Public Key Infrastructure (PKI) system on System z, to sign certificates for a multitude of use cases.

The idea for that project was that by eliminating the cost barrier to certificate signing for internal uses, we could eliminate self-signed certificate warnings, thus improving the security mentality of our users (users who routinely click through warnings stop treating them as a signal).

[Image: untrusted certificate]

For phase one of the project, we determined that we would only target server certificates. That was a fairly straightforward use case.

The plan was to set up and customize PKI Services on System z, change our internal policies to gently prod users toward the new Certificate Authority (CA), and then investigate other use cases.

[Image: IBM internal Certificate Authority]

We are now targeting other types of certificates, such as:

  • Certificates as an authentication replacement for userid and password
  • Two-factor authentication using a combination of userid, password and certificates
  • Certificates used for client authentication (mutual SSL/TLS) on server-to-server channels
  • Certificates used for OpenVPN tunnels in labs
  • Wi-Fi connections using EAP-TLS
  • Production VPNs using certificates

I’m trying to paint a picture of how many diverse use cases there are in which certificates can improve security. It also shows that running a CA for internal use can have wide-reaching implications. The complexity of this picture is exactly the reason we targeted only server certificates in phase one of the project.

That use case is trivial:

  1. Authenticate to the Certificate Authority application
  2. Check if the user requesting the certificate is the server owner based on the hostname they input
  3. Have the user’s manager approve the certificate request
  4. Download the signed certificate and install it to the server’s keystore
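The four steps above, as an added example in Go that is not code from the post or from IBM's PKI Services product. It assumes a constructed ownership registry (two hostnames under example.internal mapped to made-up userids) standing in for the asset inventory a real CA would query; step 1 (authentication) and step 3 (manager approval) are taken to have happened before IssueServerCert is called with the authenticated requester's userid. The security-relevant point it shows is step 2: the CA checks every hostname in the CSR against the registry, and the issued certificate takes its names, validity and key usages from the CA's own template rather than from whatever the CSR asked for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed ownership registry (hostname -> owning userid): a stand-in for the
// asset inventory a real CA would consult, not IBM data.
var serverOwners = map[string]string{
	"app1.example.internal": "jbarney",
	"db1.example.internal":  "dbadmin",
}

func signAndParse(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewInternalCA creates a self-signed root restricted to signing leaf certificates.
func NewInternalCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // no intermediates below this root
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signAndParse(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// MakeCSR is the server owner's side: the private key never leaves the server.
func MakeCSR(hostnames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: hostnames[0]}, DNSNames: hostnames}
	return x509.CreateCertificateRequest(rand.Reader, req, key)
}

// IssueServerCert is step 2 of the workflow: the authenticated requester must own every
// hostname in the CSR. Names, validity and key usages come from the CA's own template.
func IssueServerCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, requester string, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	if len(csr.DNSNames) == 0 {
		return nil, fmt.Errorf("CSR carries no hostname in its SAN")
	}
	for _, h := range csr.DNSNames {
		if requester == "" || serverOwners[h] != requester {
			return nil, fmt.Errorf("%q is not the registered owner of %s", requester, h)
		}
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: csr.DNSNames[0]},
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-5 * time.Minute), // tolerate clock skew
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature, // IsCA stays false: a server cert must not sign
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return signAndParse(tmpl, caCert, csr.PublicKey, caKey)
}

// VerifyServerCert is the relying party's check: chains to the internal root, is valid
// for server authentication and names the host actually being contacted.
func VerifyServerCert(cert, root *x509.Certificate, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

The two checks worth carrying into any real deployment are the ownership loop (a CSR naming one host the requester owns and one they do not is rejected outright, not trimmed) and the fact that IssueServerCert ignores the CSR's own extensions, so a requester cannot smuggle in IsCA, a CRL-signing key usage or an extra hostname.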

That’s all great Jonathan, but the title of the blog said IBM was saving money, when are you going to talk about that?

At the start of the project, I scanned the entire IBM network across port 443 (HTTPS). I excluded all other ports because I was hardware constrained. I excluded any network behind firewalls, and I excluded all private networks. This also excluded any user-based certificates.

The tip of the iceberg, as I like to call it, is that I found 60,000 certificates. To get an idea of what that means, I scanned another single subnet across the entire range of ports and found 2000 certificates, hence 60,000 certificates across a single port may well be only 10% of the story.

Out of the 60,000 certificates I found, 6,000 were costing IBM money. If we assume a cost per 3-year certificate of $500, over the course of 3 years, we could save $3,000,000 by replacing those certificates with an internal certificate authority.

That’s not a bad cost savings for a product that is free to run on System z.

Jonathan Barney is currently the lead security architect for public storage cloud (IBM GTS offering) and SmartCloud Archive (BCRS cloud) at IBM. He has worked with SCE and SCE+ to some capacity. He also has experience with IBM CCRA. You can reach Jonathan on Twitter: @idle_j


Editor’s Note: This blog post by Jonathan Barney is part of a series on IT security we are running in December 2012 to help readers understand key aspects of security, including reputational risk, cloud security, and the role of hardware, software and services in security solutions.
