Академический Документы
Профессиональный Документы
Культура Документы
This study has been conducted in cooperation with SEALWeb, an independent and trusted
consultancy firm who has proven experience in managing PKI projects in the financial services
and other industry sectors. The case study figures are representative of the average time and
budget that customers of SEALWeb typically spend on PKI implementations.
Total Cost of
Ownership (TCO)
Understanding and
calculating all the
costs related to a
PKI solution
Contents
Introduction............................................ 3 Case studies : ....................................... 6
Public Key Infrastructure (PKI) - 1) Institution with small user base and
What is it and why?................................ 3 limited needs
2
Introduction a financial institution with limited needs Certificates are associated with identities,
up to a large organisation with extended for example with the name of a person or
In the world of electronic banking, proof requirements. a function within the organisation. This is
of identity is often very complex, involving the role of the Registration Authority, also
numerous tokens, passwords and access known as RA. The RA is responsible for
cards for a single transaction. The use Public Key Infrastructure the registration and controlling the identity
of Public Key Infrastructure (PKI) and (PKI) - What is it and why? of its users. Therefore, they will apply their
adoption of electronic signatures are now Know Your Customer policies (KYC) and
considered best-in-class for securing What is PKI?
A Public Key Infrastructure or PKI is a security processes prior to linking the
banking communications. PKI enables identity of the user with a certificate. Users
both financial institutions and their system for the creation, storage and
distribution of digital certificates. PKIs sign their financial instructions, such as a
customers to ensure that instructions are payment by using their private key. The
authentic, unaltered and legally binding. allow organisations and their customers
to verify the authenticity of financial financial institution verifies the signature
Implementing a cutting edge PKI messages they receive. When transferring by using the associated certificate and will
infrastructure is costly and often complex a financial message, the sender has a check the validity of this certificate with
to build and maintain. It requires for you not private encrypted key that needs to match the CA (e.g. whether the certificate has
only to invest in the infrastructure and build the recipient’s public key. Only when the been revoked).
expertise but also to permanently upgrade two match can the recipient verify that the Why use PKI?
the changing technology and evolve with message is authentic (Fig. 1). There are three main advantages and
new security threats. Therefore, enabling differentiators of using a PKI solution over
strong authentication and digital signatures To implement this solution, an individual
generates a private (secret) key locally, any other electronic identity means:
with your customers is not only a question
of ‘keys’ and ‘tokens’. which will be used as a credential for Checking the authenticity of
1.
signing purposes. For security purposes, the sender: Authentication means
Most ‘financial’ decisions for a PKI such credentials are often stored on verifying the identity of the person
solution are based on a comparison of the external devices, such as USB tokens who sent and signed the data and
most obvious costs, therefore overlooking or smartcards. A public key is created being sure that they are the person
the hidden, and often more expensive and linked to the individual’s private key who they say they are. PKI facilitates
costs. by a trusted party, also known as the remote authentication between
TCO or Total Cost of Ownership allows Certification Authority or CA. The public parties, assuring the receiving entity
you to understand and calculate all the key is used to authenticate the individual. that the information originated from
costs related to a product or service. It Each key is a unique string of numbers. the sender who owns and has
includes not only the direct and most The CA can revoke a specific certificate; protected access to his or her private
visible costs of a solution, but also unveils for instance, if its lifetime has expired or if key.
the often hidden indirect costs for building there is concern with the certificate, such
and maintaining the solution. In the as theft of an associated private key that
world of PKI, the TCO includes the more has been reported.
visible charges such as infrastructure
investments, cost of developing the
applications, product licenses, installation
and training, etc… and the often hidden
recurring charges to run and maintain the
service. The latter is not always easy to
identify and not obvious to calculate. Sender Receiver
SWIFT, together with SEALWeb,
conducted a study comparing the
costs for a financial institution to build
and maintain a proprietary PKI with the
costs of implementing 3SKey. The study
revealed that institutions could reduce
their cost up to 40% when using 3SKey. Encode using Decode using
This information paper describes the Private key of sender Public key of sender
drivers to use PKI solutions, breaks
down the different cost components to
build and maintain such infrastructure,
describes the implementation options for
an organisation and reviews all the costs
in three typical scenarios. This starts with (Fig. 1) Basics of a PKI solution
3
Controlling the integrity of the
2. Common implementation and the existence of an internal security
signed information: Integrity options and 3SKey framework that can be reused.
means ensuring that data cannot
be corrupted or modified, i.e. a Institutions planning to implement or
Bank User
transaction can therefore not be replace a PKI solution have different
altered. With PKI, the content of the options available. Each of the
exchanged data is guaranteed by implementation strategies have different
its electronic signature. If the data costs and benefits and the decision will
CA RA
is modified afterwards, then the likely be driven by factors such as:
signature will no longer be valid. — Number of users CA =Certification
CA= Authority RA
CertificationAuthority RA== Registration
Registration Authority
Authority
infrastructure.
User Support + Vendor Applications Integration +
Bank
Web Channels Integration + Host Channels Integration +
User
Tokens + Logistics & Distribution +
PKI Service Provider
Product Documentation + Contractual Agreements +
Multi-Bank Acceptance + Audit + RA CA
CA= Certification Authority RA= Registration Authority
CA = Certification Authority RA = Registration Authority
= Total Cost Ownership
(Fig. 4) PKI Service Provider
4
(Fig. 2) Cost components of a PKI service
The institution needs to select the third Each financial institution will register its To ease and speed-up the integration
party according to its business needs, users independently by applying their of 3SKey for financial institutions, their
the size of its customer base and also own registration and KYC procedures, customers and within third party financial
geographical scope. They will typically and subsequently associate the identity of applications software, 3SKey has
pay a one-time and recurring license fee the user with the 3SKey certificates. For been built using common and widely
for the use of the PKI infrastructure and financial institutions it offers a service that used industry standards (e.g. RSA
also a one-time and recurring fee per responds to their customer demand for 2048 keys, X.509 digital certificates,
user. The digital certificates will need to a multi-bank solution. Thanks to a multi- …). Also, integration toolkits and APIs
be integrated in the proprietary products registration model, financial institutions are are made available to ease the project
and solutions of the institution, often not dependant on each other for checking implementation. SWIFT provides ongoing
with the assistance of the selected third the user identity. Moreover, 3SKey support to financial institutions and the
party. The level of possible adaptation significantly reduces the investments and vendor community during the integration
and customisation is mostly limited. The running expenses to manage an in-house and use of the service, and also provides
technical support for basic user queries PKI infrastructure or contracting with a end-user assistance for the installation
will be handled by the organisation itself third party PKI provider. and activation of the 3SKey digital
whilst the more complex problems will be certificates.
escalated to the PKI provider. User Implementing 3SKey will allow
On top of this, regardless of whether Bank Bank organisations to offer a multi-bank solution
a third party or an in-house solution is to the user, whilst reducing TCO by using
used, other cost elements should not be a cost-effective infrastructure operated by
overseen. These include amongst others SWIFT, a trusted and neutral party.
project management, the organisation RA RA
of regular audits, setup multi-bank CA Comparing the needs and benefits of
acceptance when required, monitor
different PKI implementation options
threats and technology evolution and CACA=
= Certification Authority RA
CertificationAuthority RA==Registration
RegistrationAuthority
Authority
The table below summarises the benefits
migration to a new security infrastructure
of each PKI implementation strategy and
(on average every five years). (Fig. 5) 3SKey how the needs are addressed with each
option (Fig. 6).
Using 3SKey Financial institutions pay a one-time
Instead of building its own PKI or and annual service fee for using the
relying on a third party PKI provider, 3SKey service within their banking group
financial institutions can now also take regardless of the number of users,
advantage of the 3SKey service. 3SKey channels and countries where they use
was designed to respond to a growing the 3SKey certificates. This makes 3SKey
demand from financial institutions and a very flexible and scalable solution,
their corporate clients for an international suitable for small, medium-sized and large
and interoperable digital identity solution. organisations.
With 3SKey, SWIFT takes away the
burden for a financial institution to develop
and maintain the technical infrastructure
PKI
and issues digital certificates, whilst Benefit /Needs In-house 3SKey
Provider
for their customers it allows them to
manage the users and tokens by using Outsource infrastructure
a secured web portal. This model offers
users a single certificate solution, which
Multi-bank acceptance
they can use with many different financial
institutions and over any channel.
Large geographical coverage
Customisation of interfaces/workflows
Cost-effective scalability
5
Case Studies: Comparing (Annual service
Cost to build Price
the costs of a common PKI
implementation and 3SKey the PKI + of tokens + running costs)
x 3 years
TCO* =
In order to conduct this study, typical Number of digital
scenarios have been identified. These (*) Cost per user on a 3-year basis certificates
different scenarios address the most
commonly used models of PKI in a variety — Cost to build the PKI = all investments and expenses associated to buy,
of financial institutions. The following develop and build the infrastructure and solution
variables were used to define the different — Price of tokens = the unit price paid for the tokens and associated services
case studies. — Annual service running costs = all recurring and maintenance fees associated
with running and supporting the service
— Using a third party PKI versus building
— Three years = the typical life cycle of a digital certificate and hardware security
an in-house PKI infrastructure
device before it must be renewed
— Size of the institution in terms of
— Number of digital certificates = the institution’s number of users equipped
number of users
with a digital certificate
— Limited usage versus adoption of PKI
across all platforms (Fig. 7) Total Cost of Ownership (TCO) formula
— Need for multi-bank acceptance
— Number of user applications requiring For each case study, the average To calculate the Total Cost of Ownership
integration time and budget spent for all the cost (TCO) of a self-managed PKI solution and
components to build and run the service compare with the costs of the 3SKey
Three main scenarios have been chosen (as described in the section Cost service, the formula in Fig. 7 was used
to compare typical configurations in components of a PKI infrastructure) were providing a total cost per user.
financial institutions. In the respective case calculated based on experience and real
studies, the building and running costs costs of PKI implementation projects of a
The following section presents the three
were compared with 3SKey (Fig. 8). similar nature.
selected cases studies, a quantification
The cost for a similar implementation of all the cost components and a
with 3SKey was then calculated taking comparison of the TCO per user with
into account the service and token fees, 3SKey.
as well as the project and running costs
for the components still managed by the
institution itself.
1. Institution with small user base 2. Institution with medium user base 3. Institution with large user base
and limited needs and regular needs and extended needs
— PKI outsourced to a third party — PKI outsourced to a third party — In-house PKI infrastructure
— 1K - 10K users — 10K - 50K users — 20K - 100K users
— File signing only — File signing and web-banking — File signing and web-banking
— No need for multi-bank acceptance — Limited multi-bank acceptance — Multi-bank acceptance
— 5 vendor applications — 10 vendor applications — 10 vendor applications
6
Case Study 1 – Institution
small user base and TCO per user (3 year basis)
limited needs
This scenario looks at an institution with 400 €
7
Case Study 2 – Institution with
medium-sized user base and
regular needs TCO per user (3 year basis)
8
Case Study 3 – Institution
with large user base and TCO per user (3 year basis)
extended needs 250 €
This scenario analyses an institution
200 €
with a large user base ranging between
20,000 and 100,000 users, who has 209 € -40%
150 €
extended needs and runs an in-house
100 €
PKI infrastructure. The organisation uses
PKI authentication and digital signatures 50 € 129 €
on its web banking portal and also for its
application-to-application file exchanges. 0€ Cost of annual service running
The organisation requires its digital Cost of initial service building
and integration
certificates to be accepted by five other Price of token
financial institutions.
Bank PKI 3SKey
The institution has decided to create an solution solution
in-house PKI and design and host it in its
secured data centre. The organisation has
already very good expertise on PKI and an
experienced team in such technology. The (Fig. 14) 40% cost savings for institution with large user base and extended needs
physical data centre and logical security
frameworks are not specific for this project
The initial registration of the company In this case, the institution subscribes
but shared with other existing critical bank
administrator is performed face-to- to an insurance plan for its PKI. The PKI
infrastructures. They buy and configure
face at the local branches; afterwards platform is audited by an external auditor
the necessary software and hardware
the company administrator registers once a year.
themselves. The tokens are chosen by the
and manages their users. Five CA
institution itself and are already supported The result of the analysis demonstrates
administrators are trained to maintain and
by the PKI software. In this scenario, the that with 3SKey, the TCO per user
monitor the solution and 30 registration
cost of the tokens represents only 7% of over three years can be reduced by
operators manage the end-users.
the total costs (Fig. 13). 40% compared with an in-house PKI
Helpdesk tools are developed and the
infrastructure deployment (Fig. 14). This
existing customers’ portal is adapted to
3-year TCO represents potential savings ranging from
Cost component support the deployment of PKI certificates
per user 2,200K EUR to 4,600K EUR depending
with its customers. All user support is
on the number of users. As the number
Annual maintenance performed by the institution itself, only
77% of users grow in such a scenario, the cost
and support complex issues are submitted to the PKI
benefits of using 3SKey increases further
software editor for resolution. Typically the
for the financial institution. On top of the
Initial build and customer support costs represent 30%
16% cost savings, an organisation avoids
integration of the annual running costs of the PKI
auditing its PKI infrastructure on a regular
service.
basis and limits the recurring investments
Token 7% The customer base in this scenario uses linked with technology renewals as
on average 10 common financial software security paradigms change.
(Fig. 13) Cost break-down using an in- applications. The institution ensures
house PKI with 30,000 users optimal integration of its digital certificates
and extended needs with the vendors of these applications. A
set of APIs developed by the PKI software
vendor and configured for the institution’s
specific PKI are made available to the
vendors.
9
Conclusion – Outsource On top of the financial savings, 3SKey will
infrastructure, reduce costs and provide you with additional competitive
keep control with 3SKey advantages, including:
10
For more information about 3SKey
visit www.3skey.com
Legal Notices
S.W.I.F.T. SCRL (“SWIFT”),
Avenue Adèle 1, 1310 La Hulpe, Belgium. RPM Nivelles – VAT BE 0413330856
Copyright
SWIFT © 2012. All rights reserved.
You may copy this publication within your organisation. Any such copy must include these legal notices.
Disclaimer
This publication is for general guidance only. The information in it is therefore general, and should not be considered or relied on as
definitive advice. The information in this publication may also change from time to time. Please always refer to the latest available
version on www.swift.com.
Trademarks
SWIFT is the tradename of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT: SWIFT, the SWIFT logo, the
Standards Forum logo, 3SKey, Innotribe, Sibos, SWIFTNet, SWIFTReady, and Accord. Other product, service or company names
mentioned in this publication are trade names, trademarks, or registered trademarks of their respective owners.
56183 - SEP2012
SWIFT © 2012