Using Digital Certificates to Secure Sensitive Communications at UW-Madison

WHOOHANicholas Davis – DoIT Middleware

Overview• Old business processes vs. new

business processes• Protecting your electronic identity• Email security• Digital certificates defined• What digital certificates can do for

your department• How digital certificates can help

your increase security• Questions• Next Steps

Old vs. New Business Processes• UW-Madison has

historically relied upon manual business processes

• Transcripts, HR Data, Contracts, Research Data, Health Information, Financial and Accounting Information—all kept on paper

• Physically secure• Difficult to access,

replicate and distribute

Old vs. New Business Processes

• As the amount of information we manage has increased, we have turned to electronic information systems to help us organize and disseminate information in a more efficient manner

Old vs. New Business Processes

• Today, we send official documents as email attachments

• We send email and documents to group mail lists

• Access to information is much greater than it was in the days of manual processes

• With new technologies there are new threats

Protecting Your Personal Identity

• When you send a document, how does the receiver know it came from you?

• When you send an electronic document, wouldn’t you want the same assurance?

Email Security

• How secure is the email you sent this morning?

• What happens to an email once you click the “send” button?

• Network, Intermediary Servers, Receiving Email Server, End User’s Workstation

• Laptops!

Digital Certificates Defined• A digital certificate is NOT a software

application• A digital certificate is an “electronic

passport”, with special added features

• Proves your identity• Allows you to protect your

information with encryption• Functionality already built into

existing applications on your compter

What Digital Certificates Can Do For Your Department

• Provide electronic equivalent of pen and paper signature

• Proves that the document (Word, Excel, PDF, Powerpoint) came from you

• Proves that the document has not been altered from origianl form

Example

Example

Encryption• Protects your email from being

read and/or altered from the moment it leaves your computer

• Simple as “click and send”• In order to receive encrypted

email, you must have a digital certificate

• In order to encryption to work bi-directionally, both users must have digital certificates

Example

If The Encrypted Email Is Intercepted

Uses

• Signing official documents (and email) to prove authorship

• Encrypting sensitive emails and attachments

Think About ThisCould cause harm in

a critical situationCase Scenario

Multiple hoax emails sent with Chancellor’s name and email. When real crisis arrives, people might not believe the warning.

It is all about trust!

Case Scenarios To Be Avoided

• HR related email concerning Nicholas Davis is intercepted by someone on the campus network and sent to newspaper

• Laptop containing spreadsheet with SSN’s of all UW faculty is stolen at Moscow airport.

The Technology Is Trustworthy

• X.509 is the industry standard

• Used by National Security Agency

• Used in all Western European passports

• Used by GE, Raytheon, J&J, P&G

The Technology Is Managed• DoIT generates, distributes,

supports and manages the digital certificate program

• Our certificates are provided by Verisign, the most widely trusted issuer of digital certificates

• We keep copies—just in case

Questions, Comments• Nicholas Davis• ndavis1@wisc.edu (info)