Digital Certificate Management: Navigating Your Success

RSA Professional Services

In the following pages, we provide an easy-to-follow, step-by-step methodology for navigating your way to a successfully implemented digital certificate management solution from planning, through designing, building and integration, and on to final implementation and training. By following the helpful navigational points and recommendations in this guide, you will stay on the path to a successful implementation.

Web Access Management: Navigating Your Success

Table of Contents
I. Introduction
Creating a Trusted Environment for Your e-Business Overview of a Digital Certificate Management Solution Gaining Valuable Assurance from RSA Professional Services

1
1 1 2

II.

Planning
Point 1 Assessing Your Readiness Point 2 Identifying Resources and Defining Objectives Point 3 Developing an Implementation Road Map

3
3 4 5

III.

Designing, building and integrating

Point 4 Mapping Technology to Business Goals Point 5 Building and Integrating Digital Certificate Management Components

7
7 9

IV.

Implementing and training

Point 6 Launching Pilots and a Phased-in Rollout Point 7 Preparing Your Support Operations Point 8 Training Personnel

11
11 12 12

V.

Conclusion

13

Digital Certificate Management: Navigating Your Success

I.

Introduction
Overview of a Digital Certificate Management Solution
At the core of a public key infrastructure is a digital certificate management solution that creates and manages public and private key pairs. By using digital certificates to establish trust relationships among your internal and external users, you are able to provide a new level of security for your entire enterprise. For example, your RSA Keon CA can open the door to new e-business opportunities by providing a broad range of e-security capabilities, including: Authentication identifying with whom youre doing business, Confidentiality providing assurance that your information is kept private, Authorization enabling you to decide what is accessed by whom, Integrity ensuring that your transactions are not altered, Non-repudiation providing proof that transactions have occurred. Digital certificates are provided to end users and can be managed through web browsers, RSA Keon Web PassPort software or a variety of Smart Card and USB token systems including RSA Passage technology. The power and security provided by digital certificates can be quickly realized by your own certificate-enabled applications and by products such as RSA Secure e-Mail and RSA e-Sign. In addition, there are many other industry specific applications such as Adobe Accelio Capture FormFlow, Aventail Anywhere VPN and Lotus Notes that take advantage of digital certificates. For a complete list of RSA Keon CA ready products available from our extensive set of RSA Partners, see http://www.rsasecurity.com/partners/

Creating a Trusted Environment for Your e-Business

Trust. Its implicit in most business transactions; yet, how can you trust the electronic communications and transactions underlying e-business? While a handshake, paper purchase order or signed contract provide traditional methods for validating and enforcing a transaction, they simply dont apply to the world of e-business. Unsecured electronic communications sent over the public space of the Internet can be intercepted, misdirected or forged. In this open environment, how can you establish trust and, more important, how can you insulate your business from undue risk? Digital certificates are part of a Public Key Infrastructure (PKI) that can protect your business with a pervasive shield against fraudulent or criminal activity throughout your enterprise. Digital certificates are the essential foundation for establishing trustworthy identities and managing the related encryption keys that form the basis for those identities. By choosing RSA Keon certificate authority (CA) software and other RSA certificate management products, you can bring a new level of trust to your e-business by employing digital certificates to help ensure that all online communications and transactions are properly authenticated, private and legally binding. To be fully effective, this technology must be woven into the fabric of your information system environment a task that can be challenging and far-reaching. As you prepare to undertake a certificate management implementation, it is important to consider the many issues that can affect your success. It is equally important to determine the best approach for implementing this new technology within your organization you can choose to build and manage the solution in-house, outsource the infrastructure and management to a trusted partner or employ a combination of the two. Today, there is a spectrum of choices depending on your objectives, staff and resources, time-to-market requirements and budget. This guide will help you gain a clear understanding of the many considerations you face and lead you step by step through the implementation process to a successful introduction of this new, trust-enabling technology.

Of all the providers we talked to, only RSA Security offered everything we were looking for: industry-leading technology, proven implementation expertise and a willingness to really listen and accommodate our needs.
Anna Berglund Senior Product Manager, PKI Bankgirocentralen BGC AB / Devise Business Transactions Sweden

RSA Professional Services

Digital Certificate Management: Navigating Your Success

Your initial implementation may be as simple as issuing your own digital certificates for authenticating and encrypting links between your SSL-enabled applications. Or, your business goals may require you to issue and manage digital certificates for each of your employees, customers, vendors and partners in order to provide a broad scope of secure, trusted e-business applications that link and integrate the business activities of your entire organization. A thorough assessment of your requirements and agreement within your enterprise on the goals for certificate usage are the first steps toward a successful implementation. If you havent yet completed these tasks, consider using the expertise of an RSA Professional Services consultant to assess and document your requirements and to facilitate reaching organizational agreement on your goals. However, whether your goals are large or small, you need an effective process for implementing the e-business security capabilities that a certificate management system can provide. This document details a basic methodology for accomplishing this result. The following steps are the key points of the methodology: Review and validate the business deliverables and requirements that define your goals for your use of digital certificates, Assemble team and develop a plan for implementation, Design your digital certificate management solution, including both the technology and the processes that support it, Next build the physical components required and integrate these with your core enterprise systems, Implement certificate-enabled applications so that this new technology effectively supports your business goals, Train your users in effective use of the new technology and processes. For small-scale, simple uses of digital certificates, your implementation project may be relatively quick and easy, accomplished in weeks or a few months. However, as the scale and complexity of your goals for digital certificate usage increase, so too will your implementation project.

Your certificate management solution will tie into many elements of your information technology infrastructure: your network, directory and application systems and may ultimately touch each of your end users whether they are internal (employees, temporaries, contractors) or external (customers, vendors, partners). As the numbers associated with each of these areas grow, the most difficult task of your implementation then shifts to communication and support rather than in designing and physically implementing the core components of your certificate management infrastructure.

Gaining Valuable Assurance from RSA Professional Services

Throughout your implementation process whether you use in-house resources or out-source the project RSA Professional Services stands behind you. We provide a full range of services for every critical step in the process, drawing on our breadth of experience to align your technology investments with your business requirements. Our services are designed to provide the level of detail you need to make informed decisions regarding technology investments and to address the reality that you may need assistance at multiple points in a projects life cycle. Working within the context of your unique requirements, we tailor our services to suit project scale and application-specific needs helping to ensure the success of your certificate management project. RSA Professional Services focus areas include: Planning to help ensure that your security strategy is aligned with business and IT objectives, Designing, building and integrating to provide you with a timely, cost-effective solution that is a part of your critical security and e-business infrastructure, Implementing to help reduce business risk, Training to augment in-house expertise. As you proceed with the task of implementing your certificate management solution, careful attention to each of these areas will result in a smoother, faster and more cost-effective solution. In the following pages, we provide important guidance and recommendations to help you navigate through the complex issues you must address in each phase of an implementation project from planning, through designing, building and integration, and on to final roll-out and training.

RSA Professional Services

Digital Certificate Management: Navigating Your Success

II.

Planning
During the planning stage, you and your extended implementation team must analyze these factors and map them to your business requirements, establishing a solid foundation for the remaining steps. A look back at your enterprises prior experience in implementing other applications that affected large numbers of users such as e-mail or virus protection can also provide insight and useful guidance in planning your certificate management implementation.

In many ways, planning is the most extensive and important phase of your implementation. Planning allows you to identify the critical resources required at each stage of the project. It provides you with the tools needed to engage all members of your extended team. And it helps avoid pitfalls that could jeopardize your success. Especially with a technology that touches many parts of your IT infrastructure (such as certificate management), it is critical to have skilled technology experts on your team to help plan and architect the right solution for your business. RSA Professional Services can guide your organization through the essential planning process, providing you with a fundamental profile of your current state of e-security, an assessment of your current and future needs, an accurate risk assessment and a realistic road map to help you achieve your objectives. Whether you take on the task of planning your certificate management implementation with internal resources or work with a consultant, it is important that your team have a clear understanding of the key drivers affecting the overall effort and timeframe required to achieve your goals. These drivers include: The structure of your certificate architecture and the processes you choose to create and administer certificates (in-house or out-sourced), The general architecture you choose for certificate management implementation and support (centralized or decentralized), The number and types of applications that you will certificate-enable (e-mail, VPN, web sites, mission-critical applications, etc.), The number of end users who will be issued personal certificates (thousands, tens of thousands or hundreds of thousands), The types of end users who will be issued personal certificates (employees, partners, customers), The types and methods of integration required between your certificate management infrastructure and other information and security systems.

Point 1 Assessing Your Readiness

A critical part of planning is assessing your state of readiness and reviewing the factors that affect your ultimate success, as described below.

Management and Organizational Buy-in

Incorporating a certificate management solution into your information system infrastructure may ultimately impact each user and application system within your environment. Therefore, you need the buy-in and support of senior management from each of the key organizations within your enterprise; this helps to ensure that you have the support and commitment needed for a smooth implementation. To foster this buy-in, it is important to provide each organization with a clear understanding of your strategic goals, an estimate of the resources youll need, an evaluation of potential effects and expected benefits.

Communications and Change Management

The introduction of RSA certificate management products to your enterprise brings a number of changes, potentially affecting everything from the way users interact with their desktops, to how your enterprise interfaces with employees, customers, vendors and partners, to the support needs of new systems and operational processes. Unfortunately, change can be disruptive, so it is important to communicate effectively to make sure this change is accepted positively. To prepare the various organizations and end users in your enterprise, you must clearly communicate what is changing and what each individual and organization needs to know about the change. Accordingly, a well-designed and well-implemented communications plan is a must for success.

RSA Professional Services

Digital Certificate Management: Navigating Your Success

Network and System Infrastructure

Your new certificate management system is built upon your existing network and information system infrastructure, and depends on the capabilities and reliability of each of these components. To effectively support certificate management, you must carefully examine network performance and reliability, user administration systems, system operational procedures and your end-user support capabilities. It is essential to ensure that these elements are functioning well and are prepared to provide the additional capabilities and capacity your new certificate management system requires.

Project management
Implementation projects of any complexity require strong planning, organization and coordination. In addition, most certificate management implementations are composed of a multitude of individual and cross-organizational tasks that require careful coordination to accomplish your business goals and achieve your roll-out schedule. Therefore, it is critical to assess your project management capabilities before beginning the implementation process and determine if outside assistance is needed to provide guidance and oversight or to augment in-house capabilities. This is an area in which RSA Professional Services can provide strong experience to coordinate your successful implementation of RSA Keon CA software and help you avoid known stumbling blocks.

Technical Expertise
Development of your certificate management system as with other security systems requires a broad range of expertise that must encompass both a big picture and a technically-detailed understanding of your security systems and the surrounding environment. In fact, the quality and success of your implementation depends largely on the expertise of the individuals who build and support it. Therefore, you must assemble a team of resources with the necessary technical knowledge and experience. If drawing from internal staff, you will need to ensure they have the necessary skills or implement a plan for developing those skills. Alternatively, you may choose to draw on the assistance of an outside consultant or a managed service that includes implementation and support. Regardless of your approach, you can count on the expert assistance of RSA Professional Services throughout the implementation process.

Point 2 Identifying Resources and Defining Objectives

In preparing for your digital certificate system implementation, you must first lay the foundation by assembling the right teams, developing clearly stated objectives and setting policies.

Identifying and Preparing the Core Team

Your core team should include members of the information security team and representatives from other organizations that are critical to designing, building and maintaining your public key infrastructure. The number and specific source of these individuals will vary depending on the size of your implementation and whether you choose to use in-house staff or out-source portions of the project. Regardless of the source of your team, the following functional roles are required for a successful implementation: Senior management sponsorship, Project management, Security system architecture, RSA Keon CA system architecture, Server operations for certificate authority, registration authority and other certificate management components, User registration and certificate administration, End-user support, Communications and change management.

Support for End Users

Once you begin using digital certificates, you can expect a settling-in period during which the acceptance and comfort level of end users will be proven. During this period, end users are likely to have various questions and issues. Therefore, proper planning includes ensuring that your support structure including help desk, desktop support and so on is appropriately staffed and trained to handle these additional inquiries.

RSA Professional Services

Digital Certificate Management: Navigating Your Success

Validating Digital Certificate Requirements and Goals

Before implementing a digital certificate solution, ensure that you have clear management approval of your business requirements and the goals, objectives and metrics for your implementation project. Acceptance and support by key executives and organizations is critical. In addition, these project essentials will be needed to measure the progress and success of your implementation.

Identifying and Engaging Your Teams

Because a certificate management system is so far-reaching, it is important to augment the core team with an extended implementation team that includes individuals who have expertise from a broad cross-section of your enterprise. Depending upon the scope and scale of your digital certificate usage, this extended team should provide the following knowledge and expertise: Network systems to assist with RSA Keon CA architecture development and end-user account management planning, Directory systems to assist with integration of RSA Keon CA with your enterprise directory services, Smart card systems to assist with integrating digital certificates with smart card devices (if used), Desktop systems to assist with integrating digital certificates with end user desktops, Server operations to integrate and manage RSA Keon CA Certificate/Enrollment /Administration Servers with other server operations, Web server operations to assist in integrating digital certificates as authentication means for web servers (if used), Application systems to assist with certificate-enabling application systems (if used), Systems programming to develop custom integration tools for certificate management system (when required), End user support to prepare help desk organization for their support role, Certificate administration to prepare certificate administrators for their role, Quality assurance to assist with desktop, server and process quality assurance, Documentation to develop custom documentation for operations and support , Communication tools to develop communication tools such as presentations, posters and brochures.

Developing a Certificate Policy and Certification Practices Statement

A public key infrastructure is based on a collection of technologies and processes that together, provide a secure, trusted environment for management of your information assets and business transactions. Your Certificate Policy and Certification Practices Statement establish the framework on which your entire public key infrastructure is built. These two documents detail the processes that are used to measure the trustworthiness of your system for both you and the applications and organizations that will rely upon it. In many environments, these documents have legal ramifications, so ensure that you either have the experience required to develop them on your own or call on the expertise of RSA Professional Services.

Point 3 Developing an Implementation Road map

The effort spent in planning and organizing your certificate management system project will be repaid many times in the results achieved. A carefully developed plan provides a clear road map that guides your implementation team through the complete process required to meet your objectives.

Organizing the Project and Work

A project plan with a work breakdown structure details the high- to mid-level tasks required to achieve your implementation goals. It is an essential tool for managing your project, providing the framework for assigning task responsibilities to specific individuals and estimating the effort and duration required to accomplish each task. Whether you develop a project plan internally or work with a consultant, you will also need a full set of project standards, control mechanisms and communication methods that reflect the size and complexity of your particular implementation. Your core team must play a key role in developing and reviewing these documents.

RSA Professional Services

Digital Certificate Management: Navigating Your Success

In addition to the extended team, you should assemble a stakeholder team to periodically review progress and issues related to the certificate management system implementation. This team generally includes senior representation from key organizations, such as the following: Executive management / sponsorship, Business management, Legal, Information and network systems management, Application systems (affected), End user support, Enterprise communications, Out-sourcing organizations, Vendors (including RSA Security).

Developing Pilot and Implementation Plans

Pilot projects are an important step in preparing for a production rollout. A pilot plan should identify pilot groups and the requirements for conducting and evaluating pilots early in the planning stage. Similarly, anticipated plans for production rollout whether by geography, business unit, functional unit or other phasing should be tentatively laid out. Ultimately, these plans must be meshed with the certificate management architecture and infrastructure development schedule to provide your final production rollout scheme in the time frames required. Pilots are discussed in more detail later in this document.

Developing Communications and Change Management Plans

Communicating information about your project to end users and key stakeholders will prepare them for the changes that digital certificates will bring, and it will educate them on new skills needed to effectively utilize this new technology. A communications and change management plans must address the following important areas: Themes or core messages of the implementation, Branding and standard terminology used for all communications, Audiences and specific communication tools used to reach each audience , Schedules for communication releases and events. With a well-constructed set of plans, you are now ready to begin designing, building and integrating your certificate management system.

Developing Operations and Support Plans

Your core team must work with the appropriate members of your extended team to develop operational plans that address system operations for your RSA Keon CA certificate management servers, end user accounts and digital certificate administration, as well as end user desktop and help desk support. These plans are developed in conjunction with the digital certificate management architecture and define the complete spectrum of processes that are needed to build and manage your production environment.

RSA Professional Services

Digital Certificate Management: Navigating Your Success

III. Designing, Building and Integrating

After the planning phase is completed, you need experienced resources to ensure a solid execution. Experienced security practitioners from RSA Professional Services are ready to assist you every step of the way, whether you plan to use internal resources or engage a third party. Our extensive expertise in designing, building and integrating best-ofbreed solutions for complex multi-vendor environments provides the added assurance that your certificate management system will perform as expected from day one and will continue to meet your objectives as your needs evolve over time. This effort requires highly specialized skill sets to accommodate new and emerging technologies while best optimizing investment protection.

Defining the Certificate Architecture

Your certificate architecture describes the structure and operations that establish the basic trust and identity relationships for your PKI environment. The Certificate Policy and Certification Practices Statement developed during the planning stage will guide your architecture decisions and provide strategic direction on how you to use digital certificates within your enterprise. Your certificate architecture should address the following considerations: Signing hierarchy and jurisdictions, Certification structure and conventions, Certificate validation through published certificate revocation lists (CRLs) or online certificate status protocol (OCSP) responders, Certificate life cycle management, Certificate and CRL archiving, Key recovery methods and processes (if required).

Point 4 Mapping Technology to Business Goals

During the design phase of the process, the components of your certificate management system solution are mapped to your business requirements and information system infrastructure. This mapping helps clarify the tasks and methods needed for final implementation. This stage of implementation requires a clear understanding of your digital certificate usage goals, your existing information system infrastructure and RSA Keon CA capabilities. Be sure that your core and extended implementation teams have strong technical expertise and experience to address these needs. RSA Professional Services can provide valuable assistance to both in-house and out-sourced resources to develop a secure certificate management system infrastructure and RSA Keon CA technology configuration that will support your enterprise.

Developing the RSA Keon CA Server Architecture

RSA Keon CA offers a wide range of capabilities and has specific requirements to help ensure its secure and reliable operation. Servers are required for certificate generation, storage, administration, enrollment and logging as well as for OCSP transactions. The architecture for these servers must be integrated with your existing information system environment to provide a digital certificate management system infrastructure that is secure, reliable and responsive. To accomplish this, the following factors must be considered: Functional capabilities required to meet business goals, Server platform hardware /software requirements and configurations, Hardware security module integration (if used), Server and network topology, Server software security requirements, Server physical security requirements, Server redundancy and fail-over requirements, Private key and certificate protection requirements, Directory services integration, Smart card production integration (if used), Other enterprise system integration (such as HR or user account management and administration), Auditing and monitoring.

RSA Professional Services

Digital Certificate Management: Navigating Your Success

Determining the Certificate Delivery and Management Method

Digital certificates, whether used to provide security for devices or end users, must be delivered, installed and managed. For end users, the typical methods available for securing and using certificates are: Standard Internet browser RSA Keon Web PassPort software Smart Card (RSA Passage) USB Token Each of these methods provides a different level of security and functionality and each requires a different set of components and processes to implement. A simple, reliable and secure means of accomplishing the delivery and management functions for each method required must be designed. RSA Professional Services can assist you in determining which options are best suited for your requirements and can then guide you in designing the processes to implement and maintain each.

Designing Certificate-enabled Applications

Many certificate-enabled applications are available off-theshelf. Applications such as RSA Secure e-Mail, RSA e-Sign, and RSA Keon Web Sentry products provide powerful, effective, quick-to-implement solutions that utilize the capabilities of digital certificates. Many other applications are also available from our extensive set of RSA Partners (see http://www.rsasecurity.com/partners/) and from other application providers. However, critical legacy or in-house developed applications will require customization in order to utilize digital certificates in place of existing security methods. This design requires a thorough knowledge of the application coupled with expertise in utilizing security and cryptographic toolkits such as RSA BSAFE encryption technology. A cooperative effort between your application support specialists and RSA Professional Service software engineers is a proven method for ensuring that this work is accomplished in the most effective manner.

Designing Your Communications Tools

The size and complexity of your user base, along with your communications plan, determines which tools are best suited to prepare and educate your users. Communication tools that should be considered for both broad coverage and targeted members of your user community include the following: Presentations (management, technical and end user), Articles (enterprise/departmental newsletters), Brochures (primary end user training tool), Web sites (technical and end user information), Videos (user familiarization, executive support), System log-on messages (awareness building), e-Mail (executive support, end user information).

Smart Card / USB Token Production (if used)

Smart cards and USB tokens are capable of providing a highly secure and portable method of providing digital certificates to end users. In addition, these devices can offer a multifunction capability that provides for additional employee information, passwords, authentication methods, physical access and more. Development of a complete smart card or USB token production system is a significant sub-project of your digital certificate management system implementation. This subsystem requires additional hardware, software and importantly a physical distribution system for providing these devices to your end users. Also important are the methods and tools required for requesting, creating, delivering and integrating unique digital certificates into the smart card prepared for each user.

RSA Professional Services

Digital Certificate Management: Navigating Your Success

Evaluating and Testing Your Technology Components

To guide initial implementation, as well as the ongoing management of your certificate management environment, it is important to develop a test environment that can thoroughly evaluate the capabilities of your system design and key elements of your production environment. Testing will help either your internal staff or your out-sourcing organization to gain confidence and experience in installing and administering RSA Keon CA servers, as well as to help ensure that the design, configuration and integration choices are appropriate for your environment. In addition, the test environment continues to be important after initial rollout, providing a means to test and evaluate new versions of software and hardware components thoroughly before introducing them into the production infrastructure.

Building and Testing Your Digital Certificate Management Production Infrastructure

Implementing an RSA Keon CA architecture and design may require the installation of servers spread across the geographical reaches of your organization. It may require a mechanism for installing and maintaining desktop components such as RSA Keon Web PassPort software on each end users system. In addition, if the implementation design calls for pre-production of large numbers of digital certificates or smart cards, this task must also be performed prior to production rollout. In a large enterprise, this process will require the effort and cooperation of multiple organizations, while for a small organization, it may be accomplished with only a few phone calls. In either case, thorough testing of the digital certificate infrastructure for reliability and performance is essential before beginning an enterprise-wide rollout.

Point 5 Building and Integrating Digital Certificate Management Components

As the design of your digital certificate management system solidifies, the task of building and integrating each of the technology and process components can begin. The complexity and effort required for each of these tasks depends greatly upon the scope of the implementation. Very small implementations may require only weeks of effort, while large enterprise implementations which address many applications may require many months. In the following paragraphs, we provide important guidance to help ensure these stages of implementation proceed smoothly and successfully.

Building Custom Certificate-enabled Applications

Your solution requirements may dictate customization of existing applications to provide for use of digital certificates. Design and coding of these modules requires a thorough understanding of the applications security mechanisms, as well its overall architecture. With this knowledge, a systems programmer can utilize a security-enabling toolkit such as RSA BSAFE to certificate-enable most applications. The effort required to accomplish this work will be highly dependent upon the complexity of the application and the skills and experience of the system programmer. Training and guidance from a RSA Professional Services software engineer has proven to be an effective method for ensuring the success of this customization.

Assessing Your Information System Infrastructure

A digital certificate management infrastructure depends on a network, server, desktop and support environment that provides stability and responsiveness. As the building process of your new RSA Keon CA infrastructure begins, it is critical that your internal staff or out-sourcing organization assess these areas and work with their owners to ensure that the capabilities you require are in place before production implementation.

Integrating RSA Keon CA with Other Information and Security Systems

When integration with other information and security systems is required, RSA Keon CA provides native integration capabilities to simplify the process. Its open architecture provides access to a powerful API which can link to other components of your information management environment, including the following: Customized registration authorities, Smart card production systems, User access management systems.

RSA Professional Services

Digital Certificate Management: Navigating Your Success

Building and Testing User Administration Processes

The effectiveness of your certificate environment will depend heavily on the people and processes used to manage the certificate life cycle for your end users. This is accomplished by using the capabilities of the RSA Keon CA together with manual and automated methods to enable the process of requesting, issuing and managing personal digital certificates. Certificate Administrators play a key role in this process, as can RSA Keon Web PassPort technology, which simplifies the enrollment process through integration with existing system, such as human resources databases or RSA SecurID technology. Ultimately, it is best to integrate digital certificate user administration with other systems, such as network, remote access and business applications to provide a seamless process for users and administrators.

Preparing End User Support Organizations

Help desk and desktop support groups are critical to implementation of digital certificate solutions. As digital certificate-enabled applications grow in number, calls to the help desk for username and password problems should diminish; however, during initial implementation of digital certificate usage, the individuals within these organizations must be prepared to handle the end user access, usage and system problems that will invariably arise (regardless of how carefully users are educated and systems tested). Support resources must be well trained and provided with the opportunity to use RSA Keon CA capabilities for their own needs before they can effectively support the extended user base.

Building Communications Tools Building and Testing Server Operations Processes

Since your digital certificate management system will quickly become a critical component of your information system infrastructure, server operations for RSA Keon CA must be built on a set of processes that provide production-level support for end users. It is important to ensure that the following processes are in place: Daily server management, Physical security, Secret/sensitive key protection, System performance monitoring, System backup and recovery, Auditing and monitoring activities. To build the communications tools needed to inform and educate the enterprise and end users about the new digital certificate management environment, you will likely require the skills of organizations and individuals outside the Information Security team. Content development, design, graphics and multimedia skills are typically needed to produce professional and effective communications tools. Therefore, ensure that you have engaged your in-house communications group or a qualified service vendor to assist with this important task.

RSA Professional Services

10

Digital Certificate Management: Navigating Your Success

IV. Implementing and Training

Final implementation of your digital certificate management system even within a small enterprise should be based on a multiple-phase rollout. Pilots and a step-by-step production rollout aligned with business goals and organization structure will help to ensure that digital certificate usage is integrated into your production infrastructure in a smooth and supportable manner. Moreover, effective training will provide rapid ramp-up of staff and lasting value of your investments. Technical expertise and dedicated project management are essential to staying on schedule and within budget and it is during the final implementation phase when you will most likely need to seek outside assistance. To support your in-house staff or an out-sourced organization, RSA Professional Services provides a full range of services from local installation to global rollout that will align people, processes and products for fast, precise deployment of your solution. In addition, you can count on a comprehensive range of training options available from RSA Educational Services and our global network of Authorized Training Partners.

Point 6 Launching Pilots and a Phased-in Rollout

As you embark on final rollout of your digital certificate management system, it is important to consider the role of pilots and a phased rollout to help ensure that the new system is meeting stated goals every step of the way.

Introducing New Systems with Pilot Projects

A pilot project is a time-tested method for introducing new systems. Pilots serve as a test bed for not only the new technology being implemented, but also the processes and infrastructure on which this technology depends. RSA Keon CA makes it fast and easy to begin the pilot process. Depending on the size of the overall implementation, some or all of the following pilot phases should be employed: For each pilot, a test plan and acceptance criteria should be developed to address the readiness of each of the following areas appropriate to that stage of pilot: Communications process, Certificate roll-out process and usage, Help desk and desktop support, System integration processes, RSA Keon CA system operations, System performance.

Recommended Pilot Group

Information Security Team and IT users (10 25)

Systems Piloted
Lab

Pilot Objectives
Acquaint implementation team with capabilities and daily operations required. Test production system infrastructure and familiarize support groups with system. Test production system infrastructure and user support. Test production system infrastructure and user support for remote users.

QA, help desk, desktop Technicians (10 25)

Lab or Production

Typical End Users (Local, 50 200)

Production

Typical End Users (Remote, 50 200)

Production

RSA Professional Services

11

Digital Certificate Management: Navigating Your Success

Phasing in a Production Rollout

Based on the success of the pilots and the operational experience of the support team, production implementation of your digital certificate management system can begin. The appropriate production rollout phases for each enterprise will depend on its business goals and organizational structure. Ideally, those groups that will receive the greatest benefit from the new technology and are easiest to support, should be implemented first. Implementation can be organized along one or more of the following structures: Broad user base (internal, external), Organizational (divisions, regions, vendors), Geography (U.S., Asia, Europe), Application (e-mail, VPN, web server, custom certificate-enabled applications), Functional (Sales, Engineering, HR).

Point 8 Training Personnel

Technical training and certification is central to bolstering your e-security profile and building staff competency. RSA Educational Services offers a wide range of training programs to support your needs from the planning stages through final implementation and ongoing operation. Technology professionals will want to take advantage of the RSA Certified Security Professional Program, which offers industry-recognized certifications that help increase expertise in enterprise security systems and establish credentials through independent certification testing. Product specialization for Systems Engineers, Certificate Administrators and Certified Instructors offer job-based certifications. In addition, RSA Securitys relationship with Virtual University Enterprises (VUE) and its 2,400 test centers in 110 countries provides convenient access to certification programs and ensures impartial testing.

Point 7 Preparing Your Support Operations

One of the goals of implementing a digital certificate management system must be to provide a stable, maintainable environment for this mission-critical component of an enterprises information infrastructure. The major operational considerations for meeting this goal include the following:

Training the Core PKI Team

Depending on skill set and experience of the individuals serving on the core PKI team, various training options may be appropriate. In particular, individuals who are unfamiliar with PKI and RSA Keon technology should attend the following formal training classes provided by RSA Educational Services: RSA PKI Foundations

Providing 24 x 7 Support
Like other mission-critical enterprise systems, this system requires a 24 x 7 support structure. In most cases, information security personnel and end user support personnel must be available or on call to handle any serious problems with components of the RSA Keon CA or desktop environment. In particular, if RSA Keon Web PassPort software is used to authorize each desktop logon, then users will be affected if both primary and fail-over server systems are inoperative.

RSA Keon Core PKI Installation and Administration RSA Keon Core PKI Installation and Configuration RSA Keon Web PassPort Installation and Configuration This critical technical training is provided at RSA Training Centers in North America and Europe and can be customized or provided at your site when required.

Training Technical Support Personnel Controlling RSA Keon System Revisions

As patches, revisions and new releases of RSA Keon CA software are made available, they must be incorporated into the test and production system environment. This helps to ensure that the security, reliability and capability of RSA Keon CA system components are optimized. Generally, system revisions should be introduced to the test environment before placing them in production, but the criticality of each change must be evaluated to determine the specific method and timing. Keeping information security, help desk and desktop support personnel trained on new features, problems or resolution techniques is an ongoing process. The information security group can stay abreast in these areas using the RSA SecurCare system and new product training provided by RSA Sales and Sales Engineering support. The appropriate portions of this information should be passed on to other support groups as needed. Any new personnel within these groups will also require training to prepare them for their support responsibilities. The in-house training tools developed for initial implementation training should be kept up-to-date and used together with RSA Securitys standard classroom offerings to train new personnel as they join the organization.

RSA Professional Services

12

Digital Certificate Management: Navigating Your Success

V.

Conclusion

A public key infrastructure is truly an enterprise environment, one that ultimately touches every employee, customer, partner, mission-critical application and much of your information system infrastructure. As discussed, implementation of an enterprise-wide digital certificate management solution requires policy, process, people and, of course, a suite of technology components. A digital certificate management system is not difficult to implement but success does not come as a shrink-wrapped package. Therefore, it is critical to determine your strategy for implementation in advance whether to tackle the process using in-house resources, out-sourcing everything to a third party or using combined in-house and out-sourced resources. Regardless of the approach you choose, it is fundamental to your success to employ a well-structured process that incorporates planning, followed by designing, building and integrating, and culminating with a phased implementation and training. By carefully considering the issues discussed in this document, as well as others specific to your environment and particular business needs, you can succeed in adding a powerful security enabler digital certificates to your information system infrastructure.

RSA Professional Services Your Partner for Success

RSA Professional Services works in partnership with you to help ensure the security of your entire enterprise. We offer a full complement of professional services, including Security Planning and Project Management Services, Architecture and Design Services, Custom Application Development and Implementation Services that can provide the leadership and assistance required to make your project a success. Specific to the implementation of RSA Keon CA and your digital certificate management environment, we offer the following services:

Planning Services
Digital certificate and business goals assessment Certificate Policy (CP) and Certification Practice Statement (CPS) development Project work breakdown and staffing plans Communications and change management plans Operations and end user support plans Quality control plans Pilot and production rollout plans

Design, Building and Integration Services

Certificate architecture and management design RSA Keon CA architecture design RSA Keon CA customization and integration Certificate-enabling applications design-in security using RSA BSAFE Operational and end user support design Communications and change management design

Implementation Services
RSA Keon CA installation and configuration Pilot and production rollout assistance

Training Services
Operations and end user support training

Project Management Services

Monitoring, measuring and reporting of project progress Change control and risk management Vendor and cross-organizational resource coordination For additional information on any of our service offerings, please contact your RSA Security sales representative or RSA Professional Services directly. In the Americas: 1-877-RSA-4900 In the UK: +44 (0) 1344 781 318. Send e-mail to proservices@rsasecurity.com.

RSA Professional Services

13

Digital Certificate Management: Navigating Your Success

Notes

RSA Professional Services

14

Digital Certificate Management: Navigating Your Success

Notes

RSA Professional Services

15

Digital Certificate Management: Navigating Your Success

About RSA Security

With thousands of customers around the globe, RSA Security provides interoperable solutions for establishing online identities, access rights and privileges for people, applications and devices. Built to work seamlessly and transparently in complex environments, the Companys comprehensive portfolio of identity and access management solutions including authentication, Web access management and developer solutions is designed to allow customers to confidently exploit new technologies for competitive advantage. RSA Securitys strong reputation is built on its history of ingenuity and leadership, proven technologies and long-standing relationships with more than 1,000 technology partners.

Additional Information
For additional details regarding this integration please visit http://www.rsasecurity.com/support/impguides/index.asp to review the RSA Security Implementation Guides. For additional information on any of our service offerings, please contact your RSA Security sales representative or RSA Professional Services directly. In the Americas:1-877-RSA-4900 In the UK: +44 (0) 1344 781 318. Send e-mail to proservices@rsasecurity.com. 174 Middlesex Turnpike, Bedford, Massachusetts 01730 Main Number: 781.515.5000 International Calls: Refer to our web site for specific countries. e-Mail: Proservices@rsasecurity.com Web Site: http://www.rsasecurity.com/services

BSAFE, Keon, RSA, RSA Security, SecurCare, the RSA logo and SecurID are registered trademarks or trademarks of RSA Security Inc. in the United States and / or other countries. All other trademarks are the property of their respective owners. Keo2003 RSA Security Inc. All rights reserved.

DCMNV GD 0503