How Much Do Banks Spend on PKIs and Encryption

When you think of data that 100% needs to be encrypted, what comes to mind? How about financial data? When your bank sends sensitive financial info about your clients to other institutions, what are you doing to secure that data? Chances are, you’re using keys generated by your in-house PKI, or Public Key Infrastructure, to encrypt financial messages as they move throughout your back-office ecosystem and reach their eventual endpoints (whether that’s the SWIFT gateway or another similar system).

The security certificate and identity verification provided by a PKI is foundational to the security of the financial data sent around the world every day. But has the PKI outlived its usefulness? Is there a less costly way to ensure your data is securely encrypted and verify the identity of who sent it? Let’s start with an intro to the basics of PKI and the costs associated with implementing this encryption technology. Then we’ll get to how you can reach the same level of security while improving your bottom line at the same time.

Public Key Infrastructure: An Overview

PKI is the most prevalent system in place for the creation, distribution, and storage of encryption keys and certificates. These keys are used to encrypt data pre-transmission and decrypt it upon receipt. Encryption keys also provide verification as to the identity of the sending party to ensure everything is on the up-and-up. With a PKI in place, senders use their private key, generated at the time of transmission, to encrypt the data to be sent. When received, the receiving system uses a linked public key to decrypt the data and verify the sender identity.

All of this is handled by centralized services known as the Certificate Authority (CA) and Registration Authority (RA), both of which are contained within the PKI. The keys are linked by the CA so a verified receiver can ultimately access the information. The private keys are used as a credential to sign the encrypted files and are often stored on removable media like a USB key or smartcard for an added layer of security. If this device is lost or stolen, all keys generated by it can be flagged by the CA as invalid, thus stopping their use and rendering any files stolen unreadable.

PKI basic structure

All of this key management, identity verification, etc. is handled by the CA, RA, and a central repository for the storage of active and archived keys. This combination of tools is what comprises the PKI.

A simplified workflow for sending confidential data looks something like this: at the time of transmission, the sender’s private key is generated by the PKI (possibly via that USB key or smartcard) and linked to a paired public key by the CA. Both of these keys are then linked to the sender’s identity in the RA.

On the other end, the receiver checks that the identity matches and uses the public key to decrypt the transmitted data. As a matter of course, the CA also handles the decommissioning of keys due to expiration or in cases where the validity of a key is in doubt. All of this occurs with minimal input from human agents and is often automated via a managed PKI solution. More on that in a moment.

PKI for Banks and Financial Institutions

The broad-stroke steps mentioned above hold true for financial data transmissions as well as emails or messages via any encrypted network that uses a PKI. However, there are some aspects worth highlighting here. First, the three primary functions of the PKI remain the same:

  1. Authenticate sending account
  2. Verify the integrity of the data sent
  3. Prove sender identity

Authentication of sender account information means the receiver can be assured the sender is who they claim to be. This is accomplished by comparing the signed certificate from the CA against stored identity data in the RA. The verification of data integrity is ensured when the public key used to decrypt the data works.

In cases where the data was intercepted and/or manipulated in any way, this relationship would be broken and the public key would no longer work to unlock the data. In encryption schemes, this is called non-repudiation, and it means you have the ability to prove the data was sent by who it purports to have been sent by. This is, once again, done by comparing signed certificate data with the identity data stored in the RA database. This final step differs from the first in that it is the data integrity itself that is being verified rather than the identity of the sending party.
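The receiver-side checks described in the overview and in this section can be shown end to end. The following Go program is an added example, not code from the original page or from any product it mentions: the sender signs with its private key, and the receiver accepts a message only if the sender's certificate chains to the trusted CA, its serial is not revoked, and the signature verifies against the certified public key. The names `issue`, `Accept`, `Demo`, the subject `bank-a.example`, the Ed25519 keys and the in-memory revocation map (standing in for a CRL or OCSP lookup) are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue plays the CA: it signs a certificate binding cn to pub (a self-signed root when parent is nil).
func issue(cn string, serial int64, parent *x509.Certificate, pub ed25519.PublicKey, caKey ed25519.PrivateKey) *x509.Certificate {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		parent, tpl.IsCA, tpl.KeyUsage = tpl, true, x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, caKey)
	cert, err := x509.ParseCertificate(der) // also fails if issuance failed and der is empty
	if err != nil {
		panic(err)
	}
	return cert
}
// Accept is the receiver's check; revoked is an assumed stand-in for a CRL/OCSP lookup keyed by serial.
func Accept(ca, cert *x509.Certificate, revoked map[string]bool, msg, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil || revoked[cert.SerialNumber.String()] {
		return false // not issued by the trusted CA, expired, or withdrawn by the CA
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig) // fails if msg or sig changed in transit
}
// Demo runs three cases on constructed data: genuine message, altered message, revoked certificate.
func Demo() (genuine, tampered, revoked bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	bankPub, bankKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue("Example Root CA", 1, nil, caPub, caKey)
	bank := issue("bank-a.example", 2, ca, bankPub, caKey)
	msg := []byte("PAY 100.00 EUR (constructed message)")
	sig := ed25519.Sign(bankKey, msg) // only the holder of bankKey can produce this
	return Accept(ca, bank, nil, msg, sig),
		Accept(ca, bank, nil, []byte("PAY 900.00 EUR (constructed message)"), sig),
		Accept(ca, bank, map[string]bool{"2": true}, msg, sig)
}
func main() { fmt.Println(Demo()) }
```

Running it prints `true false false`: only the unaltered message from a certificate that is still valid is accepted.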

The Three Primary Ways to Implement a PKI

As with any security solution (or IT solution in general, really), there are multiple options for deploying a PKI for your institution. And as in most such scenarios, each option comes with its own set of plusses, minuses, and associated costs.

Self-hosted, or On-premises PKI

Hosting your own PKI internally gives you the highest levels of security and customizability. This entails building the solution from scratch, from acquisition of relevant hardware through configuring the software for your purposes and user needs. And it includes the maintenance and support of that solution for your users on an ongoing basis, of course. This option requires a robust security infrastructure to build on, experienced staffers who are already well-versed in PKI best practices, and the resources to maintain and support the resulting toolset.

Hosted PKI solutions

Option two entails outsourcing your PKI needs to a third-party vendor. In this scenario, all of the infrastructure and associated management tasks are farmed out to this trusted PKI provider, with the organization handling the integration of the keys generated into each product according to the needs on the organization’s end. Costs associated here are the initial and ongoing infrastructure licensing fees and generally an initial and recurring per-user fee.

Managed PKI solutions

And the third primary option is to use a managed PKI solution. With this option, institutions need to register each user with the managed service provider to assign them an identity and begin issuing keys. Most will have a multi-bank network in place so the keys created are configured to work across platforms, leaving minimal set-up or configuration to be up and running. Costs are generally lower with this option; however, since these solutions are scalable and run regardless of the geographical range covered by your users, even these fees can quickly escalate.

Cost Breakdown for PKI Implementations

On to the nitty-gritty. We’re using this report from SWIFT for numbers. They were focused on how much less their solution cost users, while we’re going to focus on the overall TCO they calculate for the various options discussed above. The usual caveat applies here: this is a single source of information and we mean for it to be used as a building block for you to use in your own research.

On-premises PKI costs

For a larger institution (defined as 20,000-100,000 users) using a self-hosted PKI, per-user costs were calculated to be 209 Euro (or ~$248 USD). This number represents the total cost of ownership on a recurring, annual basis, and accounts for all stages of implementation: acquisition, licensing, management, and maintenance/support.

Hosted PKI costs

For a smaller institution (1,000-10,000 users) that outsources its PKI to a third-party provider, per-user expenses came to 356 Euro (or ~$423 USD). These costs encompass the development and building of a custom PKI to meet the organization’s specific use case, management of CA and RA functions, monitoring and maintenance of centralized tools, as well as ongoing support for users.

Managed PKI costs

For each sample institution, using a managed solution could cut TCO by anywhere from 25-40% as maintenance and support are taken out of the equation. The report authors calculated that anywhere from 69-77% of TCO for PKI solutions goes to recurring annual maintenance and user support.

The p≡p Difference

p≡p is a true end-to-end, peer-to-peer encryption solution. This model cuts all centralized infrastructure completely out of the equation. Since encryption, decryption, and all key/identity management take place on-device there is no need for any expenditure on centralized monitoring, maintenance, or infrastructure to begin with.

By following the E2E, P2P model and removing the complexity of an in-house encryption infrastructure and the maintenance costs associated with it, your encryption scheme becomes so simple it will be invisible to daily operations (save for your audit logs). p≡p automates common tasks such as swapping expired keys for new ones, managing partner identities, and more in a decentralized way that doesn’t require a central key server or PKI. This automation cuts costs and complexity even further. And finally, by operating at the application level, there is no need for complicated, latency-causing encryption at the transport level. The result is both improved security across the back-office environment and improved efficiency.

The P2P model also drastically reduces your attack surface with its decentralized model. If a single end-point is attacked, the most a hacker will get away with is that single user’s key data and contact list. The results will have a minor impact on communications while a single member of the IT team deactivates that user’s identity and sets them up with a new one, but that’s all in terms of admin overhead. Contrast that with the hacking of a central PKI database. Here, the attacker has gained access to every active private and public key along with the identity database, CA, and RA for the entire organization. That will take some time, and a serious budget, to clean up.

Where the Cost Savings Come From

By using p≡p and taking advantage of its decentralized model, you eliminate infrastructure costs completely. Add to that the savings of only licensing one piece of software, zero hardware requirements (p≡p runs on all major server architectures and operating systems), and your TCO just plummeted.

In terms of the majority of costs associated with maintenance, with no new hardware required, no infrastructure needed, and an utter lack of systems to administer, your ongoing costs for running p≡p are barely above where they are now. Your IT and InfoSec crew can work the necessary monitoring into their daily workflow with minimal impact.

This lack of staffing requirements means no new hires are needed. The same goes for the P2P nature of p≡p: with no centralized repository to maintain, outer-layer security needs are minimized as well. Installation of p≡p is turn-key and leaves a minimal amount of configuration to be accomplished at the time of end-point install to be up and running.

All of that adds up to, or should we say subtracts down to, a bottom-line that saves you time, energy, and, most importantly for this discussion, money. Not only will your budget thank you, your users will too, as the E2E automated nature of p≡p also streamlines their need for specialized knowledge of encryption protocols and limits their interaction with the system to a bare minimum. All that plus the security that comes with knowing your confidential financial data is locked down and safe from intrusion.
