GlobalSign Blog

Why Your XaaS Company Needs PKI

Why Your XaaS Company Needs PKI

Before getting started, I wanted to quickly share with you what I mean by XaaS. When I talk about 'X' as a service I am including; software as a service, platform as a service, infrastructure as a service, identity as a service, communication as a service and much much more. Think of things like website creators, cloud hosted services where the subscription is accessed on a unique URL in the web browser, virtualized computing services over the internet, VoIP or internet telecommunications services. 

With today’s market for cloud-based services so fiercely competitive, it can be hard to stand out from the crowd. Managing a service that you believe in is great when you’re selling loads of it, but when you are just starting to launch it, you need key competitive differentiators which may be outside your normal offerings. 

I know this all too well and hear this every day from my customers and prospects. Product managers just want to make their product and service AMAZING. A place where customers never have to leave the platform, they can do what they need, with ease and to the point where they couldn’t imagine a world where your product didn’t exist. That’s the dream! 

I want to explain one very effective way you can take another big leap towards this dream by creating differentiation in your marketplace and getting everyone shouting about your new product feature – PKI (Public Key Infrastructure).

PKI is very much about encrypting and securing communications, something that’s on everyone’s mind these days. Security and privacy are becoming vital ingredients to any cloud-based service and your customers need them. Why not offer security built-in to your service?

In 2016, Gemalto published a report suggesting that consumers hold businesses responsible for data protection. Two thirds of respondents would be unlikely to shop/do business with an organization that experienced a breach where their personal or financial information was stolen. Just think of the huge loss Talk Talk had after their breach. They claimed it was £60m and 101,000 customers they lost, but the loss of reputation and integrity in the market is also a factor – it’s just more difficult to put a number on. 

If consumers are worried, you should be too. Because now, more than ever, your customers need to secure their data and be able to prove it. 

What Are the Business Drivers for PKI?

Before going into the discussion around how PKI can benefit your business, I want to discuss the business drivers for adopting PKI into your XaaS solution or service. 

As well as an increased consciousness around cybersecurity, your customers need assurance that they are protecting their organizations, users and customers when using your service. It is not enough to know that the data is encrypted because hackers can still intercept that traffic and pose as a trusted organization or entity. 

What Can Adding PKI to Your Service Do?

Web and Server Security –using SSL/TLS certificates to encrypt data and prove identity on websites being visited by customers.

  • Secure Email – Digitally signing and encrypting emails with S/MIME certificates to prove identity of sender and reduce phishing, email snooping and data loss.
  • Document Signing – Ability to digitally sign and certify PDFs or word documents with an identity to eliminate wet ink signatures, enable a paperless work environment and protect document contents from tampering.
  • Timestamping– Use a third party service to achieve non-repudiation around when a transaction took place. 

Legislation

One of the most compelling business drivers for PKI is, of course, legislation. Depending upon how your customers are using your service, there will be different legislation that they may need to adhered to. However, there are a couple regulations that will affect any and all organizations that do business in Europe. These are eIDAS and GDPR.

eIDAS

We have already posted plenty of content around eIDAS and what it means for businesses. So, without going over old ground, I will touch on the regulation from your customers’ perspective.

In a paperless office environment, a certain level of trust is needed. Similarly, a certain level of trust is needed if I sign a document with a pen and paper. You know the signature is mine but there is a small possibility of a forgery always involved. Digital Signatures give that added trust that a pen and ink signature cannot give. 

If I sign a document using a third-party-verified Digital Certificate that only I am in possession of, we can be sure that it was indeed me who signed the document. eIDAS requires all organizations to use Digital Signatures in this way and classifies two levels of assurance (advanced and qualified), which have a higher level of identity verification that PKI can provide.

As a result of this regulation, standard wet ink signatures will start to migrate over to certificate-based signatures in order to gain more assurance.

GDPR

The General Data Protection Regulation is one I expect to be fully on your radar already. It’s quite rare that a regulation this strong on privacy and data comes out. However, the point is to make a change to the way companies use and handle personal data. In order to make such a large shift in business patterns and behavior, regulation must be a driving force. 

The basics of the regulation are around the protection, transparency of processing and safe handling of EU citizen’s personal data (that is any one of several pieces of information that can identify an individual citizen). Penalties for non-compliance are cited as being 4% of annual revenue or 20 million EUROS, whichever is higher. 

As a XaaS provider, it will be vital to display not only compliance of the regulation on how you are handling and securing your customers’ data but the ability to implement innovative product solutions that can help your customers also be compliant with the regulation. If you haven’t already, now is a great time for a product meeting or road map.

Industry Regulations

Much like legislation, being compliant with industry regulations is a must for any businesses that wants to be doing business with its customers and be seen as trustworthy. If you work in a particular industry, the benefits of showing compliance with industry regulation in your service are a must! 

Some examples of regulations that will be affecting specific industries are PCI DSS (financial industry), UK Land Registry and Electronic Documents (Scotland) Regulations 2014.

The UK Land Registry, for example, has a new system which requires eSignatures to be certificate-based (Advanced Electronic Signatures under eIDAS) so that a conveyancing company can connect to the tool and control the platform and workflow.

Another example of something similar is the UK water and utilities industry. Water suppliers have been offered the ability to provide water to any commercial property as part of something called the Open Water Programme. In order to open up services, water companies must login to something called the Central Market Operating System (CMOS), for which authentication through a Digital Certificate is needed.

Risk Mitigation 

Every business comes with risks such as that of a data breach, a lawsuit or a cyber-attack. Businesses can be closed as quickly as they are opened if something goes wrong and that’s why we always need someone balancing the potential gains against the potential risks to decide where the business is directed. This is why many businesses conduct audits internally and through external industry regulators.

PKI is a great way to mitigate the risks I have mentioned above. It does this by encrypting communications and data transmissions, authenticating identities of users and other endpoints, and protecting data from being altered.

An example of this working today is an educational institution handing out qualifications where PKI is used to verify that the qualifications they are handing out are indeed real and cannot be falsified.

Best Practice

While best practice might not be the easiest driver to bring to the board, coupled with regulatory and compliance drivers, it’s a win.

Even if a regulation is not strictly enforced in an industry, compliance can be a huge benefit in the long term. If more companies were compliant with the Data Protection Act (DPA) then perhaps the workload for GDPR would have been cut in half.

Your customer’s are looking for companies like you, who are managing their data effectively and putting enough precautions in place to ensure risk of a data breach is mitigated. If they can trust you enough to be secure, they can trust you enough to do business with you.

This is the same reason people get ISO or ISMS certifications, use Identity and Access Management, S/MIME, authentication and more.

Benefits of Using PKI in Your XaaS Service

Business drivers aren’t the only factor that should apply when you’re looking to add PKI to your XaaS solution, business benefits are also worth mentioning too.

Automation

Technology is improving at a fast rate, allowing us to digitize our processes and provide faster and more effective services to our customers. Digitization is currently making huge strides in the banking and IoT sector.

XaaS providers are all about serving customers in a digital form, while making their processes faster and easier. Who said certificate management needs to be any different? With automated certificate renewal processes, encryption, authentication, signing and timestamping processes can continue to happen effectively without being ground to a halt every time a certificate needs to be renewed or expires.

Competitive Edge 

Giving your service something that your competition does not have allows you to gain market share. Alternatively, your competitors could all be offering something that you are not and you might need PKI to jump on board and close a gap in your product/market.

You could be offering a competitive edge by simply keeping your customers inside your platform by offering the security service they need. If your customers can sign, encrypt and authenticate using your service, they have no reason to leave the platform and their processes become more efficient as a result.

Customer Experience and Satisfaction 

As I mentioned above, keeping your customers inside the platform can improve processes and efficiency. This in turn, makes for a much happier customer. If you are able to reduce time off your customer’s working day or delight them by giving them ability to do something easily when it was once before a painstakingly long process, you are winning over hearts and minds. Your customers will be more inclined to stay with your service when they are happy – enabling you to reduce customer churn and the high cost of constantly needing to acquire new customers.  

Corporate Governance

The system of rules and processes that control a business involving the balancing interests of many company stakeholders can be, in part, solved with PKI. Take the example of a company called Passageways, an online board of directors meeting portal. In order to make governance simpler, they created an app where board meetings can be documented and shared for collaboration during and in between meetings. 

In the old way of doing things, minutes would be paper-based. Today directors are mobile and often not in the same room so they need a platform they can use like Passageways. More than 200 hours are spent a year on board meetings, often sensitive topics are discussed. With the introduction of an online platform, security measures have to be put into play to authenticate users and encrypt information as well as digitally sign final board meeting minutes. PKI is enabling this as it is built-in to their service. 

Making XaaS and PKI Mix

If you’re as convinced as we are that PKI will help you solve challenges, meet compliance and give you a competitive edge, the next step is to convince your stakeholders. Please get in touch and I can work with you to create a pitch. 

Share this Post

Recent Blogs