1. Using Digital Certificates to Secure Sensitive
Communications Within the UW Medical School
Nicholas Davis – DoIT Middleware
March 1, 2010

2. Overview
• Old business processes vs. new
business processes
• Protecting your electronic identity
• Email security
• Digital certificates defined
• What digital certificates can do for
your department
• How digital certificates can help
your increase security
• Questions
• Next Steps

3. Old vs. New Business Processes
• UW-Madison has
historically relied upon
manual business
processes
• Transcripts, HR Data,
Contracts, Research Data,
Health Information,
Financial and Accounting
Information—all kept on
paper
• Physically secure
• Difficult to access,
replicate and distribute

4. Old vs. New Business Processes
• As the amount of information we
manage has increased, we have
turned to electronic information
systems to help us organize and
disseminate information in a more
efficient manner

5. Old vs. New Business Processes
• Today, we send official
documents as email
attachments
• We send email and documents
to group mail lists
• Access to information is much
greater than it was in the days
of manual processes
• With new technologies there
are new threats

6. Protecting Your Personal
Identity
• When you send a document, how
does the receiver know it came
from you?
• When you send an electronic
document, wouldn’t you want the
same assurance?

7. Email Security
• How secure is the email you
sent this morning?
• What happens to an email
once you click the “send”
button?
• Network, Intermediary
Servers, Receiving Email
Server, End Users
Workstations
• Laptops!

8. Digital Certificates Defined
• A digital certificate is NOT a
software application
• A digital certificate is an
“electronic passport”, with special
added features
• Proves your identity
• Allows you to protect your
information with encryption
• Functionality already built into
existing applications on your
computer

9. What Digital Certificates Can Do
For Your Department
• Provide proof of document or
email message authorship
• Proves that the document
(Word, Excel, PDF,
Powerpoint) came from you
• Proves that the document has
not been altered from original
form

10. Example

11. Example

12. Encryption
• Protects your email from being
read and/or altered from the
moment it leaves your computer
• Simple as “click and send”
• In order to receive encrypted
email, you must have a digital
certificate
• In order for encryption to work bi-
directionally, both users must have
digital certificates

13. Example

14. If The Encrypted Email Is
Intercepted

15. Uses
• Signing documents (and
email) to prove authorship
• Encrypting sensitive emails
and attachments

16. Think About This
Could cause harm in
a critical situation
Case Scenario
Multiple hoax
emails sent with
Chancellor’s name
and email.
When real crisis
arrives, people
might not believe
the warning.
It is all about trust!

17. Case Scenarios To Be Avoided
• HR related email concerning
Nicholas Davis is intercepted
by someone on the campus
network and sent to
newspaper
• Laptop containing spreadsheet
with SSNs of all UW faculty is
stolen at Moscow airport.

18. The Technology Is Trustworthy
• X.509 is the industry
standard
• Used by many
Federal Government
agencies and
Universities around
the world
• Used in all Western
European passports
• Used by GE,
Raytheon, J&J, P&G

19. The Technology Is Managed
• DoIT generates,
distributes,
supports and
manages the digital
certificate program
• Our certificates are
provided by
Verisign, the most
widely trusted
issuer of digital
certificates
• We keep copies—
just in case

20. Questions, Comments
• Nicholas Davis
• ndavis1@wisc.edu (info)
• pki@doit.wisc.edu (support)