• Home
• Products
  • SecureNTP - Time Management
  • DirectConnect - Time Delivery
  • Consulting & Auditing
• Solutions
  • Making GPS Provable
  • PCI Compliance
  • OATS Compliance
  • Third Party Assessments
• Support
  • Knowledgebase
    • FAQ's
    • Glossary
  • Bug Tracking
  • CTO's Support Blog
• News
• About
  • Contacts
  • Time Centers
  • Management
  • Privacy

Where do you get your time?

Where do you get your time? If you don't know, how can you trust it?

The best place to start in answering these questions is with the blinking digital clock at the top of this page. It comes from the time generated on your PC. So where does your computer get the time? If you are on a network (such as an office environment), then your system administrator probably set up a domain controller that distributes time to all the computers on the network. If you are not on a formal network, like your home computer, Windows comes preloaded with a routine that automatically updates the clock from the Internet (learn more).

But where does that time come from? Almost anywhere. Your company could use a clock that gets its time settings from the GPS satellite system. Or your time could come from a source on the Internet, such as NIST, the US Naval Observatory, pool.ntp.org or any of the more than 3,000 other Internet time servers distributed across the globe. In most cases these sources are free and provide relatively accurate time.

However, accuracy is not the only attribute you should be concerned with when it comes to time, especially in the commercial context:

• Time needs to be reliable and always available. Your time source is like any other third party that provides critical services to your organization. Can your provider answer the following questions affirmatively:

• Are your systems and processes audited and do you follow stringent industry and government standards?
• Do you provide your users with a service level agreement?
• Do you provide logging and monitoring of the time setting process?
• Do you alert your users when there are problems?

It is unlikely that your time source can answer "yes" to any of these questions. Free is great, but it seldom guarantees service, support or reliability.

• The time setting process must be interactive. Most time sources are passive. They provide a one-way statement of the time and do not accept any communication back from the user to confirm the accuracy or source. If you send money or conduct a transaction electronically, there is always a two-way communication to confirm the identity of the parties and the accuracy of the data. The same should apply for time setting.
• Time must be provable. 100 years ago time was recorded by writing down the event on a piece of paper and the person who wrote down the information could later be queried as to its accuracy. Today, machines handle virtually all time recording and the average person has no idea where the time data came from or how valid it is. Yet time is the starting point for determining the meaning of the data. It is a " trust-anchor" that establishes the validity of the associated information. If time is not set correctly, your digital certificates and change control processes will fail, audit logs will become unreliable, forensics will become a nightmare, and your auditors and regulators will conclude that your controls are deficient. Worse, if you submit digital evidence as part of litigation and your time stamps conflict or cannot be verified, you run the risk that your evidence will not be admissible or credible. But if time is that critical, how can we verify that the computer set the time accurately?
• Time must be consistent. It is not enough that the time on your device is accurate. You need the same accurate time across your organization and with every third party that you exchange data with. You need a time source that can provide services wherever your business and your partners are located.

The only answer is secure time services from a reliable time-provider: a provider that meets the same rigorous control standards you use in your organization; a provider that is focused on providing service and support; a provider that can verify the accuracy and source of its time data; a commercial time provider. For further information on Certichron's products and services, click here.

Certichron provides secure and auditable time services that allow companies to provably synchronize their desktops and transaction servers with regionally deployed, Federally-traceable time servers (using the Internet or a private extranet). For more information on our services and technologies, please email Certichron with your requirements or contact the sales office directly at 800-511-2301 (9-5 PST). Certichron, Inc. © 2009 Privacy Policy Terms of Use