Businesses are becoming ever more dependent on digital information and electronic transactions, and as a result face stringent data privacy compliance challenges and data security regulations. With the enterprise increasingly under threat of cyber attacks and malicious insiders, business applications and networks are now dependent on the use of digital credentials to control how users and entities access sensitive data and critical system resources.
Public key infrastructures (PKIs) are necessary to help ascertain the identity of different people, devices, and services. In a nutshell, PKIs go way beyond the use of user IDs and passwords, employing cryptographic technologies such as digital signatures and digital certificates to create unique credentials that can be validated beyond reasonable doubt and on a mass scale.
PKI technology is already used more widely than you might think. It is a cornerstone of how data is encrypted as it is passed over the internet using SSL/TLS – without it, e-commerce wouldn’t be practical. PKI is used to digitally sign documents transactions, and software to prove the source as well as the integrity of those materials – in important task as Trojans and other malware proliferates. Finally, PKI underpins the security of the consumer world by supporting authentication of smart phones and tablets, games consoles, citizen passports, mass transit ticketing, and mobile banking.
To drill down into how PKIs actually function, cryptography is deployed to provide all users in a particular group with a set of cryptographic ‘keys’: a public key available to anyone in the group and a private key which must be kept secret and only to be used by the entity to which it belongs, typically for tasks such as decryption or for the creation of digital signatures.
Critical to the proper functioning of a PKI are digital certificates. Much like a passport certifies one’s identity as a citizen of a country, the digital certificate gives the key pair a meaning and establishes the identity of users within a group. As a consequence it is vital to protect the authenticity and integrity of the digital certificates and the process by which they are created and issued – otherwise the credentials can’t be trusted and are worthless.
Certificate authorities (CAs) are a critical component of PKIs which manage the lifecycle of all digital certificates within a PKI. The CA is the party which both the owner of the certificate and the party using the certificate trusts. Because of this critical dependency, CAs underpin the security of not only the PKI, but of all transactions and exchanges that are protected by the certificates that they issue. Not surprisingly CAs have become the focus of targeted attacks such as the one perpetrated against DigiNotar in September 2011.
Most larger organizations and public sector bodies deploy their own CAs and issue certificates for their own use. Other organizations can use hosted CA services that typically charge a fee for the issuance of certificates. Hosted services can be accessed by multiple organizations and the general public and therefore also serve the purpose of establishing trust between them, acting as a trusted third party.
We’ve run through a number of important concepts here but perhaps you’re still wondering why PKIs are so important. Well, the answer is that almost all security controls ultimately come down to authentication and access controls. Encryption is a powerful tool for protecting confidentiality but unless that data can be decrypted it is forever useless. Determining who has the right to decrypt data and to access applications becomes the critical issue. When we think about cloud computing, virtualization, outsourcing and other examples of where the traditional perimeter defenses in an organization has started to evaporate the need to authenticate and verify becomes clear. If a company cares about the integrity of its data and systems, it must either deploy a PKI with an appropriate set of checks and balances or use a third party service it can trust. Failure to do so leaves an organization exposed and increasingly vulnerable compared to other potential victims.
Part 2: Security considerations of a PKI
Part 3: Is your organization's PKI adequate?