Thales Blog

Is Your Organization's PKI Adequate? Part 3

May 10, 2013

As more and more business is done online, organizations need to regularly assess whether their PKI is adequate for supporting its security demands. Whether an organization owns its own Certificate Authority, or uses a private or public outsourced service, a PKI is only as valuable as the trust it can deliver.

The problem for many organizations is that the PKIs they originally deployed to support relatively low-value operations may no longer be suitable. For example, it is common to hang more and more business applications off a PKI. A good case in point is in the rise of the Bring Your Own Device (BYOD) phenomenon. With more and more employees working from home on their own devices, a business must evaluate whether its PKI is capable of supporting the plethora of smartphones, tablets and laptops connecting to the network. Certificate volumes may have increased and evolved to far exceed original expectations, meaning that items such as algorithm choice and key length may no longer be appropriate.

Organizations must take care to assess the strength of their PKI. Software-only systems (i.e. systems that do not employ dedicated hardware such as HSMs for cryptographic purposes) can be inherently vulnerable to many of the threats against PKIs: best practices should be followed.

Imagine a scenario where an enterprise issues smartcards to employees to provide controlled access to physical and virtual resources. It is likely that these cards, in addition to carrying a photo of the user, will contain encrypted keys to certify their identity for access to controlled zones and business areas, as well as to sign documents and business transactions.

If the CA issuing the keys is compromised, the identity of personnel can no longer be validated. The consequences of this could be disastrous: fraudulent users could steal IP, execute unauthorised transactions and compromise the business.

In the same vein, software publishers who depend on digital signatures to attest to the authenticity of their products would see business plummet if customers could not verify and trust that they were downloading genuine products. As a consumer, when you download an update from, say, Adobe, a box pops up on your screen to confirm that it is a safe download. A compromised CA, however, would be able to able to issue fraudulent certificates which would allow unsuspecting customers to install what appears to be legitimately signed software from a bogus source. Such a scenario would potentially infect the customer’s platform, affecting the developer’s reputation, and could even put them out of business. It is for this reason that code signing from a PKI is critical.

Private CAs make it their business to sell trust, which is why attacks such as that which affected private CA DigiNotar in 2011 are so damaging. If the trust is compromised, these companies are likely to go out of business.

So how should you determine the strength of your PKI requirements? Critical factors include:

  • The volume of certificates issued by a CA
  • The number of applications they support
  • The value of those applications
  • Whether these applications are subject to government or industry regulation

Other factors include:

  • Geography and topology including partners and external parties
  • Approval processes including supervision and accountability
  • Auditing and compliance procedures
  • Speed of issuance and validation, and associated latencies
  • Existing cryptographic policies

Part 1: What is a PKI and why is it important?

Part 2: Security considerations of a PKI