Is public key infrastructure (PKI) giving you a false sense of security?
Do you think you have secured your organization and solved your issues with strong authentication, data encryption and digital signatures just because you are using the public key infrastructure (PKI) security method? “Think again,” says Daniel Hjort, business developer at identity and security company Nexus Group.
The public key infrastructure (PKI) security method enables trusted electronic identities (eIDs) for people, software and things, which makes it possible to implement strong authentication, data encryption and digital signatures. These security mechanisms are used to grant secure access to physical and digital resources; secure communication between people, software and things; and enable digital signing of documents and transactions.
PKI is misunderstood and misused
“PKI is now widely accepted as the best method for doing these things, and a quickly increasing number of organizations are starting to use PKI. And that is all good. The problem is that PKI is misunderstood and misused,” says Hjort.
In PKI, digital certificates are issued to people, software and things to ensure the trustworthiness of their identities. These digital certificates are issued with the help of a certificate authority (CA) software.
“The most widely used CA software is Microsoft’s Active Directory Certificate Services (ADCS), and many organizations are also buying additional certificates on the street to manage web servers, for example. But a large percentage of organizations do not understand what they are implementing, how they are to document it, and how they will handle the life cycles of the certificates,” says Hjort.
He compares it to buying an electronic toothbrush and fluoride toothpaste because you know that this is good for your teeth – but then not understanding how to use it correctly.
“If you only brush your teeth once a week, or if you press way too hard, or if you clean the toothbrush instead of your teeth with the toothpaste, you cannot expect healthy teeth. But many organizations expect secure authentication, data encryption and digital signatures, even though they are not using the PKI correctly,” says Hjort.
EUs General Data Protection Regulation (GDPR)
New regulations, most notably the EUs General Data Protection Regulation (GDPR), are putting an increased pressure on organizations to take control of their data and to assure privacy by design.
“This is stressing many C-level people out. They read up a little, realize that PKI is the state or the art, and decide that their organization is to deploy it. But – to use yet another metaphor – this is like buying an inflatable life boat, without realizing that you have to have a mechanism to inflate it. Using PKI incorrectly gives you a false sense of security,” says Hjort.
Secure design of the PKI
The solution is to set up a stable and secure design of the PKI, and to put adequate policies and processes in place for managing it, according to Hjort.
“For example, you have to make sure that the lifecycle management of the certificates are handled correctly, that notifications are sent before they have to be renewed, that you can handle multiple domains, and so on. You also have to control who has the right to make certain decisions, such as deciding to issue a certificate, through the correct separation of duties,” says Hjort.
IT teams usually understand the basics when it comes to separation of duties (SoD) within the technology area as well as the principle of least privilege. However, IT teams do not normally have the expertise to determine the SoD within the business.
“Even if conflicting access rights are causing concern, it is not the IT team’s responsibility to identify these issues and bring the management’s attention to them. It is the business management’s responsibility to make sure that the business logic is mapped to the information flow, and that SoD is imposed where it makes sense,” says Hjort.
This is best accomplished with the help of auditors with the right training and expertise, and by putting an identity and access management (IAM) software in place, according to Hjort.
Easier for both administrators and end users
“All CA softwares issue X.509 certificates, and an X.509 certificate is an X.509 certificate. But the trust is not built from this technology itself. The implementation of controlled and adopted processes is what makes the certificates trustworthy and gives the PKI solution the ability to make your organization safer,” says Hjort.
An IAM software can help you enforce uniform policies in the management of identities, credential data and entitlements. It can also give you centralized and correct information on who is in possession of which physical or digital access credentials and entitlements at any time.
“In addition, a good IAM software streamlines and gives you control of on-boarding and off-boarding of employees, students, visitors and contractors, preferably through user-friendly self-service interfaces. This also makes life easier for both administrators and end users,” says Hjort.
Published 4/4 2017