I’m often frustrated by the misconception that PKI is dead—there’s an idea in some circles that it’s an old technology and we’ve grown beyond it. Actually, nothing could be further from the truth. PKI is still on its way in. And it’s only going to become more vital as we look for scalable ways to manage and secure communication across the skyrocketing number of new machines and applications.
Why do I care about PKI? There are not a lot of people floating around in this market who have 20+ years of PKI experience. It’s just kind of weird that I’ve stayed with it all these years. Some people think PKI is boring, but actually it is quite exciting as IoT and Smart Infrastructures emerge. I always believed that it was going to have its day eventually. And I was right; that day is today.
PKI has been getting a bad rap for quite a while now and I’d like to set the record straight. Here are 4 common misconceptions about PKI and its relevance to our future security.
The problem with putting PKI out to pasture is that there really isn’t anything else that is a suitable replacement. In fact, instead of becoming less relevant, PKI is becoming more relevant as we increase our adoption of cloud and DevOps infrastructure. Both of these technologies consume large numbers of certificates that are only used for short periods of time. What other technology is out there that can authenticate endpoints effectively, protect the integrity of the data they exchange, and cost only a few cents per identity? There isn’t one. No one has been able to develop an alternative that is as ubiquitous and easily deployed, or one that is as cost effective.
Granted, PKI was created for a specific purpose and then it kind of went to sleep for a few years. During that time, it was used quietly in the background and nobody thought too much about it. And then, what I think of as PKI 2.0 started happening about 4 or 5 years ago. We started to see certificates used on smart cards, and other devices, to identify humans as well as machines (the non-human actors on your network). And now we’ve got an exploding population of IoT, virtual, cloud and DevOps machines and they all need unique identities. Each of these relatively short-lived machines needs a way to authenticate itself to other machines so they can communicate securely. And PKI is still the only way you can even begin to tame all of that madness.
If you’re not a PKI person, you may be a little scared of PKI because it seems very deep and complicated. It’s not actually. But because it appears that way to people there’s a misperception that it is causing a lot of pain. If you dig a little deeper you’ll realize that it’s not the underlying PKI technology that’s causing the pain, it’s the management of PKI assets (that is, keys and certificates) that’s causing the real problem. Most organizations are not managing these critical security assets at all: there is no inventory of what was issued, who owns it, or when it expires. As a result of this lack of even basic oversight, when certificate issues arise they consume large amounts of scarce, highly skilled resources and things get ugly fast, and very stressful. It’s relatively easy to avoid all these difficulties, and substantially simplify PKI, by automating the management and workflow of the certificate life cycle: discovery, ownership, renewal before expiry, and revocation when a key is no longer trusted. This isn’t nearly as difficult as some naysayers make it out to be; a better understanding of the root cause of perceived PKI pain would eliminate an enormous amount of confusion, frustration and public embarrassment.
Executives often perceive PKI costs as unpalatable until they realize that by not tracking machine identities, they can literally cripple the business. Unmanaged machine identities can impact your business in two ways. First, through an unexpected expiry, which causes an outage and, from an external user’s perspective, looks like a serious security compromise. Second, through an actual compromise, which is extremely serious. When a certificate and its corresponding private key are stolen, attackers can use them to appear to be trusted. They can then move around inside your network and do all kinds of things you don’t want to think about, and because the traffic is authenticated and encrypted with a key you issued, your security controls generally won’t be able to tell them apart from legitimate machines. Effective management of your PKI, including knowing which keys exist so that a stolen one can be revoked and replaced quickly, substantially reduces both dangers.
PKI is a long way from dead—PKI management is going to become an increasingly critical component of every security program and is already becoming a part of IT audit. Private keys will even form part of securing most blockchain technology. The explosion of machines in all of your external environments means that you’re putting a stunning number of keys and certificates out there. It’s crucial for you to know where they all are. But that’s not all—you also need to validate that they are where they should be, that nothing is deployed that you did not issue, and that none of them have been compromised or misused in a way that could result in a breach. If you’re not actively managing your PKI, then you could be in for a really rough ride because analysts tell us attackers are targeting keys and certificates.
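The management problems described above (unexpected expiry, and certificates nobody knows about) are concrete enough to put in code. The following is an added example, not code from the original post or from any product it refers to. It triages a small constructed inventory of certificates: every host name, fingerprint, owner and date in it is made up, and the renewal rule (replace a certificate once two thirds of its validity period has elapsed) is an assumed policy, not something the post prescribes. Two points it shows that the prose alone does not: a renewal threshold should be relative to the certificate’s lifetime, because a fixed “warn at 30 days” rule fires on the day a 30-day DevOps certificate is issued; and reconciling a scan of what is actually deployed against the inventory is how you find both the forgotten certificate that nobody will renew and the one you never issued at all.

```python
"""Certificate lifecycle triage over a constructed inventory.

Added example; not code from the original post. All hosts, fingerprints,
owners and dates below are constructed, and the two-thirds renewal rule is
an assumed policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CertRecord:
    subject: str                  # CN the certificate was issued to
    fingerprint: str              # SHA-256 of the DER; placeholder strings here
    not_before: datetime
    not_after: datetime
    owner: Optional[str] = None   # responsible team; None means nobody has claimed it


def renewal_deadline(cert: CertRecord, fraction: float = 2 / 3) -> datetime:
    """Time by which the certificate should already have been replaced.

    The deadline is a fraction of the validity period rather than a fixed
    number of days, so a 30-day certificate is due at day 20 while a
    one-year certificate is due after roughly eight months.
    """
    lifetime: timedelta = cert.not_after - cert.not_before
    return cert.not_before + lifetime * fraction


def triage(cert: CertRecord, now: datetime) -> str:
    """Classify one certificate as EXPIRED, RENEW_NOW or OK."""
    if now >= cert.not_after:
        return "EXPIRED"
    if now >= renewal_deadline(cert):
        return "RENEW_NOW"
    return "OK"


def reconcile(inventory: Dict[str, CertRecord],
              observed: Dict[str, CertRecord]) -> Dict[str, List[str]]:
    """Compare what we believe is deployed against what a scan actually found.

    Both maps are keyed by fingerprint. Returns:
      unknown - seen on the network but absent from the inventory (a forgotten
                test cert, a rogue issuer, or an attacker's own certificate)
      missing - inventoried but not observed anywhere (host decommissioned, or
                the cert was replaced without updating the records)
    """
    inv, obs = set(inventory), set(observed)
    return {"unknown": sorted(obs - inv), "missing": sorted(inv - obs)}


def utc_date(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed inventory: what the PKI team believes it has issued.
INVENTORY: Dict[str, CertRecord] = {
    "sha256:a1": CertRecord("www.example.test", "sha256:a1",
                            utc_date(2024, 5, 1), utc_date(2024, 5, 31), "web"),
    "sha256:b2": CertRecord("api-gw.example.test", "sha256:b2",
                            utc_date(2024, 5, 10), utc_date(2024, 6, 9), "platform"),
    "sha256:c3": CertRecord("vpn.example.test", "sha256:c3",
                            utc_date(2024, 1, 1), utc_date(2025, 1, 1), "netops"),
    "sha256:d4": CertRecord("old-db.example.test", "sha256:d4",
                            utc_date(2023, 6, 1), utc_date(2024, 6, 1), "dba"),
}

# Constructed scan result: what was actually found on TLS listeners.
OBSERVED: Dict[str, CertRecord] = {
    "sha256:a1": INVENTORY["sha256:a1"],
    "sha256:b2": INVENTORY["sha256:b2"],
    "sha256:c3": INVENTORY["sha256:c3"],
    # A build agent that issued itself a cert nobody recorded or owns.
    "sha256:e5": CertRecord("build-agent-7.example.test", "sha256:e5",
                            utc_date(2024, 5, 20), utc_date(2024, 6, 19)),
}


def report(now: datetime) -> Dict[str, object]:
    """Per-certificate status for everything observed, plus reconciliation."""
    status = {fp: triage(cert, now) for fp, cert in OBSERVED.items()}
    diff = reconcile(INVENTORY, OBSERVED)
    # Unknown certificates with no owner are the ones nobody will renew or revoke.
    unowned = sorted(fp for fp in diff["unknown"] if OBSERVED[fp].owner is None)
    return {"status": status, **diff, "unowned_unknown": unowned}


if __name__ == "__main__":
    for key, value in report(utc_date(2024, 6, 1)).items():
        print(f"{key}: {value}")
```

Run against the constructed data on 2024-06-01, the public web certificate is already expired (the outage case), the 30-day gateway certificate is past its renewal deadline, the year-long VPN certificate is fine, the database certificate in the records is no longer seen anywhere, and the build agent’s certificate is both unknown to the inventory and unowned. The same two functions, `triage` and `reconcile`, are what an automated lifecycle job runs on a schedule; the difference in a real deployment is only where the inventory and the scan results come from.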
So, PKI is here for the long haul. It can be your best friend or your worst enemy.
Do you know which it is in your organization?