Cybersecurity is a subject that is inescapable for executives in both the private and public sectors. Among all the challenges associated with cybersecurity, cyber threats and securing the organization’s data assets, protecting the data through identification and authentication of users, devices and applications is a top priority. While it may be tempting to focus on protecting the identities of the humans in your organization, it is critical that you do not undervalue machine identities in your cybersecurity and IAM strategies.
A digital signature is an electronic, encrypted stamp of authentication on digital information such as an e-mail message or an electronic document. A signature confirms that the information originated from the signer and has not been altered. To create a digital signature, you need a signing certificate. The digital signature is associated with a certificate, and the certificate establishes the identity of the individual who signed the electronic document. The digital certificate is a form of identification. Or, as the experts are now saying, it is a machine identity.
Authentication involves verifying the identity of a user, device or application. This very important security concept can be achieved through non-cryptographic methods (e.g., handwritten signatures, biometric authentication, PINs and passwords) and cryptographic methods (e.g., secure hash functions, symmetric key and asymmetric cryptography).
Many moons ago, when a customer wrote a check to make a purchase in a brick-and-mortar store, the recipient would ask for a driver’s license or government-issued identification (ID) card to verify that the name on the check matched the name on the license or ID card. A match gave the recipient confidence that he or she could confirm the identity of the purchaser and trust that they were authorized to write the check. Similarly, a credit card transaction may have been authenticated by physically comparing the signature on the back of the credit card with the signature on the credit card holder’s driver’s license.
These manual, non-cryptographic methods proved to be risky and often resulted in a financial loss for the company due to the unauthorized use of a check or credit card. Cryptography provides stronger security than non-cryptographic measures. As technology advanced, and organizations suffered financial and reputational harm due to weak identification and authorization, cryptography emerged as a best practice.
At a high level, public key infrastructure (PKI) is a solution for authenticating and encrypting data. PKI uses digital certificates to accomplish this. Digital certificates can be used to verify a user’s identity as well as specify the privileges the user has been granted (e.g., privileges might include the authority to view proprietary information). Digital certificates build trust between businesses and stakeholders!
According to the United States (U.S.) Cybersecurity & Infrastructure Security Agency, PKI consists of policies, standards, people, and systems that support the distribution of public keys and the identity validation of individuals or entities with digital certificates and a certificate authority (CA). From a business perspective, PKI allows users to conduct business electronically with the confidence that the person identified as conducting a digital transaction is actually the originator, the person on the receiving end of the transaction is the intended recipient, and that data integrity has not been compromised.
The U.S. Department of the Treasury notes that the components of a PKI include a CA, a Registration Authority (RA), a Subscriber, a Relying Party and a Directory (also referred to as a repository). CAs confirm the identities of parties, that is, the individuals sending and receiving electronic transmissions (e.g., emails or financial transactions). RAs authorize the creation of a certificate and provide validated information to the CA; CAs trust RAs to register identities or confirm the identities of the users. CAs actually issue the certificates. A Relying Party trusts the certificate. The Directory is used to store certificates and other information related to them.
Building trust with stakeholders—customers, clients, donors, partners—is critical to an organization’s success and reputation. PKI provides a high degree of trust in an organization’s systems and data by preventing unauthorized access and use. This level of trust results in strong digital security and a mature cybersecurity program. When considering options related to PKI, executives need to consider the following.
Executives should be aware of the following PKI challenges.
When you consider today’s digital landscape, the volume of data generated by users, devices and applications has grown tremendously. There are millions of applications and connected devices that require certificates. The volume of certificates issued to secure communications and data can result in a certificate management nightmare in the absence of a strong and effective PKI.
Managing certificates—which may occur in-house or through a third-party managed service provider—presents a unique challenge, especially to larger organizations that are using more digital certificates now than ever thanks to the rise of the Internet of Things (IoT). In-house certificate management has some benefits, but it is also very challenging because with this type of management comes the requirement to vet certificate issuance and to monitor, maintain and revoke certificates. Organizations that manage certificates in-house struggle to scale PKI because managing and updating all the certificates for users, devices and applications is an arduous process. The challenges associated with certificate management support the trend towards automated PKI solutions.
PKI has the potential to protect against cybersecurity threats, including the human factor. For example, an organization may need to quickly revoke the certificate of an employee who lost a company-issued device, or whose device was stolen, to protect the business from unauthorized use of the employee’s device. If the employee is diligent and promptly reports his or her device as lost or stolen, the organization may be able to move quickly to revoke the certificates associated with the employee. The human factor, specifically personnel, also has the potential to create a challenge for PKI and security teams. In the employee device example, if the employee does not promptly report the incident, the administrator will not know to revoke the certificate.
Depending on the industry, navigating data security policies and governance may challenge an organization that does not have a framework for its PKI program. Executives must take care to consider how the business will implement the security policies, procedures and controls that will govern the infrastructure. Strong governance and adherence to best practices will help the organization create and maintain the most effective policies and procedures for its PKI program.
Advances in technology, such as IoT, also present a challenge for organizations that are working on improving their PKI or just beginning a PKI program. Securing the communications between IoT devices, and the associated data, is critical due to the new opportunities for cybercriminals that have been created by IoT. Consequently, organizations need to maintain a strong identification and authentication regime for deployed IoT devices. This will, however, result in the creation of more certificates, which will require additional monitoring and management, and will add to the challenge of securing the increased volume of connected devices.
The dangers of weak PKI include poor digital security, an immature cybersecurity program and the risk of not meeting compliance requirements, which may lead to fines and increased costs associated with remediation efforts following a data breach as well as reputational harm. Without strong PKI, organizations risk experiencing security gaps in user identification and authentication, encryption of sensitive data, and data integrity. Moreover, gaps in digital security may result in unexpected outages and business disruptions due to expired certificates. Delays in identifying an expired certificate may result in downtime, loss of productivity, and in some cases, loss of revenue and reputational harm.
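The CA, Subscriber and Relying Party roles described earlier, and the expired-certificate outage described here, as an added Go example that is not code from the original article: a constructed root CA issues a 90-day certificate to a device, and a relying party that trusts only that CA decides whether to accept it at a given point in time. The function names (Issue, Decide) and the device identifier used in tests are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue creates a certificate for name, valid for days from `from`, bound to a fresh key pair. With
// parent == nil it builds a self-signed root CA; otherwise the CA (parent, parentKey) issues to a subscriber.
func Issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, from time.Time, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; a real CA tracks serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    from,
		NotAfter:     from.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // root CA: allowed to sign certificates, and signs its own
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Decide is the relying party's check at time now: "trusted" when cert chains to a CA in roots and is inside
// its validity window, "expired" when that window has lapsed (the outage case), "untrusted" when no trusted path exists.
func Decide(cert *x509.Certificate, roots *x509.CertPool, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	if err == nil {
		return "trusted"
	}
	if inv, ok := err.(x509.CertificateInvalidError); ok && inv.Reason == x509.Expired {
		return "expired"
	}
	return "untrusted"
}
```

Running Decide on a schedule against every certificate in the inventory, with `now` set ahead of the real clock, turns the expiry surprise the text warns about into a renewal task with lead time.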
An automated PKI solution simplifies certificate management for organizations. Automated certificate management allows information technology professionals, who may not be cryptography experts, to effectively address user identification and authentication issues. It also gives executives the confidence in knowing that risks associated with the human factor may be mitigated by automating PKI functions and using strong PKI governance and best practices.
With the advances in technology, PKI automation is crucial due to the evolving security and compliance requirements and the sheer complexity of securing devices and data. Further, automated PKI better positions an organization to keep pace with advances in technology and certificate management while considering the multitude of users, devices, applications—across industries—as well as use cases and desired PKI administration (e.g., application programming interface (API), command line or web console).
One of the greatest benefits of PKI is the trust that it creates between businesses and their stakeholders. Automating PKI enhances this benefit and also gives an organization an opportunity to scale its PKI program. If your organization is committed to investing in digital security, is thinking about ways to maintain a mature security posture, or is in the process of creating a cybersecurity program, you should seriously consider the benefits of PKI automation.