Magnum PKI

In the physical world, trust is built on social, legal and business interactions that can take generations to mature. People rely on symbols to establish trust—drivers’ licenses, employee badges, credit cards. Organizations, however, are required to conduct business with a much keener eye to establishing and securing user identities on more than trust. With a growing list of regulations and mandates such as HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley, HSPD-12 and 21 CFR Part 11, businesses and governments are looking for solutions and services to provide identity management and encryption, as well as the confidentiality, integrity, authentication and non-repudiation of information on which their viability depends.

Public key infrastructure (PKI) is one of the identity and access management strategies gaining momentum due to this growing number of mandates. PKI provides organizations with the ability to digitally sign and encrypt critical data that can be deciphered or viewed only by individuals possessing a digital certificate or credentials. PKI is not a new technology; it has been used in military, intelligence and commercial applications for several decades. It has gone through a number of “boom and bust” cycles. Its ability to meet a full range of information security needs makes it desirable, but the perception that it is a difficult solution to implement puts people off. PKI is currently experiencing a great deal of interest as various countries, including Belgium, Singapore and Malaysia, embrace it as fundamental to their national identity infrastructure. PKI is also emerging as the technology of choice in government identity programs, such as the U.S. federal employee ID mandated by HSPD-12. Applications are emerging to take advantage of the growth of digital credentials. Another strong sign that PKI is here to stay is its integration into the latest version of the Windows operating system, the yet-to-be-released Vista.

PKI is perhaps one of the most valuable identity and access management solutions on the market today due to its ability to both digitally sign and encrypt data. Other common access management tools involve user names and passwords, one-time or multi-factor authentication tokens and biometrics, such as fingerprint or iris scans. These tools, however, are not as effective as PKI since they do not enable encryption of data. Additionally, they are not as robust an electronic signature as those created using digital certificates. With cost being a key criterion in most CFOs’ and CSOs’ security strategies, PKI’s functionality provides a cost-effective way to leverage the technology already in-house, while at the same time improving security processes to ensure that critical data is protected.  

Traditionally, PKI certificates were produced and maintained in-house, which required a certain level of security talent within the organization, as well as the ability to drive and support the infrastructure itself. Self-maintenance was an option with this approach, but it was a large pill for an organization to swallow. While larger companies are capable of running a PKI infrastructure themselves, many find it more cost-effective to look to a managed PKI services provider to build and maintain the infrastructure. During this current emergence of PKI, managed PKI is becoming a more popular alternative to the in-house implementations seen in the past.

Who Needs PKI, Anyway?

PKI can be used to meet compliance mandates for a number of applications. Today, PKI in the United States is most prevalently deployed in the public sector. For example, the federal government’s HSPD-12 mandates that all federal employees and contractors be issued digital credentials via smart cards; the PKI serves as the trusted infrastructure that binds the employee’s identity to the smart card and enables the issuer, in this case the government agency, to validate that identity throughout the lifecycle of the card. Once issued, the certificates can be used to control access to physical facilities and computer networks.  

Managed PKI services are also used to achieve cross-certification, defined as the concept of tying together individual PKIs to create a more widespread trusted network. For example, individual PKIs within the pharmaceutical industry (via SAFE) and aerospace industry (via CertiPath) have established what are known as bridges to facilitate the cross-certification process from both a technical and policy perspective. The ultimate goal of such bridges is to facilitate the use of PKI for trusted transactions among the bridge participants.

The Key to a Strong Security Strategy

It’s important to clarify that when it comes to protecting data and other resources, there is no one-size-fits-all solution, especially at the application layer. Not every application an organization has in-house will need assurances around identity. For example, storage applications possess a very rigorous identity proofing process, such as a hardware device, while others may simply require a user name and password. 

The federal government, as a consequence of HSPD-12, has a fairly well-defined identity proofing process with regard to background checks. It is also bolstering the face-to-face identity proofing process by mandating that the components of the identity—digital photo, fingerprint templates and the digital certificate—be stored on a hardware token, such as a smart card. Enterprises, however, are free to determine the level of proofing for their employees’ access to company assets and may choose to utilize other information security techniques such as two-factor authentication with a one-time password token that creates a new, randomly generated password on each use. Organizations that have needs beyond authentication, such as digital signing of electronic documents or encryption of data, find PKI services to be a better fit for their overall needs.  

Unlocking Security and Compliance Possibilities

Managed one-time passwords are a cost-effective alternative to strong authentication to meet regulatory requirements or simply to implement security best practices. However, this same functionality can be achieved through a managed PKI approach, granting remote access to a partner’s or customer’s virtual private network (VPN). Above and beyond the security provided by one-time passwords, PKI enables electronic business processes that require signatures and provides organizations with the ability to produce digital certificates for signing an important document electronically or validating a large financial transaction. Certificates are a hassle-free way for authorized individuals to make transactions and a secure way for organizations to hold information—a key component in establishing seamless business processes.

Implementing a managed PKI security strategy can also help organizations demonstrate compliance with a variety of federal and industry-led mandates, such as Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, HSPD-12 and 21 CFR Part 11. One hallmark of these regulations is the establishment of strong controls and the ability to assert that appropriate people have access to specific business processes. Properly implemented business systems that leverage the strong audit and security features of PKI can help demonstrate that controls are in place and that the organization has the ability to monitor those systems. 

The Right PKI Approach for You

So how does an organization determine whether a PKI approach is right for it?

The first consideration is corporate risk and the level of data being protected by PKI. All applications do not require PKI, and it is important that organizations assess the relative risk presented by unauthorized access to an asset. The federal government has developed an approach to evaluating authentication risks in the context of electronic applications, which is a useful starting point in conducting such analysis. While this framework was developed by the Office of Management and Budget for federal agencies, it can certainly be utilized by private sector organizations to evaluate risk levels.

The second consideration may seem obvious: cost. While companies like Microsoft provide free software to create digital certificates, software is a just a portion of the expense incurred. In order to manage and maintain certificates in a trustworthy fashion, organizations need to have the infrastructure and resources in place. If your organization has the people and technology available, then utilizing internal resources for PKI may be appropriate. Organizations that have the right people, but cannot support the expense of maintaining the infrastructure, should consider a managed security services provider that can manage the infrastructure and issuance of certificates at a lower cost. 

Identity management and access control strategies such as PKI can help to ensure security best practices are always in play, allowing organizations to take the necessary steps to protect critical information without depleting in-house resources in a way that distracts from the organization’s core mission.