In the previous article, we explored the importance of Public Key Infrastructure (PKI) from an enterprise architecture perspective. We also saw some of the typical enterprise application scenarios that need to use PKI, including public facing web sites and web applications, Virtual Private Network (VPN) services, mobile applications and software (code signing). This article illustrates a few of the other enterprise application scenarios where PKI needs to be an integral part of enterprise architecture.
Enterprise cloud applications: Cloud computing is truly mainstream today: a recent Rightscale research report from Flexera indicates that 94% of organizations leverage some type of cloud technology. The benefits of cloud including elasticity, location independent access, and usage-based pricing for infrastructure have overcome the earlier apprehensions of moving applications and data to the cloud. However, enterprises need to be as vigilant as ever to ensure appropriate identity and access management (IAM) solutions are in place for their cloud applications. PKI is one of the best IAM options for enterprise cloud applications and is much more secure than alternatives based on a username and password approach.
User authentication: Even within the enterprise, the use of PKI is going up rapidly. Verifying the identity of enterprise users and other entities such as devices using digital certificates makes a lot of sense today – especially considering the risk of insider threats and the need to have strict access controls as well as audit mechanisms in place. For example, code signing, as explained in the previous article, requires DevOps teams and developers to sign code as a part of the deployment and release cycles. PKI based user authentication can also help to restrict and monitor access to sensitive enterprise applications and data, such as personally identifiable information (PII) of customers, company IP and trade secrets, and company financials. In fact, the risk of data breach incidents where customer data is leaked or sold to the outside world by insiders, can be significantly reduced by leveraging PKI based credential management within the enterprise.
Email: For most enterprises today, email continues to be the primary communication mechanism between employees, and with customers and partners. With PKI, digital certificates can be used to sign and encrypt email. More specifically, you use your private key to sign an email you are sending, and you use the recipient’s public key to encrypt that email. The technology used is called Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI principles. Most email providers and clients support S/MIME. Securing email communication is extremely important to address threats related to phishing. The recipient might get an email from somebody impersonating a known person (e.g. a colleague, customer or partner), requesting some confidential information or asking to click a link in the email. With PKI, the email client will alert the recipient that the sender’s identity could not be verified. Enterprises cannot afford to underestimate the importance of email security: cyber security research indicates that most cyber incidents and breaches start with a simple phishing email. Apart from the advantages of identity verification and protecting the privacy of the communication through encryption, non-repudiation is an additional advantage: with PKI in place, the email sender cannot deny later that an earlier email was sent by her/him.
Document management: Enterprises deal with a variety of documents that need to be formally signed by an authorized person – orders, contracts, petitions, agreements, forms, authorizations, and so on. Digital signatures provide a convenient way to sign these documents, since the enterprise is likely to be leveraging PKI in some form or the other anyway. The technology behind PKI ensures that the level of security available for digitally signed documents is much more than manually signed ones. Document management applications therefore need to be able to leverage PKI and digital signatures to ensure that documents are signed (and timestamped) as soon as they are generated, to ensure that any unauthorized changes can be immediately and automatically detected by security tools and platforms.
Summary In today’s world, enterprise application architecture needs to follow a “Security First” approach. For example, with cloud technology becoming mainstream, cloud security also needs to become a top priority for enterprises. Similarly, for application authentication, enterprises can no longer rely on just a username and password approach, since enterprise applications are accessed anytime and from anywhere. Threats like phishing have resulted in email security becoming a hygiene factor and not just a “good to have”. Digital signatures for documents have become the norm, replacing manual signatures. Overall, enterprise architecture today requires application security to keep three needs in mind: stronger authentication mechanisms, validation of the device or endpoint that is being used to access the application and securing the communication channel between the application and the endpoint. PKI through digital certificates, provides a way for enterprises to address all three of these needs. This also means that enterprises need to think about good certificate management practices, including the set up of a private certificate authority (CA) where needed. That, however, is a different subject and will be covered in a future article. Stay tuned!