In this discussion whiteboard, let us understand what PKI is, which components make up a Public Key Infrastructure (PKI) and, most importantly, how the recent global pandemic is forcing companies to adopt remote working, which in turn exposes a firm's sensitive data to new threats. To secure that data, we need to understand how to scale PKI remotely in order to defend against data breaches. What is Public Key Infrastructure as a Service (PKIaaS)? What are the benefits of using PKIaaS, and how does it secure data that is stored and used remotely? Let's get into the topic:
The global pandemic of 2020 has thrown new challenges at the world, not only in terms of medical and health parameters but also for many businesses. Firms had to move their operations from offline to online, and employees had to work remotely to meet business needs. With employees working remotely there is a much higher chance of cyber security attacks and data leakage. Public Key Infrastructure (PKI) plays a crucial role in protecting sensitive data that is now spread across the globe along with the remotely working employees who handle it.
Are cyber security practices such as Public Key Infrastructure still relevant in the COVID-19 pandemic era?
To answer this question, consider the findings of a survey conducted by PwC on the financial measures CFOs are considering during the COVID-19 pandemic to reduce the business impact and stay sustainable. One interesting finding is that 67% of the CFOs who responded are considering cancelling or deferring planned investments to reduce the financial burden on their firms. Of those 67%, only 2% are considering cuts to planned cyber security activities; the rest are not willing to reduce the budget for data protection. This indicates the importance attached to cyber security, and especially to encryption and PKI, in a situation where data is spread across many places because employees are working from remote locations.
What made cyber security, especially Public Key Infrastructure (PKI), critical during COVID-19?
It is well known that cyber security is critical to any firm with sensitive data, and that was true before the COVID-19 pandemic hit the globe. During the pandemic it became even more critical, with employees who handle sensitive data working remotely all over the world. This complicates the process of tracking down sensitive data (at rest, in transit and in use) and protecting it. Managing PKI remotely therefore became critical: short-lived certificates have to be renewed on time and revoked if a key is lost, and the existing live certificates have to be tracked so that none expires unnoticed. Managing PKI remotely is also critical for compliance, as companies can face heavy penalties for non-compliance with international standards. PKI can be leveraged for email protection, VPN access, user authentication and website certificate management. PKI has become a business-critical asset in the cyber security domain during the COVID-19 pandemic.
What is Public Key Infrastructure - PKI?
PKI, or Public Key Infrastructure, is the set of roles, policies and software used to issue, distribute, validate and revoke digital certificates, and it is what secures client–server communications such as TLS. A certificate binds a public key to an identity (a user, a device or a host name) and is signed by a Certificate Authority; the matching private key stays with its owner. Certificates authenticate the parties to a connection, and the public keys they carry are used to negotiate the session keys that encrypt the traffic end to end. In this way, both server and client can establish trust in each other, verify each other's authenticity and protect the integrity of the transaction. With the increase in digital transformation across the globe, it is highly critical to use PKI to ensure safe and secure transactions. PKI has a vast range of use cases across sectors and industries, including healthcare and finance.
What are important components in Public Key Infrastructure - PKI?
There are three key components: digital certificates, the Certificate Authority and the Registration Authority. Together these components protect and secure digital communications and electronic transactions.
- Digital Certificates: The most visible component of a Public Key Infrastructure (PKI) is the digital certificate, today almost always an X.509 certificate. A certificate contains a public key, the identity it belongs to, a validity period and the issuing CA's signature, and it is used to identify and validate the parties to a client–server connection so that the connections formed are trusted. Certificates can be issued individually or in bulk depending on the scale of operations; a small deployment can issue its own, while a large firm typically purchases publicly trusted certificates from third-party issuers for its public-facing systems.
- Certificate Authority: The Certificate Authority (CA) issues certificates and is the anchor of trust for them. Whether the subject is an individual computer, a server or a user, the CA signs the certificate with its own private key once the identity has been verified, and any device that trusts the CA's root certificate will trust the certificates it has issued. Because everything rests on the CA's signing key, that key is the most sensitive asset in a PKI and is normally kept in an HSM.
- Registration Authority: The Registration Authority (RA) is a component delegated by the CA to verify the identity behind a certificate request and to approve or reject it; the RA does not sign certificates itself. Requests handled by an RA range from an individual's certificate for signing email to a company setting up its own private certificate authority. The RA forwards all approved requests to the CA for issuance.
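The three components described above, as an added example that is not code from this page or from Encryption Consulting: a Go program using only the standard library's crypto/x509, so it runs offline. It builds a root CA, has the subject generate a key and a CSR, has an RA check proof of possession and an approved-identity list before forwarding the request, has the CA sign a short-lived client certificate, and finally verifies the chain the way a VPN gateway or mail server would. The CA name, the user identity and the allow-list standing in for the RA's directory lookup are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewRootCA creates the CA key pair and a self-signed root; in production the CA key lives in an HSM.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Root CA"}, // made-up name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCSR runs on the subject's side: the private key never leaves, only the signed request does.
func NewCSR(user string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: user}}, key)
	return der, key, err
}

// RegistrationAuthority vets a request: it must parse, its signature must prove possession of the
// enclosed key, and the identity must be on the approved list (an assumed stand-in for an HR or
// directory lookup). The RA never signs anything.
func RegistrationAuthority(csrDER []byte, approved map[string]bool) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if !approved[csr.Subject.CommonName] {
		return nil, fmt.Errorf("identity %q not approved by RA", csr.Subject.CommonName)
	}
	return csr, nil
}

// CertificateAuthority signs an RA-approved request; a 90-day lifetime limits the damage from a lost key.
func CertificateAuthority(ca *x509.Certificate, caKey *ecdsa.PrivateKey,
	csr *x509.CertificateRequest, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify is what a relying party does: chain the presented certificate to a trusted root and check usage.
func Verify(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	root, rootKey, _ := NewRootCA()
	csrDER, _, _ := NewCSR("alice@example.com") // made-up identity
	csr, err := RegistrationAuthority(csrDER, map[string]bool{"alice@example.com": true})
	if err != nil {
		panic(err)
	}
	leaf, _ := CertificateAuthority(root, rootKey, csr, 2)
	fmt.Println("issued to", leaf.Subject.CommonName, "chain ok:", Verify(leaf, root) == nil)
}
```

Two things worth noticing: the private key generated in NewCSR is never passed to the RA or the CA, and a CSR whose identity is not on the RA's list is refused before the CA ever sees it, which is the separation of duties the RA exists for.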
Why should firms worry about scaling PKI remotely?
COVID-19 has not only created a health crisis across the globe but also caused havoc in cyber space, a cyber pandemic of sorts. The number of cyber-attacks has increased many times over since the start of the pandemic. Cyber criminals are exploiting employees' remote working arrangements and the newly deployed remote access solutions. Numbers suggest that the volume of cyber-attacks rose by 33% during the initial days of the pandemic. Recent attacks on one of the largest gas pipelines and on a major meat supplier show that even major firms with huge infrastructure are no exception.
Why use Public Key Infrastructure (PKI)?
Traditional cyber security mechanisms such as password-based protection and multi-factor authentication are in place to secure sensitive data accessed remotely. These techniques are no longer foolproof: passwords are phished, reused and sprayed, and one-time codes delivered by SMS or an authenticator app can be relayed through a phishing page in real time, so cyber criminals regularly get past them. Many cyber security research organizations are therefore recommending a move away from these approaches. Leveraging Public Key Infrastructure (PKI) to implement certificate-based authentication, in which the user proves possession of a private key that is never transmitted, provides stronger security for sensitive data than the traditional approaches.
PKIaaS – Public Key Infrastructure as a Service
Public Key Infrastructure as a Service (PKIaaS) is a cloud-based security service that delivers PKI to an organization wherever its people and systems are. PKIaaS adapts to multiple security scenarios and can be deployed quickly for remote working. Building and running a PKI in-house requires HSMs, servers, software and skilled staff; an on-demand PKIaaS solution can significantly reduce those costs and keep them under control. PKI provides stronger security than the password-based protection or multi-factor authentication currently in use for protecting sensitive data. As research firms such as Forrester and Gartner say, it is preferable to adopt a "Zero Trust" security model to reduce the risk exposure of your business and employees, and PKI can be one of the founding layers of a Zero Trust strategy, because every user and device must present a verifiable identity before it is granted access. There are three critical steps your organization can follow to scale PKIaaS remotely and protect data spread across many places.
Why use PKI as a Service (PKIaaS)?
PKI as a Service (PKIaaS) is a cloud-based cyber security offering for protecting sensitive data. Firms have the option of an on-premises PKI, a cloud PKIaaS, or a hybrid model combining on-premises and cloud PKI. So why should firms choose PKIaaS for their key management and certificate lifecycle? There are three important benefits:
- Efficiency: Eliminate software and hardware investment costs and opt for a custom-built pay-as-you-scale service.
- Scalability: Scale from zero to millions of certificates on-demand, and expand your PKI’s scope to other systems (IoT, DevOps, Cloud etc.) using our library of pre-built integrations.
- Security: PKIaaS is set up to a high security standard in compliance with cyber regulations and standards. Firms retain full control over the root Certificate Authority (CA) and the management system.
Critical steps involved in PKI as a Service (PKIaaS)
PKI as a Service (PKIaaS) has become highly critical for firms handling sensitive data remotely. PKIaaS is easy to set up and can be scaled to the requirements of the firm. The three steps are:
- PKI certificate-based authentication to replace traditional password-based protection.
- PKI certificate authentication to replace traditional multi-factor authentication.
- Automation of identity certificate management.
PKI Certificate based authentication vs Password based protection
According to the Verizon 2019 Data Breach Investigations Report, 62% of breaches involved phishing, stolen credentials or brute force. From this we can deduce that the majority of data breaches involved passwords being disclosed, whether willingly, by accident or through hacking techniques such as brute-force attacks, which makes passwords a weak form of protection.
PKI-based user identity certificates used in certificate-based authentication can be considered one of the strongest forms of identity authentication. They also make life easier for employees, who no longer have to remember and frequently update passwords. In certificate-based authentication the user proves possession of the private key that matches the certificate, and the relying party checks that the certificate chains to a trusted CA and has not been revoked.
Reasons why PKI based authentication is better:
- The private key used for authentication always stays in the client environment (ideally in a TPM, smart card or other hardware key store) and is never sent to the server.
- The server stores only the certificate, which is public, so a private key cannot be stolen in transit or from a server-side repository; the one place it can be stolen from is the client device, which is why hardware-backed storage matters.
- Unlike passwords, private keys cannot be guessed: there is no equivalent of password spraying or credential stuffing, and brute-forcing a 2048-bit RSA or P-256 key is computationally infeasible, not merely a matter of years.
- There is no need to remember digital certificates or change them as frequently as passwords; renewal is handled by the PKI, not by the user.
PKI certificate authentication vs Traditional multi factor authentication
It is well known that multi-factor authentication, whether via a hardware token or mobile SMS/call-based verification, provides additional security compared with password-based protection alone. Unfortunately, it is cumbersome for employees, who must go through extra steps each time they authenticate, and the SMS and OTP variants can still be phished. PKI certificate-based authentication eliminates that extra step and still provides stronger data security: possession of the private key is the factor, and when the key is held on a smart card or TPM that is unlocked with a PIN, the result is itself a phishing-resistant form of two-factor authentication.
Advantages of using PKI authentication over traditional multi factor authentication are:
- Employees need not worry about carrying and securing an extra hardware token or device for additional security.
- The extra step of entering a token code or one-time password (OTP) is avoided.
- Connected devices can be trusted and authenticated, not just their users.
- PKI certificate authentication covers multiple use cases and multiple kinds of entity: users, machines and devices (including mobile).
Using PKI you can satisfy multiple use cases, such as user authentication, machine authentication, Windows logon, access to corporate email and VPN access, to name a few.
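What "the private key stays on the client and the server stores only the certificate" means in practice, as an added example serving both the password comparison and the multi-factor comparison above. This is illustrative Go, not code from this page or from any product: the server issues a random nonce, the client signs it with its private key, and the server verifies the signature with the public key it recorded at enrollment. The user name, the transcript format and the in-memory key store are assumptions; a real deployment keeps the client key in a TPM or smart card and takes the public key from the CA-issued certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Client holds the private key; here an in-memory key stands in for a TPM or smart card.
type Client struct {
	User string
	key  *ecdsa.PrivateKey
}

// Server keeps only public material plus outstanding nonces; a dump of this store lets nobody log in.
type Server struct {
	enrolled map[string][]byte // user -> PKIX-encoded public key from the enrolled certificate
	nonces   map[string]bool   // outstanding challenges, consumed on first use
}

func NewClient(user string) (*Client, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{User: user, key: key}, nil
}

// PublicKeyDER is what enrollment submits (in practice via a CSR and the resulting certificate).
func (c *Client) PublicKeyDER() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&c.key.PublicKey)
}

func NewServer() *Server {
	return &Server{enrolled: map[string][]byte{}, nonces: map[string]bool{}}
}

func (s *Server) Enroll(user string, pubDER []byte) { s.enrolled[user] = pubDER }

// Challenge hands out a fresh 256-bit nonce; each is accepted once, so a captured response cannot be replayed.
func (s *Server) Challenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return n, nil
}

// transcript binds the signature to the user and the nonce so a response for one account cannot serve another.
func transcript(user, nonce string) []byte {
	d := sha256.Sum256([]byte("cert-auth-v1|" + user + "|" + nonce)) // assumed wire format
	return d[:]
}

// Respond is the only client-side step: sign the transcript. The private key is used but never transmitted.
func (c *Client) Respond(nonce string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.key, transcript(c.User, nonce))
}

// Authenticate verifies the response with the public key enrolled for that user.
func (s *Server) Authenticate(user, nonce string, sig []byte) error {
	if !s.nonces[nonce] {
		return errors.New("unknown or already used nonce")
	}
	delete(s.nonces, nonce)
	pubDER, ok := s.enrolled[user]
	if !ok {
		return errors.New("user not enrolled")
	}
	pub, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported key type")
	}
	if !ecdsa.VerifyASN1(ecPub, transcript(user, nonce), sig) {
		return errors.New("signature does not verify against enrolled key")
	}
	return nil
}

func main() {
	alice, _ := NewClient("alice@example.com") // made-up identity
	srv := NewServer()
	pub, _ := alice.PublicKeyDER()
	srv.Enroll(alice.User, pub)
	nonce, _ := srv.Challenge()
	sig, _ := alice.Respond(nonce)
	fmt.Println("login:", srv.Authenticate(alice.User, nonce, sig))
	fmt.Println("replay:", srv.Authenticate(alice.User, nonce, sig))
}
```

Compare this with a password database: an attacker who copies the server's enrolled map gets public keys and cannot answer the next challenge, and an attacker who captures one login on the wire gets a signature over a nonce that the server will never accept again. Neither property holds for a password or a relayed OTP.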
Automation of identity certificate management using PKIaaS
The final step in scaling PKI remotely through PKIaaS is to automate certificate management. This reduces the burden on IT staff by removing the technically intensive manual work of certificate deployment, renewal and revocation, and it lets certificates be replaced or revoked quickly when needed.
Benefits of automating certificate lifecycle:
- Certificate discovery: Scan the business landscape to identify the certificates in use, where they are installed, who issued them and when they expire; you cannot renew or revoke what you do not know about.
- Certificate deployment: Automated issuance of certificates and installation on the target systems.
- Certificate renewal and revocation: Automatically renew certificates before they expire, and revoke them when the private key is compromised or the system is decommissioned. An expired certificate is already invalid and does not need to be revoked; a compromised certificate must be revoked even if it is nowhere near expiry.
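The renewal and revocation rules above as a decision function over a discovery inventory, added here as an illustration and not taken from this page or any vendor's automation. The inventory, the host names and the renewal window (a third of the certificate's lifetime, capped at 30 days, so that 7-day and 365-day certificates are both renewed early enough to survive a missed run) are constructed assumptions; the certificate records carry only the fields the lifecycle logic needs and are not signed.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"time"
)

// Action is what the automation should do with a discovered certificate.
type Action string

const (
	ActionOK      Action = "ok"
	ActionRenew   Action = "renew"
	ActionReplace Action = "expired: reissue, no revocation needed"
	ActionRevoke  Action = "revoke and reissue"
)

// Finding is one discovery result: where the certificate was found, the certificate,
// and whether its private key is known to be compromised.
type Finding struct {
	Location    string
	Cert        *x509.Certificate
	Compromised bool
}

// RenewalWindow is how long before expiry a certificate should be renewed: a third of
// its lifetime, capped at 30 days (assumed policy).
func RenewalWindow(c *x509.Certificate) time.Duration {
	w := c.NotAfter.Sub(c.NotBefore) / 3
	if limit := 30 * 24 * time.Hour; w > limit {
		w = limit
	}
	return w
}

// Classify decides the action for one finding as of time now.
func Classify(f Finding, now time.Time) Action {
	switch {
	case f.Compromised:
		return ActionRevoke // a valid, far-from-expiry certificate still has to go
	case !now.Before(f.Cert.NotAfter):
		return ActionReplace // already invalid everywhere; revoking it changes nothing
	case now.Add(RenewalWindow(f.Cert)).After(f.Cert.NotAfter):
		return ActionRenew
	default:
		return ActionOK
	}
}

// Plan groups an inventory by action so each group can be handed to the issuance,
// renewal or revocation job.
func Plan(inv []Finding, now time.Time) map[Action][]string {
	out := map[Action][]string{}
	for _, f := range inv {
		a := Classify(f, now)
		out[a] = append(out[a], f.Location+" ("+f.Cert.Subject.CommonName+")")
	}
	return out
}

// sample builds an unsigned certificate record with only the fields the logic reads.
func sample(cn string, notBefore time.Time, days int) *x509.Certificate {
	return &x509.Certificate{
		Subject:   pkix.Name{CommonName: cn},
		NotBefore: notBefore,
		NotAfter:  notBefore.AddDate(0, 0, days),
	}
}

// SampleInventory is a constructed discovery result as of 1 June 2021; hosts are made up.
func SampleInventory() ([]Finding, time.Time) {
	now := time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC)
	return []Finding{
		{"vpn-gw-01:443", sample("vpn.example.com", now.AddDate(0, 0, -300), 365), false},
		{"mail-01:587", sample("mail.example.com", now.AddDate(0, 0, -350), 365), false},
		{"laptop-4711", sample("alice@example.com", now.AddDate(0, 0, -120), 90), false},
		{"build-agent-7", sample("ci.example.com", now.AddDate(0, 0, -1), 7), true},
		{"api-gw:443", sample("api.example.com", now.AddDate(0, 0, -10), 90), false},
	}, now
}

func main() {
	inv, now := SampleInventory()
	for action, items := range Plan(inv, now) {
		fmt.Printf("%-40s %v\n", action, items)
	}
}
```

With this inventory the mail server (15 days left) is renewed, the laptop certificate (expired 30 days ago) is simply reissued, the build agent's 7-day certificate is revoked despite being one day old because its key is compromised, and the other two are left alone.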
Encryption Consulting's Managed PKI
Encryption Consulting LLC (EC) will completely offload your Public Key Infrastructure environment: EC will build the PKI infrastructure and then lead and manage the PKI environment (on-premises, PKI in the cloud or a cloud-based hybrid PKI) for your organization.
Encryption Consulting will deploy and support your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory will not be required, and control over your PKI and its associated business processes will always remain with you. Furthermore, for security reasons the CA keys will be held in FIPS 140-2 Level 3 HSMs hosted either in your secure datacentre or in the Encryption Consulting datacentre in Dallas, Texas.