Read time: 7 minutes, 30 seconds
In this discussion whiteboard, let us understand what is PKI? What are several components involved in Public Key Infrastructure (PKI)? Most importantly, how the recent global pandemic situation across the world is forcing companies to prefer remote working facilities and this in turn is posing a lot of threat for firm’s sensitive data. To secure the sensitive data, we need to understand how to scale the Public Key Infrastructure remotely in order to defend various data breach attacks. Let’s get into the topic:
What is Public Key Infrastructure - PKI?
PKI or Public Key Infrastructure is cyber security technology framework which protects the client – server communications. Certificates are used for authenticating the communication between client and server. PKI also uses X.509 certificates and Public keys for providing end-to-end encryption. In this way, both server and client can ensure trust on each other and check the authenticity for proving the integrity of the transaction. With the increase in digital transformation across the globe, it is highly critical to use Public Key Infrastructure for ensuring safe and secure transactions. PKI has vast use cases across several sectors and industries including Medical and Finance.
What are important components in Public Key Infrastructure?
- Digital Certificates: Most critical component in Public Key Infrastructure (PKI) is Digital certificates. These certificates are used to validate and identify the connections between server and client. This way, the connections formed are very secure and trusted. Certificates can be created individually depending on the scale of operations. If the requirement is for a large firm, PKI digital certificates can be purchased from trusted third party issuers.
- Certificate Authority: Certificate Authority (CA) provides authentication and safeguards trust for the certificates used by the users. Whether it might be individual computer systems or servers, Certificate Authority ensures digital identities of the users is authenticated. Digital certificates issued through certificate authorities are trusted by devices.
- Registration Authority: Registration Authority (RA) is an approved component by Certificate Authority for issuing certificates for authenticated users based requests. RA certificate requests ranges from individual digital certificate to sign email messages to companies planning to setup their own private certificate authority. RA sends all the approved requests to CA for certificate processing.
Why should firms automate their Public Key Infrastructure (PKI)?
Manually managing certificates and their lifecycle requires lot of technical expertise and skill. Also, huge amount of time is consumed for the certificate management process. Along with this criteria, there are high chances human errors creeping into the process. A simple error can prove very costly for your firm’s cyber security as it might lead to a data breach. In order to overcome the hurdles of finding experienced resources for managing the certificate lifecycle cyber security experts have come up with the process of automating PKI. This will not only save time and money for the organization but also satisfies the compliance and regulatory requirements.
What are the benefits of PKI automation?
As discussed before, firms are now looking towards automation of their Public Key Infrastructure to enhance the expertise in managing their certificates lifecycle and provide increased security for their high sensitive data. At a high level, there are three benefits identified for shifting towards PKI automation.
- All-inclusive Data Security
- Operational Efficiency
- Business Continuity Management
All-inclusive Data Security: PKI automation will help in drastically reducing the human errors which would result in increasing risk of data breach. Automation will help in managing the certificate lifecycle with precision. Activities such as certificate renewal and/or replacement can be performed on-time. PKI Automation ensures that all the machines which requires new certificate deployment or replacement are immediately addressed with accuracy. This will eliminate the any risk of non-compliance due to outdated certificates in critical systems.
Operational Efficiency: Operational efficiency is an important parameter for any organization’s success. PKI automation will save ample amount of time that goes into manually managing the certificate lifecycle. Also, there will be better efficiency in handling the certificate activities. Leveraging automation of PKI will help in reducing the cost burden on the firms. Considering all the mentioned factors we can safely quote that operational efficiency will be enhanced through PKI automation.
Business Continuity Management: If there is one important lesson we learnt from the recent global pandemic is handling unexpected outages due to known and unknown factors. A recent survey provided data that poor certificate management is the major cause for system outrages. Manual handling of certificate management is the main reason for unwanted certificate expiry and improper deployment of new certificates. PKI automation process which includes automated discovery of endpoint machines, new certificate deployment and renewal or re-issuance of near expiry certificates will eliminate the risk of system outages and in-turn strengthens the Business continuity management of the organization.
How to automate PKI?
There are several ways to automate Public Key Infrastructure (PKI) depending on the organization requirements. You need to choose the appropriate implementation method to automate your PKI for enhanced efficiency. Method of implementation also depends on your Certificate Authority (CA) and its provision of APIs for integration. Let us discuss at a high level on four different ways to implement PKI automation.
- REST API Integration.
- Simple Certificate Enrollment Protocol (SCEP).
- Enrollment over Secure Transport (EST).
- Active Directory Auto-Enrollment.
One of the prominent and most common way of automating your PKI is using API integration. If your Certificate Authority (CA) and corresponding tools, software support API integration then you can leverage REST API Integration. You can perform API integration either from scratch where you develop your own scripts for making API calls with server for requesting certificate and passing it on to device. Other way is through leveraging the existing tools in market which will help in performing integration for automating PKI. Prominent software solutions such as Tanium, Casper, etc. provide you with integration support for automation.
Second option is SCEP. SCEP is an open-source certificate management protocol that stands for Simple Certificate Enrollment Protocol, automating the task of certificate issuance. SCEP is a readily available protocol supported by majority of operating systems such as Android, Microsoft windows, Linux, iOS and other major OS. This option requires SCEP agent on the device and works in concurrence with your enterprise device management tools. Enabling software sends script down the device for retrieving the certificate and configuration details hits SCEP service. One of the major advantage is SCEP agent is aware of retrieving certificates to the device.
Third option available for implementing PKI automation is EST – Enrollment over Secure Transport. EST is an enhancement to SCEP and provides all the functionalities we get from SCEP. Additional feature offered by EST is the support of Elliptic Curve Cryptography (ECC). Both SCEP and EST are used to automate the Certificate enrollment process, but the difference is that SCEP uses Shared Secret protocol and CSRs for enrolling Certificates, whereas EST uses TLS for authentication. EST uses TLS to securely transport the messages and Certificates, whereas SCEP uses PkcsPKIEnvelope envelopes to secure the messages.
Last option for our discussion to automate certificate management is Microsoft Active Directory (AD) Auto-Enrollment. Windows PCs and servers can utilize this option using Microsoft certificate store. Services such as Internet Information Services (IIS), Exchange server uses Microsoft certificate store for auto Enrollment. As you can understand, this option will be only applicable on Windows machines which use Microsoft services.
Finally, which option to choose for implementing PKI automation is solely and completely dependent on the organization’s IT infrastructure. Consulting firms like us will come into play in this step of selecting the implementation of PKI automation with less effort, overheads and more efficiency.
Encryption Consulting's Managed PKI
Encryption Consulting LLC (EC) will completely offload the Public Key Infrastructure environment, which means EC will take care of building the PKI infrastructure to lead and manage the PKI environment (on-premises, PKI in the cloud, cloud-based hybrid PKI infrastructure) of your organization.
Encryption Consulting will deploy and support your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory will not be required and control over your PKI and its associated business processes will always remain with you. Furthermore, for security reasons the CA keys will be held in FIPS 140-2 Level 3 HSMs hosted either in in your secure datacentre or in our Encryption Consulting datacentre in Dallas, Texas.