In this whiteboard discussion, let us understand what PKI is and which components make up a Public Key Infrastructure (PKI). Most importantly, the recent global pandemic is forcing companies to adopt remote working, and this in turn poses a serious threat to firms' sensitive data. To secure that data, we need to understand how to scale the Public Key Infrastructure remotely in order to defend against data breach attacks. Let's get into the topic:
Are cyber security practices such as Public Key Infrastructure still relevant in the COVID-19 pandemic era?
To answer this question, we need to look at the findings of a survey conducted by PwC on the financial measures CFOs are considering during the COVID-19 global pandemic to reduce the impact on their businesses and stay sustainable. An interesting finding is that, of all the CFOs who responded, 67% are considering cancelling or deferring planned investments to reduce the financial burden on their firms. Of that 67%, only 2% are considering cutting planned activities in cyber security, while the rest are not willing to trim the budget for data protection. This clearly indicates the importance of cyber security, especially encryption and PKI, during a pandemic in which data is spread across many places, as so many employees are working from remote locations.
What made cyber security, especially Public Key Infrastructure (PKI), critical during COVID-19?
It is well known that cyber security was critical to any firm holding sensitive data even before the COVID-19 pandemic hit the globe. During the pandemic, this aspect of cyber security became even more critical, with employees who handle sensitive data working remotely all over the world. This complicates tracking down sensitive data (at rest, in transit and in use) and protecting it. So handling Public Key Infrastructure (PKI) remotely became critical for revoking short-lived certificates and managing the existing, live certificates. Managing PKI remotely is also critical for compliance, as companies may face heavy penalties for non-compliance with several international standards. PKI can be leveraged to protect email, VPN access, user authentication and website certificate management. PKI has become a business-critical asset in the cyber security domain during the COVID-19 global pandemic.
What is PKI?
PKI, or Public Key Infrastructure, is a cyber security framework that protects client-server communications. Certificates are used to authenticate the communication between client and server. PKI uses X.509 certificates and public keys to establish end-to-end encryption. In this way, both server and client can establish trust in each other and verify each other's authenticity, protecting the integrity of the transaction. With digital transformation accelerating across the globe, it is highly critical to use Public Key Infrastructure to ensure safe and secure transactions. PKI has many use cases across sectors and industries, including the medical and finance fields.
What are important components in Public Key Infrastructure?
- Digital Certificates: The most critical component in Public Key Infrastructure (PKI) is the digital certificate. Certificates are used to identify and validate the parties in a connection between server and client, so that the connections formed are secure and trusted. Certificates can be created individually, depending on the scale of operations; for a large firm, PKI digital certificates can be purchased from trusted third-party issuers.
- Certificate Authority: The Certificate Authority (CA) issues certificates and safeguards trust in the certificates used by users. Whether for individual computer systems or servers, the CA ensures that the digital identities of users are authenticated. Digital certificates issued through certificate authorities are trusted by devices.
- Registration Authority: The Registration Authority (RA) is a component approved by the Certificate Authority to handle certificate requests from authenticated users. These requests range from an individual digital certificate for signing email messages to a company planning to set up its own private certificate authority. The RA forwards all approved requests to the CA for certificate processing.
That should have given you a good answer to the question of how a PKI works. Now let's learn why you should scale your PKI remotely.
Why should firms worry about scaling PKI remotely?
COVID-19 has not only created a health crisis across the globe, it has also created havoc in cyberspace, amounting to a cyber pandemic as well. There has been a multi-fold increase in the number of cyber-attacks since the start of the COVID-19 pandemic. Cyber-criminals are exploiting employees' remote working arrangements and newly deployed remote access solutions to carry out attacks. Numbers suggest that during the initial days of the global pandemic, the volume of cyber-attacks rose by 33%. Recent attacks on one of the largest gas pipelines and on a major meat supplier show that even major firms with huge infrastructures are not immune to these attacks.
Why use PKI?
There are several good traditional cyber security mechanisms, such as multi-factor authentication and password-based protection, in place to secure sensitive data remotely, but these techniques are no longer foolproof, as cyber-criminals are manipulating them and breaching secured perimeters. Because cyber-criminals are able to defeat these techniques, many cyber security research organizations are advising a move away from them. Leveraging Public Key Infrastructure to implement certificate-based authentication provides stronger security for sensitive data than the traditional approaches.
How can you leverage Public Key Infrastructure (PKI) remotely?
Public Key Infrastructure (PKI) can provide stronger security than password-based protection or multi-factor authentication, which are commonly used to protect sensitive data. As research firms such as Forrester and Gartner say, it is always preferable to adopt a "Zero Trust Security Model" to reduce the risk of exposing your business and employees, and PKI can be one of the most important layers in achieving a "Zero Trust" strategy. There are three critical steps your organization can follow to scale Public Key Infrastructure remotely and protect data spread across different locations:
- PKI certificate-based authentication can be used to replace traditional password-based protection.
- PKI certificate authentication can be used to replace traditional multi-factor authentication.
- Automation of identity certificate management can also be implemented.
PKI certificate-based authentication vs password-based protection
As per Verizon's 2019 Data Breach Investigations Report, 62% of breaches are caused by phishing, stolen credentials or brute force. From this research data, we can deduce that the majority of data breaches involved password leakage, whether willingly or by accident, or were carried out through hacking techniques such as brute force attacks, which makes password-based protection more vulnerable.
On the other hand, PKI-based user identity certificates used in certificate-based authentication can be considered one of the strongest forms of identity authentication. This also makes life easier for employees, as they are not required to remember passwords and update them frequently. In certificate-based authentication, digital certificates are used to authenticate the user.
Reasons why PKI-based authentication is better:
- The private key used for authentication always resides in the client environment.
- The private key is never sent over the network or stored in server repositories, so it cannot be stolen in transit or at rest on the server.
- Unlike passwords, the keys behind digital certificates can take years to crack by brute force.
- There is no need to remember digital certificates or change them frequently, as there is with passwords.
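The components and the authentication flow described above, as an added example that is not part of the original article: a root CA (the Certificate Authority component) issues an identity certificate, the client proves possession of its private key by signing a one-time nonce, and the server accepts the login only if the certificate chains to a CA it trusts and the signature verifies. The CA name, the user identity and the 24-hour lifetime are constructed values for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue has the signing CA bind cn to pub in an X.509 certificate; a nil parent yields the CA's own self-signed root.
func issue(cn string, isCA bool, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), // constructed lifetime
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // marks it as a client-login certificate
	}
	if parent == nil { parent = tmpl } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// authenticate is the server side of certificate-based login: chain to a trusted CA, then proof of key possession.
func authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return false // untrusted issuer, expired, or not a client-auth certificate
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, nonce, sig) // the nonce is fresh per login, so a captured signature cannot be replayed
}

func main() {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue("Example Corp Root CA", true, caPub, nil, caKey) // the Certificate Authority (constructed name)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the only issuer this server trusts
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	user := issue("alice@example.com", false, userPub, ca, caKey) // identity certificate for a (constructed) employee
	nonce := make([]byte, 32)
	rand.Read(nonce)                    // server-side challenge
	sig := ed25519.Sign(userKey, nonce) // the private key never leaves the client
	fmt.Println("login accepted:", authenticate(roots, user, nonce, sig))
}
```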
PKI certificate authentication vs traditional multi-factor authentication
It is well known that multi-factor authentication, whether via a hardware token or mobile SMS/call-based verification, provides additional security compared to password-based protection alone. Unfortunately, it is a cumbersome process for employees, as there are extra steps in the authentication cycle. PKI certificate-based authentication eliminates this extra step while still providing stronger data security.
Advantages of PKI certificate authentication over traditional multi-factor authentication:
- Employees need not worry about carrying and securing extra hardware tokens or devices for additional security.
- The extra step of entering a secure token ID or one-time password (OTP) can be avoided.
- Connected devices can be trusted and authenticated.
- PKI certificate authentication covers multiple entity types, such as users, machines and (mobile) devices.
- PKI satisfies multiple use cases, such as user authentication, machine authentication, Windows logon, access to corporate email and VPN access, to name a few.
Automation of identity certificate management
The final step in scaling PKI remotely is to automate certificate management. This reduces the burden on IT staff by removing the labour-intensive manual process of certificate deployment, renewal and revocation, and lets IT staff replace or revoke certificates quickly.
Benefits of automating the certificate lifecycle:
- Certificate discovery: Running discovery to identify the certificates in use across the business landscape.
- Certificate deployment: Automated issuance and installation of certificates.
- Certificate review: Automatically renewing certificates wherever necessary and revoking them once they expire.