PKI – Assessment

continue

"The concept of risk is built around the fact that a lot of things can leave you open to a problem and often you don’t even know what these things are."

Encryption Consulting has their own custom framework for doing a Public Key Infrastructure (PKI) Assessment for a customer based on NIST, PKI & HSM best practices. Every area of the customer’s PKI is evaluated and assigned a risk rating. This enables organizations to identify high risk components and prioritize remediation efforts. The scorecard from Encryption Consulting is an invaluable tool to security teams trying to plug gaps with a limited budget.

The PKI Assessment engagement will consist of assessing the current certificate management practices used by the Customer and the development of a strategy and roadmap for certificate management.

Below are the objectives of the PKI Assessment.

We at Encryption Consulting strive to follow every objective on every engagement:

In this phase of the engagement, we will perform the following activities:

  1. Review Customers existing PKI (on-prem /Cloud-based PKI) procedures across the customers’ environment. The review will include an assessment of current certificate request, issuance and provisioning processes, and review the current policies.
  2. Analyze the current inventory of certificates provided by the Customer for the following certificate types: server TLS (Transport Layer Security), email S/MIME (Secure/Multipurpose Internet Mail Extensions), code signing, client and device certificates.
  3. Assist the Customer in defining a future state for certificate management with the following goals:
    • Enhanced security & governance
    • Consolidation and simplification of tools, processes etc. globally.
    • Automation (e.g., ServiceNow integration, end to end life cycle etc.)
    • Cost optimization
  4. Assist the Customer in developing a strategy for PKI based on the observations from the review program analysis, the Customer’s certificate inventory analysis, and the defined future state.

This engagement will be delivered over an eight-week period.

PKI Assessment

EC will perform the following activities and document the results for deliverables:

  • Identification of stakeholders and information gathering sessions
  • Review of current process followed across the business units globally
  • Analysis of Customer provided certificate inventory
  • Identification of gaps and provide recommendations as required

PKI Strategy and Recommendations

PowerPoint presentation with strategy and recommendations, including:

  • Summary of observations from the certificate management assessment
  • Definition of future state including, but not limited to, requirements for certificate management
  • Recommendations for process and technology for certificate management
  • A strategy and high-level transition plan from current to future state

PKI Assessment Engagement

The PKI Assessment engagement is described in the following steps:

Project Initiation

Project planning
  • Confirm stakeholders
  • Discuss kick-off meeting logistics and participants
  • Identify working space
  • Agree upon communication and status reporting protocols
  • Agree on read team testing scenario, scope and timing
Work Products
  • Confirmed stakeholder list
  • Work plan
Kick-off
  • Conduct kick-off meeting with key stakeholders
  • Coordinate and schedule interviews and/or workshops
  • Documentation request
  • Gain initial insights to Customer environment
Work Products
  • Kick-off meeting presentation
  • Interviewee list

PKI Program Assessment

Risk and Maturity Assessment
  • Review security policies, organization and governance
  • Conduct up to 5 interviews with executives, IT, InfoSec and business groups
  • Identify overall security program gaps and score security domains
  • Identify benchmark data
  • Develop key current state themes based on assessment
  • Conduct current state validation workshop
Work Products
  • Validated current state
  • Identification of security risks and gaps for each area
  • Top risk-ranked assets

Roadmap Development

Recommendations and Roadmap
  • Identify possible root causes and risks associated with gaps
  • Develop strategic, tactical, and “quickwin” initiatives
  • In collaboration with stakeholders, prioritize initiatives in a roadmap
  • Review roadmap with customer
Work Products
  • Detailed report outlining gaps and roadmap of prioritized initiatives

Reporting

Executive Summary
  • Draft executive summary and report
  • Obtain management feedback
  • Finalize report
Work Products
  • Executive level business and technical summary report
  • Final customer Information Security

Case Study

See how Encryption Consulting assisted a Retail institution in implementing a new PKI Infrastructure.

Icon

“Encryption Consulting developed a PKI Strategy for our organization which helped us remediate our current PKI environment in different areas such as PKI Operations, Certificate lifecycle management, and Design & Architecture .”

CISO, Financial Institution

Blog

Digital trends driving pki usage

Public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates

Report

nCIPHERS Global PKI and IoT Trends

According to the findings, the rapid growth in the use of IoT devices1 is having an impact on the use of PKI technologies

Download Report
Know more

Other Public key infrastructure Services