PKI – Assessment

continue

"The concept of risk is built around the fact that a lot of things can leave you open to a problem and often you don’t even know what these things are."

Encryption Consulting has their own custom framework for doing a Public Key Infrastructure (PKI) Assessment for a customer based on NIST, PKI & HSM best practices. Every area of the customer’s PKI is evaluated and assigned a risk rating. This enables organizations to identify high risk components and prioritize remediation efforts. The scorecard from Encryption Consulting is an invaluable tool to security teams trying to plug gaps with a limited budget.

The PKI Assessment engagement will consist of assessing the current certificate management practices used by the Customer and the development of a strategy and roadmap for certificate management.

Below are the objectives of the PKI Assessment.

We at Encryption Consulting strive to follow every objective on every engagement:

  • Understand the current state of PKI systems, processes, and use cases across the organization
  • Assess the maturity of the PKI environment against a defined framework and comparative organizations
  • Provide observations and recommendations regarding current and future PKI initiatives to help achieve Customer’ desired future state capabilities
Request Quote

In this phase of the engagement, we will perform the following activities:

  1. Review Customers existing PKI (on-prem /Cloud-based PKI) procedures across the customers’ environment. The review will include an assessment of current certificate request, issuance and provisioning processes, and review the current policies.
  2. Analyze the current inventory of certificates provided by the Customer for the following certificate types: server TLS (Transport Layer Security), email S/MIME (Secure/Multipurpose Internet Mail Extensions), code signing, client and device certificates.
  3. Assist the Customer in defining a future state for certificate management with the following goals:
    • Enhanced security & governance
    • Consolidation and simplification of tools, processes etc. globally.
    • Automation (e.g., ServiceNow integration, end to end life cycle etc.)
    • Cost optimization
  4. Assist the Customer in developing a strategy for PKI based on the observations from the review program analysis, the Customer’s certificate inventory analysis, and the defined future state.

This engagement will be delivered over an eight-week period.

Request Quote

PKI Assessment

EC will perform the following activities and document the results for deliverables:

  • Identification of stakeholders and information gathering sessions
  • Review of current process followed across the business units globally
  • Analysis of Customer provided certificate inventory
  • Identification of gaps and provide recommendations as required

PKI Strategy and Recommendations

PowerPoint presentation with strategy and recommendations, including:

  • Summary of observations from the certificate management assessment
  • Definition of future state including, but not limited to, requirements for certificate management
  • Recommendations for process and technology for certificate management
  • A strategy and high-level transition plan from current to future state

PKI Assessment Engagement

The PKI Assessment engagement is described in the following steps:

Project Initiation

Project planning
  • Confirm stakeholders
  • Discuss kick-off meeting logistics and participants
  • Identify working space
  • Agree upon communication and status reporting protocols
  • Agree on read team testing scenario, scope and timing
Work Products
  • Confirmed stakeholder list
  • Work plan
Kick-off
  • Conduct kick-off meeting with key stakeholders
  • Coordinate and schedule interviews and/or workshops
  • Documentation request
  • Gain initial insights to Customer environment
Work Products
  • Kick-off meeting presentation
  • Interviewee list

PKI Program Assessment

Risk and Maturity Assessment
  • Review security policies, organization and governance
  • Conduct up to 5 interviews with executives, IT, InfoSec and business groups
  • Identify overall security program gaps and score security domains
  • Identify benchmark data
  • Develop key current state themes based on assessment
  • Conduct current state validation workshop
Work Products
  • Validated current state
  • Identification of security risks and gaps for each area
  • Top risk-ranked assets

Roadmap Development

Recommendations and Roadmap
  • Identify possible root causes and risks associated with gaps
  • Develop strategic, tactical, and “quickwin” initiatives
  • In collaboration with stakeholders, prioritize initiatives in a roadmap
  • Review roadmap with customer
Work Products
  • Detailed report outlining gaps and roadmap of prioritized initiatives

Reporting

Executive Summary
  • Draft executive summary and report
  • Obtain management feedback
  • Finalize report
Work Products
  • Executive level business and technical summary report
  • Final customer Information Security

Trusted by

BlueCross BlueShield Logo
Intrado Logo
Pfizer Logo
Centene Corporation Logo
American Airlines Logo
CBC Innovis
JCPenny
Ncipher
procters & gamble
THALES
NTT Data
Verizon
Wells Fargo
Logo Of WellCare Health Plans
Securian Financial
LOgo Of Magellan Health
LUMEN - Global Partner
O U Health - Global Partner
Protegrity - Client
Previous
Next

Case Study

See how Encryption Consulting assisted a Retail institution in implementing a new PKI Infrastructure.

View Case study
Icon

“Encryption Consulting developed a PKI Strategy for our organization which helped us remediate our current PKI environment in different areas such as PKI Operations, Certificate lifecycle management, and Design & Architecture .”

CISO, Financial Institution

Blog

Digital trends driving pki usage

Public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates

Read Blog
Report

nCIPHERS Global PKI and IoT Trends

According to the findings, the rapid growth in the use of IoT devices1 is having an impact on the use of PKI technologies

Download Report
Know more

Other Public key infrastructure Services

×

The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security

The command line signing tool provides a faster method to sign requests in bulk

Robust access control systems can be integrated with LDAP and customizable workflows to mitigate risks associated with granting wrong access to unauthorized users, allowing them to sign code with malicious certificates

Support for customized workflows of an “M of N” quorum with multi-tier support of approvers

Support for InfosSec policies to improve adoption of the solution and enable different business teams to have their own workflow for Code Signing

Validation of code against UpToDate antivirus definitions for virus and malware before digitally signing it will mitigate risks associated with signing malicious code