Read time: 13 minutes
Six Key Factors that decide PKI Health
In this discussion, we are trying to understand a few of the following questions: What is PKI? What are several components involved in Public Key Infrastructure (PKI)? Most importantly, what are the key factors that can be leveraged to perform a PKI health check? Health checks with appropriate deciding factors are critical for ensuring the health of a Public Key Infrastructure. Let’s dive into the topic:
What is Public Key Infrastructure - PKI?
What are important components in a Public Key Infrastructure?
There are three key components to a PKI: Digital Certificates, Certificate Authority, and Registration Authority. PKIs can protect the environment using these three critical components. These components play a crucial role in protecting and securing digital communications and electronic transactions.
- Digital Certificates: The most critical component in a Public Key Infrastructure (PKI) is Digital certificates. These certificates are used to validate and identify the connections between server and client. This way, the connections formed are very secure and can be trusted. Certificates can be created individually depending on the scale of operations. If the requirement is for a large firm, PKI digital certificates can be purchased from trusted third-party issuers. These are the reasons why PKI certificate management is so vital.
- Certificate Authority: A Certificate Authority (CA) provides authentication and safeguards the certificates used by the users. Whether it is individual computer systems or servers, the Certificate Authority ensures the digital identities of the users are authenticated. Digital certificates issued through certificate authorities are trusted by devices.
- Registration Authority: The Registration Authority (RA) is an approved component by the Certificate Authority for issuing certificates for authenticated user-based requests. RA certificate requests range from individual digital certificates to signed email messages to companies planning to setup their own private Certificate Authority. The RA sends all the approved requests to the CA for certificate processing.
Why should firms worry about PKI Health?
A Public Key Infrastructure is not a one-time setup and forget activity. Regular health monitoring is as important as the initial implementation of your PKI, as it plays a crucial and deciding role in the firm’s cyber security. PKI Health monitoring and checking activity will ensure that a steady state of operations is achieved. The majority of certificate policies state that an audit has to be performed on a regular basis to safeguard the compliance of the Certificate Authorities (CAs). It is highly advisable to perform a complete check once a year, at least.
Public Key Infrastructure health checks involve multiple steps and factors. Out of all these, some of the important processes that are included in a standard PKI health check are:
- Patch management and backup.
- Certificate checks: Issuing and revoking of certificates.
- Auditing of the Certificate Authority
Six Key Factors / Indicators that decide PKI Health:
Public key infrastructures, or PKIs, have been around for a considerable amount of time. Most businesses are well aware of their benefits and capabilities by now. However, due to ever-growing cyber threats, it’s important to continually check for major signs of vulnerabilities. It’s important to do an analysis and fix the areas where a fix is needed. This early analysis is a proactive and vigilant measure that significantly reduces the risk of any cyber-attack. If it is passed over without giving it due attention, it may result in a loss of customer data or regulatory penalties.
To ensure PKI health, we have noted six factors that should be observed during the early stages.
- Certificate Validity – All digital certificates have expiry dates. For security reasons, it is unwise to reuse the same digital certificate for a long duration of time without any oversight. If the expiry date is not documented and tracked in an orderly fashion, then the chance of a breach increases. An expired digital certificate provides no security at all.
A good practice is to document the certificate lifecycle of each digital certificate in use and keep it updated. Along with this, ensuring you have strong PKI certificate management processes in place is also extremely important. This process can also be automated with the help of various certificate management tools. Early notification can also be configured, that way all stakeholders are notified before the issuance or renewal of a certificate.
- Certificate Integrity – To convince customers or potential customers to transact or share information over the Internet trust must first be established. One way to do that technically is by using a proper Certificate Authority. These are entities that verify the authenticity of a web-based service or product. Certificate Authorities prevent phishing attempts since they verify SSL/TLS certificates. Digital certificates which are verified by some known Certificate Authority are considered safe and many modern browsers and tools help identify that.
All stakeholders who are associated with the issuance of digital certificates should ensure that the certificates have all the parameters which are required to get them verified by the CA. The process should also be documented, with a clear depiction of association and accountability. This helps in various situations such as seamless renewal of an expired certificate, replacing a corrupted certificate, tracking a compromised certificate in a security event, and taking required preventative actions.
- Certificate Issuance Policy – A Certificate Authority can issue certain restrictions during the issuance of a certificate. There can be varied restrictions such as restricting or force allowing X.509 values, restricting allowed subject fields or allowed issuance modes, etc.
If these are kept in check then backtracking and troubleshooting becomes much easier. The stakeholders should be responsible for tracking all issuance policies associated with each certificate.
- Certificate Endpoints – SSL certificates can be added to endpoints. Sometimes one digital certificate can be associated with multiple endpoints. In such cases, it is important to track it. Hence, each one is updated in scenarios like if the certificate is expired and renewed. These endpoints can become vulnerable and exposed if not tracked appropriately.
- Encryption Key Size – The size of the encryption key is correlated and proportional to key strength. Keys such as RSA 4096 provide high security and assurance because of their larger size, which makes brute force attacks very difficult.
It is important to check for any key that is used which has a small bit size and is therefore weaker. For better PKI health, all existing weak keys should be replaced with stronger ones.
- Encryption Algorithm – A healthy PKI should always contain a strong and robust hashing algorithm. Algorithms keep on getting updated over time to become stronger and swifter. For example, SHA256 is much more secure than say, SHA1. Stakeholders should keep track of what algorithm is being used and if that is the industry standard or not. In the case that any stable update is available, it is better to replace the outdated algorithm.
How will PKI health checks benefit firms?
- Performing regular PKI health checks will ensure a strong overall cyber security posture for the organization.
- Operational effectiveness will be monitored on a regular basis by performing PKI health checking activity regularly.
- Compliance with regulatory standards and frameworks will be ensured as there are periodic checks on certificate health.
- Threat vectors of data loss will be reduced considerably with a reduction in risk.
High availability of critical processes will ensure smooth running of the business.