We are regularly bombarded by news stories that announce the death of this or the
death of that. From memory, we have seen “the death of cash”, the “death of the
PC” and the “death of the token”. Usually, these predictions are triggered by
some sort of event, perhaps the publication of a new report or a
security incident, e.g. the RSA Security
breach. But, after the dust has settled and the crisis teams have moved on to
the next event, what impact, if any, is felt on the product or technology that
has been affected?
In a guest blog, Calum MacLeod, EMEA director, Venafi, explores the role of PKI in
a post-Comodo world and suggests that 2012 could be “the year of Public Key
Infrastructure”.
Alan Goode May 2012
Why 2012 is the year of Public Key Infrastructure
Comodo, Sony, RSA Security and many more have been badly breached recently - but does that
mean the death knell for PKI? Calum MacLeod, Venafi EMEA director, cautions against ringing
that bell just yet
Recently, the IT security world was shaken to its very
core. Established and trusted organizations fell from grace as they became
victims of hacking. In the case of Comodo and StartSSL the resultant outcry has
seen many quick to declare that public key infrastructure (PKI) is dead or
dying. However, I believe it is the best we’ve got and it will not be replaced any
time soon – to argue otherwise is a waste of energy. In fact, I actually think
the reverse and that 2012 is the year of PKI.
I could spend ages telling you about the various hacks
and what went wrong, but many others have already done that, including
myself. Let’s assume, however, that you either know or have read about it elsewhere.
Instead, let’s focus on the critical role certificates
and PKI play in securing data and authenticating systems across all types of
organizations. And think of all the systems that now leverage (and very
effectively I might add) PKI, including the traditional IT data center
infrastructure, public and private clouds, and an exploding number of mobile
devices that require authentication, to name just a few.
Within a PKI, a certificate authority assigns each
system or user a unique identity - a digital certificate - that allows the
certificate holder to work within the protected environment. This allows organizations
to let customers, partners, and employees authenticate to systems and users.
I would argue, perhaps controversially, that PKI delivers a virtually seamless
experience for users while providing trusted security.
And it is the word trusted that many of you will scoff
at.
How can they be trusted?
To pretend that they’re infallible is churlish. Instead,
what needs to be recognized is that the world we live in is imperfect and, a
bit like a car, we need more than one security feature if we’re to prevent
ourselves flying through the windscreen.
Let’s use the car analogy to illustrate the point.
Cars have brakes to stop them in an emergency. Yet, all too often, there are
accidents. Has anyone pointed the finger at the braking system and declared it
dead? Of course not. Instead, the designers have worked tirelessly to improve
the overall safety of vehicles, installing impact bars and roll cages, seatbelts,
and an airbag just to make sure. An organization’s security should be approached
in much the same way.
To do this, we need to first understand the challenges
faced. Depending on the IT environment where keys and certificates are being
deployed, some or all of these risks may apply:
- Certificates that are not renewed and replaced before they expire can cause serious unplanned downtime and costly outages
- Private keys used with certificates must be kept secure or unauthorized individuals can intercept confidential communications or gain unauthorized access to critical systems
- Regulations and requirements (like PCI-DSS) require much more stringent security and management of cryptographic keys, and auditors are increasingly reviewing the management controls and processes in use
- The average certificate and private key require four hours per year to manage, taking administrators away from more important tasks and costing many organizations hundreds of thousands of dollars per year
- If a certificate authority (CA) is compromised or an encryption algorithm is broken, organizations must be prepared to replace all of their certificates and keys in a matter of hours
- The rollout of new projects and business applications is hindered by the inability to deploy and manage encryption to support the security requirements of those projects
Manage Certificates Properly
As this highlights, certificate and encryption or private
key management can be complicated. The fact that there are typically several
people involved in the management of certificates and private keys makes the
probability of error even higher.
Clearly defining roles and responsibilities, so that
everybody knows what they’re responsible for, can significantly decrease the
likelihood of failure and make it easier to work out how to improve processes
when something does go wrong. In some areas, system administrators will
manually enroll for and install certificates. In others, a central system may
be used for automated installation.
The last thing you want as an organization is to be
running around trying to figure out who is responsible for a key or certificate
when an issue arises. Compile a list of responsible groups and/or individuals
for each key and certificate in your inventory and develop a method for keeping
the information current.
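A minimal version of such an inventory check, as an added example that is not part of the original article: it reads an inventory with one owner per certificate and reports expired, soon-to-expire and ownerless certificates, plus everything that would need reissuing if a given CA were compromised. The host names, issuers, owners and dates are constructed sample data.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (hypothetical hosts, issuers and owners).
INVENTORY_CSV = """\
common_name,issuer,not_after,owner
www.example.test,Example Public CA,2012-06-10,web-team@example.test
vpn.example.test,Example Public CA,2012-05-03,
mail.example.test,Internal Issuing CA,2013-01-15,messaging@example.test
api.example.test,Example Public CA,2012-12-01,platform@example.test
"""

def load_inventory(text):
    """Parse the CSV inventory into dicts with a real date in not_after."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["not_after"] = date.fromisoformat(row["not_after"])
        row["owner"] = row["owner"].strip()
        rows.append(row)
    return rows

def audit(rows, today, warn_days=30, compromised_issuers=()):
    """Sort certificates into the findings the article's risk list implies."""
    cutoff = today + timedelta(days=warn_days)
    findings = {"expired": [], "expiring": [], "unowned": [], "reissue": []}
    for row in rows:
        name = row["common_name"]
        if row["not_after"] < today:
            findings["expired"].append(name)
        elif row["not_after"] <= cutoff:
            findings["expiring"].append(name)
        # No responsible group or individual recorded for this certificate.
        if not row["owner"]:
            findings["unowned"].append(name)
        # CA compromise: everything that issuer signed must be replaced.
        if row["issuer"] in compromised_issuers:
            findings["reissue"].append(name)
    return findings

if __name__ == "__main__":
    report = audit(load_inventory(INVENTORY_CSV), today=date(2012, 5, 15),
                   compromised_issuers={"Example Public CA"})
    for finding, names in report.items():
        print(f"{finding}: {', '.join(names) or '-'}")
```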
Prepare for it
If you act on the principle that you’re going to be hacked
– it’s just a matter of time – then at least you’ll be prepared should it happen.
Just like brakes in a car, encrypt everything. Ensure
that your encryption systems provide the security they are designed to deliver
while simultaneously reducing operational risk and administrative workload. Finally,
know where everything is.
PKI and SSL are sensible platforms for certificate
management. Abolishing them and putting something else in their place is not
feasible – the vehicle already exists and it is not going away anytime soon. Instead,
organizations need to recognize the challenge of using them and decide how
they’re going to handle the coming explosion in certificates.