Public Key Infrastructure

1. Summary

The role of the CIO has evolved and encompasses more than managing servers, data centers, and the applications that run on them. The CIO must now come to grips with potentially hundreds of cloud applications and platforms, including some that are not being secured within their organizations.

Most importantly, CIOs must manage the interconnected nature of these many SaaS applications. They must understand their use cases, the administration, and ownership of them as well as be able to make risk-based decisions about what should and should not be allowed to interconnect. At the core of it, applications, identities, and data must be validated so informed decisions can be made upstream. While the focus of the CIO has shifted, the job description is only now being updated. Given this, the CIO needs to be as flexible as possible while leveraging the cloud to control risks such as keys being lost in multi-factor authentication or security event management. This flexibility is not just about the tools they choose, but proactively addressing risks to secure treasury, customer data, and supply fulfillment; and of course, managing audit and compliance requirements.

Public Key Infrastructure (PKI) ensures higher levels of security when deployed within organizations by validating the authenticity of resources and encrypting data as follows:

• Verifying the authenticity of an endpoint, such as mobile devices, insulin pumps, industrial control systems, and even file servers. This verification is critical when you consider the importance of something like downloading quarterly financials.
• Ensuring data has not been tampered with.
• Controlling who can get access to the data.
• Guaranteeing the servers are authentic.

Enterprises that want to stay competitive understand that reputation and trust are very difficult assets to earn back once they are lost. By using PKI, they are able to gain an edge that enables them to make security decisions based on sound cryptographic fundamentals. Doing this ensures decisions made upstream with SaaS, PaaS and identities, applications, and encryption are sound and grounded.

PKI can and should be applied to every digital identity across the enterprise including devices, apps, and people. Yet all too often it is not, due to the complexity and cost associated with an on-premises do-it-yourself implementation. Despite their necessity, successful deployments have historically remained out of reach for most organizations, and concernedly so, mistakes can put you out of business should you become unable to decrypt critical data. If not correctly deployed, the foundation of subsequent security decisions will be intrinsically flawed.

Keeping PKI centralized on-premises requires a tremendous amount of resources to run and may not even adequately cover everything like signing or public Certificate Authorities (CAs). Failure of any one facet can be catastrophic. For this reason, a cloud-based deployment model allows enterprises to fully secure the environment with simple deployment while reducing maintenance operations – resulting in real Total Cost of Ownership (TCO) savings over time. Table 1 outlines the necessity and risks involved in certificate use cases.

Table 1: Necessities and Risks in deploying certificates

Technical Examples

Fundamentally PKI is the creation, issuance, management, distribution, usage, storage, and revocation of digital certificates. These certificates authenticate the identities of various parts of the data transfer process, as well as encrypt traffic between different endpoints. Take the following three online banking examples:

1. Identifying phishing sites that pose as authentic websites. Phishing sites try to trick unwitting users into entering personal information. Using PKI, the bank is able to create certificates that cryptographically prove they are who they claim to be and the user can distinguish the phishing site from an authentic site.
2. Encrypting sensitive data. Entering credit cards or other information to a bank site needs to be encrypted so that other devices on the network are not able to capture the information. Using PKI, banks are able to encrypt the traffic from their web servers directly to the user’s desktop or mobile device.
3. Authenticating software to prevent malware. Malware can be inserted into code that users believe to be safe, and when installed, create vulnerabilities. With PKI deployed, software manufacturers are able to sign their software, allowing their customers to verify the authenticity of the code and confirm it has not been tampered with.