2 days Ago
Jason Sabin, CTO of DigiCert Inc. Passionate about digital trust, including digital certificate management for web, device & user identity. For most enterprises, public key infrastructure (PKI) has been the foundation of digital trust for so long that it's almost taken for granted.
As the mechanism that lets parties establish trust inside an enterprise and across the internet, PKI enables users and devices to prove they are who they claim to be. Many are aware of its role in securing web pages, but it's also essential for encrypting files, code and object signing, machine identities, authenticating and encrypting email, VPN connections and nodes to wireless. PKI has been in use for decades, quietly supporting key business processes.
However, like any essential technology, PKI must be maintained and aligned to each organization's specific needs. That's not always easy when an enterprise and its business processes constantly evolve. Today's organizations need a modern approach to PKI to help them maintain their business agility, efficiency and, most importantly, security.
We all know that as an organization grows, the likelihood of technology siloes grows with it. Whether through long-term organic growth or more rapid changes from mergers and acquisitions, many enterprises support multiple PKI implementations. Each PKI use case might have its own specific tools and security policies, separately managed by different teams with different skill sets.
Without adequate visibility, management and automation capabilities, the PKI systems that are so vital to digital trust become more vulnerable to risk. Digital certificates are a key resource used in PKI authentication, and they can be found everywhere. Enterprises use them to identify and authenticate everything from users to software applications, machine identities, servers, phones or other devices.
A 2021 Ponemon Institute study found that a typical enterprise company managed nearly 60,000 certificates , and the number is likely higher today. Certificates have a limited lifespan, and many industry leaders propose making them shorter as security threats grow. As the volume of certificates grows and their lifespans become shorter, automation for renewing and revoking them will become more critical than ever.
Certificate expiration can lead to outages and compliance issues. Manual management and renewal processes are often the cause, but poor certificate visibility can also create issues. In a growing, complex enterprise environment, IT teams may not know which certificates they're using, where they're deployed and how they're being used.
Adding PKI systems introduces additional management and maintenance expenses. The more disparate, diverse and isolated the PKI systems are, the higher the likely costs of keeping them operational and up to date. A modern PKI platform can empower organizations to use their cryptographic assets more efficiently, cost-effectively and securely.
It can also automate tasks to enable organizations to manage their cryptographic assets consistently at scale. Organizations will need to not only select a solution that provides centralized oversight capabilities but also empower teams throughout the organization with self-service capabilities to acquire, manage and use certificates. For example, certificate lifecycle management can offer unified control of capabilities like policies for the use of the system.
It can also provide a web portal that lets users request certificates or get support from their PKI team for more complicated tasks. Bringing together multiple, diverse PKI systems will require support for various architectures and certificate authorities (CAs). Private CAs are helpful for applications that may use large numbers of certificates for short, distinct tasks such as high-volume container applications.
Today's enterprises use workloads on end-user devices, VMs, containers, applications, machines and servers. A PKI system should work smoothly out of the box. It should also integrate and interoperate smoothly with various enterprise architectures.
With a modern PKI system, organizations can do more than simply manage and maintain their existing certificates. They can apply analytics to be proactive in their planning and cryptographic strategies. A modern PKI system can also alert users of relevant events such as certificates nearing expiration.
They can notify users about issues like policy violations, certificate revocation and other unusual events. A robust PKI system can also generate customizable reports to help administrators better comply with company security policies as well as government and industry regulations. As PKI's reach extends across many systems and applications throughout every enterprise, interoperability is increasingly important.
A robust, modern PKI should also support smooth integration with software in the enterprise ecosystem. It should work smoothly with leading cloud services and DevOps infrastructure providers, using standard interfaces and proprietary ones. For example, web servers and network devices like firewalls and routers use PKI to keep communications secure, while developers often use DevOps tools secured by PKI.
A modern PKI system can enable an enterprise to manage all of its PKI systems together under one umbrella. It can also help organizations prepare for future security risks associated with quantum computing, enabling them to rapidly implement large-scale post-quantum cryptography. Moving to a modern PKI system will likely be complex and take time, but the good news is that organizations can continue to use their existing cryptographic assets—and do it more efficiently and securely.
The first step is the discovery and inventory process. It should identify public and private certificates in use, where they reside and which processes and applications they support. As part of the discovery step, the organization can determine who owns the certificates and assign management and budget responsibilities.
After gaining insight into the current state of their cryptographic assets, an enterprise can prioritize its next steps, targeting the most critical business use cases. This approach will deliver the maximum impact fast. Centralizing an organization's PKI into a single system may work in certain situations, but focusing on centralizing policy and governance is likely a safer bet for complex organizations.
With a well-planned, methodical approach, enterprise organizations can keep their existing PKI systems running smoothly within a resilient environment and stay prepared for new security challenges over the horizon. Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?.
