Lessons learned from Public Key Infrastructure

Chris Hickman


“PKI has emerged as a vital tool to maintain security in today’s connected world. The proliferation of IoT and its rapid adoption in organizations has led to millions of devices that all need to authenticate and securely receive firmware updates,” says Chris Hickman, Chief Security Officer, Keyfactor, in an exclusive interview with IT SecurityWire.


How has Public Key Infrastructure evolved over the years?

In its earliest days, public key infrastructure (PKI) was most commonly used to issue certificates to eCommerce websites to secure connections for online payment transactions. In the 2000’s, enterprise use cases rapidly expanded with higher demand for remote network access and connections. At that time, enterprise-issued certificates became akin to corporate ID badges, and corporations started deploying their own certificates on the internal web servers to improve security. Nowadays, modern PKI has expanded further to govern the issuance of digital certificates and authenticate mobile workforces, applications, and devices.

PKI has emerged as a vital tool to maintain security in today’s connected world. The proliferation of IoT and its rapid adoption in organizations has led to millions of devices that all need to authenticate and securely receive firmware updates. Securing and authenticating IoT devices has become one of PKI’s most compelling and critical uses, especially with life-impacting IoT like connected cars and medical devices.

What, according to you, are the common obstacles in PKI deployment, and how to avoid them?

Organizations are less challenged when it comes to deployment but more challenged in operationally managing their PKI. Often, organizations focus more on getting certificates to machines and devices and less on the care and feeding required to maintain those certificates once they’re deployed. They don’t take into account lifecycle management and the continual attention necessary to ensure that every certificate is tracked correctly and handled in the event of certificate revocation and reissuance.

Lifecycle management is challenging when it isn’t built into the system from the start. A customer once said that the art of PKI is 20% deployment and 80% operations, which is an accurate assessment. Organizations have to look beyond deployment to consider how lifecycle management and PKI operations will run through the long term and as the business scales.

What are your recommendations and best practices to be followed when enterprises deploy and run PKI?

First and foremost, organizations can’t deploy PKI in a vacuum. We often see businesses build PKI to address a very specific set of use cases. They seek to solve the problems of the day without taking the transformational nature of the business into account, especially as it grows. We recommend organizations work with professionals who have done this before and understand the intricacies of building, deploying, and managing PKI.

Organizations have many options with the availability of cloud services, and they need to look to leverage commercial options rather than try to build their own, which takes a lot more time and expense. Commercial and cloud-based options will also scale with the business versus an internal PKI built to meet current business requirements.

In terms of sourcing a commercial option, there are several core capabilities to look for, including:

  • CA Integration – Synchronizing in real-time with any certificate authority (CA) to regularly pull certificates into inventory. Certificate discovery should start at the source. The solution you choose should synchronize directly with your internal and public CAs to identify and inventory every certificate, regardless of how they may have been issued (i.e., rogue certificates).
  • Network Discovery – Distributed architecture to discover SSL/TLS certificates across IP ranges and subnets. Next, you will need to discover where certificates reside. Many vendors provide built-in SSL/TLS discovery, but the main difference is in deployment. Scanning across networks from one location is significantly disruptive and mostly non-compliant. Look for solutions that offer flexible tools that can be deployed to multiple locations in your network and throughout your environment to reduce network load.
  • Integrated Discovery – Orchestrating certificate discovery, enrolment, and provisioning across network endpoints. If a certificate is not bound to an IP or port, it won’t show up in network discovery. More integrated solutions use agent-based or agentless methods to inventory key and certificate stores. Root-of-trust inventory is vital as well because it allows users to find or eliminate rogue root certificates or add an updated new root of trust.

Organizations should also field these questions with prospective vendors:

  • Can the vendor discover and manage every certificate, even those not issued through its platform?
  • Does the solution require significant changes to firewall rules and port configurations when deployed in environments with multiple network segments or cloud services?
  • Does the solution inventory and manage the root of trust certificates on network endpoints?
  • Can the solution discover and inventory certificates issued via EMM/MDM and IaaS platforms?
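The capabilities listed in this answer (pulling certificates from a CA into an inventory, tracking their lifetime, and checking them against a root-of-trust inventory so that rogue certificates stand out) can be shown in a few dozen lines. The Go program below is an added example written for this page; it is not Keyfactor's product code and not part of the interview. It constructs its own test data in memory: a corporate root that is placed in the trust store, a second root that is not, and three server certificates, one of them issued by the untrusted root. `BuildInventory` then parses each PEM certificate as a CA sync or TLS scan would hand it over, records issuer and days to expiry, flags certificates that expire within a warning window, and marks as untrusted any certificate that does not chain to a root in the store. The CA names, hostnames and the 30-day warning window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// InventoryEntry is one row of the certificate inventory.
type InventoryEntry struct {
	Subject, Issuer string
	DaysLeft        int
	ExpiringSoon    bool // expires inside the warning window
	Trusted         bool // chains to a root in the trust store; false means rogue
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

var serialCounter int64 // distinct serial per constructed certificate
// template builds a certificate for name, valid for days days from an hour ago: a signing root when isCA, else a TLS server cert. Constructed test data only.
func template(name string, now time.Time, days int, isCA bool) *x509.Certificate {
	serialCounter++
	start := now.Add(-time.Hour)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serialCounter), Subject: pkix.Name{CommonName: name},
		NotBefore: start, NotAfter: start.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	}
	return t
}

// sign generates a key for tmpl and has parent sign it (self-signed when parent is nil); returns the parsed cert, its key and the PEM encoding.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// BuildInventory parses PEM certificates (as pulled from a CA or found by a TLS scan), measures remaining lifetime and checks that each chains to a trusted root.
func BuildInventory(pemBlobs [][]byte, roots *x509.CertPool, now time.Time, warnDays int) ([]InventoryEntry, error) {
	var inv []InventoryEntry
	for i, blob := range pemBlobs {
		block, _ := pem.Decode(blob)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("blob %d is not a PEM certificate", i)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("blob %d: %w", i, err)
		}
		// Chain building fails when the issuer is absent from roots, i.e. a rogue CA.
		_, verr := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		inv = append(inv, InventoryEntry{
			Subject:      cert.Subject.CommonName,
			Issuer:       cert.Issuer.CommonName,
			DaysLeft:     int(cert.NotAfter.Sub(now).Hours() / 24),
			ExpiringSoon: cert.NotAfter.Before(now.Add(time.Duration(warnDays) * 24 * time.Hour)),
			Trusted:      verr == nil,
		})
	}
	return inv, nil
}

// BuildDemoInventory runs the scenario: one corporate root in the trust store, one root outside it, three leaves (all names assumed).
func BuildDemoInventory() []InventoryEntry {
	now := time.Now()
	corpCA, corpKey, _ := sign(template("Corp Root CA", now, 3650, true), nil, nil)
	rogueCA, rogueKey, _ := sign(template("Rogue Root CA", now, 3650, true), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(corpCA) // only the corporate root is in the root-of-trust inventory
	_, _, intranet := sign(template("intranet.example.corp", now, 365, false), corpCA, corpKey)
	_, _, vpn := sign(template("vpn.example.corp", now, 10, false), corpCA, corpKey)
	_, _, payments := sign(template("payments.example.corp", now, 365, false), rogueCA, rogueKey)
	inv, err := BuildInventory([][]byte{intranet, vpn, payments}, roots, now, 30)
	must(err)
	return inv
}

func main() { fmt.Printf("%+v\n", BuildDemoInventory()) }
```

Running it lists three entries: the intranet certificate is trusted with about a year left, the VPN certificate is trusted but flagged as expiring soon, and the payments certificate is marked untrusted because its issuer is not in the root pool, which is exactly the "rogue certificate" case the CA-integration bullet describes. In a real deployment the PEM blobs come from the CA synchronization and discovery scans discussed above, and the root pool is the organization's maintained root-of-trust inventory rather than a certificate generated in the program.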

What are the major differences between digital transformation and legacy PKI?

Cloud technology and cloud-based PKI offer expandability and reach that extend beyond legacy PKI. Traditional PKI typically runs into issues when it tries to reach beyond the boundaries of the corporation. Organizations need to focus on securing data wherever it lives, and legacy PKI is limited in its ability to do that.

Digital transformation and moving manual processes to digital platforms is absolute. Securing data through those business processes and beyond is mission-critical.

Chris Hickman is the chief security officer at Keyfactor, a leading provider of secure digital identity management solutions. As a member of the senior management team, Chris is responsible for establishing and maintaining Keyfactor’s leadership position as a world-class, technical organization with deep security industry expertise. He leads client success initiatives and helps integrate the voice of the customer directly into Keyfactor’s platform and capability set. For more information visit: www.keyfactor.com or follow @Keyfactor on Twitter and LinkedIn.