/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsFor decades now enterprises have been in a battle to protect information while at the same time striving to improve business processes and make information readily and easily available to employees, customers, partners and other stakeholders. Applications are now Internet-enabled and employees are allowed access to intra- and extra-nets through personal devices. To add to that, business partners are often provided entry to ensure everything from immediate access to information to the attainment of service level agreements.
THE NEED TO PROTECT INFORMATION ASSETS
As financial institutions, manufacturers, government agencies, healthcare organizations, and other enterprises leverage the Internet to link business processes, streamline communications, and conduct commerce, the protection of information assets has become a vital, yet increasingly complex. Enterprises not only must safeguard sensitive information and maintain the trust of online trading partners, but also must comply with government and industry regulations related to online data.
As information becomes more valuable, cyber-attacks have become more sophisticated with the prevalence of evolved distribution methods. In protecting information assets, enterprise security is now expected to provide gate-keeping functions such as data protection and network isolation, as well as facilitative functions, such as exposing enterprise data to outside applications, connecting users for extended collaboration, and enabling online transactions and communications.
Definition of PKI refers to the technology, infrastructure, and practices that support the implementation and operation of a certificate-based public key cryptographic system. The system uses a pair of mathematically related keys, called a private key and a public key, to encrypt and decrypt confidential information and to generate and verify digital signatures. (Digital signatures are used to sign transactions or to authenticate users or machines prior to granting access to resources.)The main function of PKI is to distribute public keys accurately and reliably to users and applications that need them. The process employs digital certificates which are issued to users or applications by an enterprise certificate authority (CA). Issuance of a certificate requires verification ENTERPRISE PUBLIC KEY INFRASTRUCTURE
In a connected world, Public key Infrastructure (PKI) is the foundation of high-level, certificate-based security. It safeguards business applications that demand the highest level of security, enabling web services based business process automation, digital form signing, enterprise instant messaging, and electronic commerce. In addition, it protects firewalls, virtual private networks (VPNs), directories, and enterprise applications. An enterprise should choose a PKI solution that offers comprehensive functionality, integrates easily with internal and external applications and ultimately is scalable to millions of users with flawless round the clock operation.
THE TWO MODELS OF PKI
While it is established that an enterprise needs to deploy a PKI solution, there are two models that are available with enterprises - an in-house implementation and an outsourced PKI. The two approaches differ mainly in their total cost of ownership (TCO), the time to deploy the solution, the usage of internal resources, success rate and scalability.
1)In-house Deployment
In a typical in-house deployment, an enterprise purchases standalone PKI software and creates a stand-alone PKI service. In this scenario, the enterprise assumes total ownership for provisioning, deploying, and maintaining the PKI itself as well as all the surrounding technology, including systems, telecommunications, and databases. The enterprise is also responsible for providing a secure facility. . The in house deployment should satisfy the prerequisites of physical-site security, Internet-safe network configurations, disaster recovery, viable PKI legal practices, financially sound liability protection, and highly-trained staff. If any of these components is weak, the enterprise may be compromised.
However, regardless of these capabilities the adoption of PKI-enabled services by partners, customers, and suppliers may be hindered by lack of confidence in the unproven PKI or unfamiliarity with the enterprise itself. Additionally, the in-house PKI function may not have the capability to provide third-party auditing further diminishing the PKI's value. Also, the process from planning to deployment may take months together delaying the returns of investment from a business point of view.
2)Outsourced deployment to an integrated PKI platform
In the second model, an outsourced deployment to an integrated PKI platform, an enterprise delegates planning, deployment, and maintenance to a trusted third party whose services include certificate processing, root-key protection, and security and risk management. Being a core business, the integrated PKI platform providers can devote time, specialised resources and efforts to the solution. Additionally, a third party provider will have expertise in security practices, procedures, and infrastructure and moreover the services offered would have been time-tested.
This speeds up deployment and ensures that the PKI operates at the highest levels of availability and security. From a business point of view - there are various models of payments available in terms of flat rates, per transaction i.e. number of digital certificates issued, or a hybrid model. This enables an enterprise to predict costs more accurately and simply add PKI capability as business grows. Also with respect to user authentication and certificate lifecycle management - an enterprise is able to better control and executes its security policies.
CRTITICAL FACTORS ENTERPRISES NEED TO CONSIDER
While enterprises select the model and a PKI solution, some key factors need to be considered which cut across technology, infrastructure, and business practices:
PKI functionality - For strong security, easy administration, and hands-on control of certificate management, an enterprise PKI must be based on a modular design that includes reliable, high-performance support for certificate issuance and lifecycle management, protocols and processing capabilities for diverse certificate types, comprehensive administration functions, records retention, directory integration, and key management.
Ease of integration - To minimize costs, leverage existing investments, and ensure compatibility in diverse environments, enterprises should choose a PKI that integrates easily with all the new and legacy applications it is intended to support. The PKI should not lock end users into proprietary PKI desktop software.
Availability and scalability - The PKI must be available to an enterprise around the clock. In addition, it must be scalable to keep up with enterprise growth.
Security and risk management - To preserve trust and minimize financial and legal liability, enterprises running an Internet-based PKI must safeguard the PKI infrastructure, private keys, and other valuable assets from not only network-based attacks, but also threats to the physical facility housing the assets.
Expertise - To ensure that the PKI is properly deployed, maintained, and protected, enterprises should employ security professionals who are extensively trained in PKI.
Scope of operation - To maximize return on investment (ROI), promote collaboration, and ensure business agility, enterprises investing in PKI should make sure that the offering can be easily enabled to operate across intranets, extranets, instant-messaging communities, Web-services networks, Internet marketplaces, VPNs, and other communities of interest.
The success or failure of an enterprise PKI would largely depend on these factors, which are strongly driven by the model chosen and the short and long-term plans for the exchange of high-value data.
CONCLUSION
As the role of Internet security evolves to include functions such as protecting information assets and network facilitation, PKI can lay the foundation for providing application and network security.
A well-managed PKI Service can alleviate the burdens and risks of building, deploying, and maintaining an in-house PKI while allowing enterprises to maintain internal control over vital aspects of security such as certificate issuance, suspension, and revocation. This not only reduces costs, speed time to deployment, and strengthens security, but also wins the confidence of partners, customers, and stakeholders and allows an enterprise's security to be aligned to business goals.
(The author is Director, Product Management, Symantec)