We know what PKI is, but do we know what it may be?
Fri, 09/27/2019 – 22:23
In Shakespeare’s Hamlet, Ophelia says: “Lord, we know what we are, but know not what we may be.” The unknown potential of one’s future self can be the subject of introspection. It also makes sense to reflect on how technologies we know well today are changing to accommodate future requirements. That is the case with public key infrastructures (PKIs) – a technology that has been around for decades and now is becoming indispensable as the main enabler for digital transformation. In this blog we examine the critical elements needed to ensure PKIs meet today’s demands and those of the future.
As a foundational building block for digital communications, a PKI includes the hardware, software, policies, processes, and procedures needed to manage digital identities. Introduced to issue and validate the identities of individuals and web servers, PKIs have evolved as the de-facto mechanism for establishing trustworthy systems and trustworthiness within systems. Their use has been essential to the success of ecommerce. But, the number of connected devices and applications that need to be securely identified and validated to operate within trusted ecosystems has exploded, and so too, has the demand on PKIs.
Major Drivers of Change
The IoT is being used for consumer-linked applications, such as mobile phones, connected vehicles, smart metering, and medical devices. IoT is also widely used in industrial applications, such as predictive maintenance, asset tracking, fleet management , providing AI to jet engines, and optimizing power grids . As I noted above, ecommerce is based on trust, but consider the consequences if we could not trust devices and applications involved in our medical care, the engines propelling the jets we ride in, or the management of our power grids.
The list of applications goes on and on, and all require PKIs and certificates of authority to ensure the systems are and will remain under the control of authorized users. Consequently, PKIs are being stretched to their limits to generate and authenticate the ever increasing number of certificates for these devices and applications.
The Internet of Things
The IoT is the fastest growing force affecting PKI planning and evolution. According to nCipher’s yearly Global PKI Trends Study, conducted by Ponemon Institute:
There is growing recognition that PKI provides important core authentication technology for the IoT. Since 2015, respondents who say IoT is the most important trend driving the deployment of applications using PKI has increased significantly from 21 percent of respondents to 41 percent in 2019.
As we await the complete results of this soon to be released 2019 Global PKI Trends Study, I am reminded of Ophelia and can’t help but ponder if we know what this technology is becoming, particularly with regards to security certifications for PKIs. I anticipate the full 2019 study will give us a better picture of the trends and practices being applied to PKIs as their use extends to include IoT.
Privacy and Regulatory Compliance
IoT devices collect data, and much of that data is tied to individuals. Therefore it must be protected to comply with industry and government regulations around the world, such as the General Data Protection Regulation (GDPR) among others. Data security and regulatory compliance is another vital function where PKIs provide the mechanism to control access to critical devices and the information they collect.
Indeed, initial findings of the 2019 Global PKI Trends Study revealed some very interesting statistics with regards to security certification for PKIs:
Globally recognized security certifications are becoming more significant. Common Criteria EAL 4+ was considered to be the most important security certification when deploying PKI and PKI-based applications. The study found that 64 percent of respondents picked Common Criteria and 60 percent FIPS 140-2, followed by regional standards such as digital signature laws at 25 percent.
Best Practices for Secure PKIs
To protect private keys used for certificate issuance and signing processes, security professionals recommend the use of a hardware security module (HSM) as a best practice. An HSM root of trust segregates and protects critical cryptographic keys within a certified protected environment, away from the rest of the IT infrastructure, facilitating auditing and regulatory compliance. In addition, HSMs, such as the Common Criteria and FIPS certified nCipher nShield, can protect sensitive code by having it run within its secure boundary.
nCipher and its nFinity technology partners can deliver customers the strongest PKI solutions available in the market. Whether designing and standing a completely new PKI or assessing the health of your current PKI, we can ensure your applications’ demand for digital credentials and identities are met, and that the security of your underpinning signing keys is protected at all times. To learn more about self-managed or fully-managed PKI alternatives we can offer in collaboration with our nFinity technology partners, visit our PKI webpage.
Ophelia struggled to come to terms with what the future could make her become. Today’s PKI’s have become critical infrastructure for the once unimagined IoT. We must examine today’s organizational PKIs to ensure they are up to their current tasks. Moreover, we must look forward to ensure PKIs will enable trust and security tomorrow.
Stay tuned for our next blog in which we will share more of the results of our 2019 PKI Global Trends Study. To learn more about nCipher, please visit our website or follow us on Twitter, LinkedIn, and Facebook. If you want to reach me for further discussion, contact me on Twitter @asenjoJuan.
*** This is a Security Bloggers Network syndicated blog from Drupal blog posts authored by juan-asenjo. Read the original post at: https://www.ncipher.com/blog/we-know-what-pki-do-we-know-what-it-may-be