April 09, 2018 | SSS Security Consulting Team
The concept of trust for identity is not new. To travel across borders, you need a credential that represents who the traveller is – a passport. The acceptance of this travel document is largely based on the way in which it was manufactured. How was the citizen identified? How were they enrolled? How did they prove their identity (e.g. driver's licence, proof of address, etc.)? Were the printing process and delivery secure? When countries have confidence in this process, they readily accept this travel document as certainty of the identity of the traveller and permit trusted relationships between countries.
In the digital world, we need a functionally equivalent level of assurance of identity and trust. This need for trust in cyberspace, coupled with the rapid advancement of technologies and increased connectivity, creates an identity challenge that needs to be addressed. The answer? Many organisations are turning to PKI or Public Key Infrastructure to solve the problem of identity – regardless of whether that identity is tied to a human, device, application or server.
But all too often organisations rush into building a quick least-cost “technical” PKI without understanding the trust requirements at all. This usually means the organisation ends up with a PKI that is not fit for purpose, because they have in effect sacrificed trust for the sake of budget.
Many organisations deploy a PKI as a tick-box item for compliance with one or more of the ever-growing regulatory or legislative demands placed on government agencies and private sector companies. PKI is often implemented as a stand-alone solution for a single problem. But few take an enterprise view of what this PKI can mean for them.
PKI is more than just the technology that is used.
For a PKI to meet the organisation's requirements for trust, it is important to follow a well-defined process to design and implement it, one that ensures a level of trust functionally equivalent to current (non-digital) practices.
This process includes:
- Planning to clarify the intended uses of the PKI
- Designing the PKI to include the elements that provide the appropriate level of trust to sustain those use cases (this usually includes use of Hardware Security Modules)
- Creating the required policy documents and practice statements
- Installing and documenting the PKI with the appropriate ceremonies
- Operating the PKI in compliance with the policies (with ongoing audit assurance)
When you implement your PKI, remember that to have a high level of trust and assurance you need to do more than just install the software. A well-designed implementation will provide a strong foundation to meet the identity and trust challenges that the constant technological advancements of the digital world present. It will create credentials that permit trusted electronic relationships inside and outside your organisation, enabling a host of business benefits and business process efficiencies through integrations with document signing, secure use of mobile devices, IoT and signing of financial transactions.
At SSS we have consultants with extensive experience in the end-to-end process definition, advisory services and implementation of effective PKI solutions.
If you would like to discuss how a PKI solution could benefit your organisation (or how to progress if your existing PKI is no longer fit for purpose), please contact us.