Do you PKI?
Over the past several years we have seen a steady rise in the importance of Public Key Infrastructure. Why is this trend occurring? I would attribute this to 3 things – more and more applications can consume PKI, legal compliance requirements have made it happen, and also the underlying technology continues to mature.
More applications consume PKI. In the early days of the Internet SSL and S/MIME (secure email) drove the growth of public PKI providers such as Verisign. Smart Cards have been getting more attention and many companies are integrating a building access card with the smart card you use for VPN or workstation logon. Secure Wireless Networking and 802.1x are increasingly demanding certificates. Microsoft’s corporate wireless networks are secured via machine certificates which are only available to domain-joined machines. One of my favorite technologies, Federation and ADFS, uses X509 certificates not only for SSL connections (which are mandatory when using ADFS), but also for token signing, and this is the key for how we allow trusted authentication to cross organizational boundaries. And of course the Windows operating system supports features such as auto-enrollment which increase the usage of PKI infrastructures while lowering the costs and reducing complexity.
Secondly we see more business and legal requirements involving the use of PKI. This trend is illustrated by HIPAA requirements in the healthcare industry, requiring patient data to be encrypted both at rest and in transit. Financial data and other forms of PII (Personally Identifiable Information) also require data encryption. Interestingly, HIPAA requirements have been driven into every other type of organization, where for example the HR department handles records of workers injured on the job, etc. With data encryption on the rise, key recovery (more importantly, data recovery) becomes an important scenario. One of the better books that discusses this area is “The Executive Guide to Information Security: Threats, Challenges, and Solutions” (link) which was written by Mark Egan of Symantec.
Thirdly, the technology continues to mature. With Windows Server 2008 Microsoft has brought a number of great new features to PKI, such as fault tolerance in the form of failover clustering support. Other new features include OCSP, new Crypto algorigthms and more. For more information on Microsoft’s offering see the AD CS Technet library at https://technet.microsoft.com/en-us/library/cc534992.aspx. Another area maturing rapidly is the lifecycle management of credential in a PKI environment. Microsoft is a leader in this space with the ILM 2007 product (https://technet.microsoft.com/en-us/library/cc720598.aspx) which allows comprehensive lifecycle management of digital credentials. In the data encryption / data recovery scenario mentioned above ILM plays a crucial role in automating the key recovery process. We also see ILM being used to manage the distribution of certificates to third-party business partners.
Of course, security is purely about risk management and is represented by a set of tradeoffs. The most secure computer is the one nobody can access, it is locked away in a vault somewhere. On the other hand, we are moving in a direction where (nearly) every bit of information you can imagine is or should be freely accessible. In the 21st century and information accessibility growing exponentially, every enterprise of any size needs a security strategy. Public Key Infrastructure is one of the crucial elements of a strong enterprise infrastructure architecture.
My next blog entry will discuss the rise of federation technologies as a solution for identity and access management challenges.
Glenn Walton
Bay Area, California
October 16, 2008