Can public key infrastructure help protect your enterprise network?
by David Chernicoff
Wondering whether a public key infrastructure (PKI) is the right investment for your business? Read on.
Let’s start with a general overview: A PKI is used to guarantee that people and devices accessing network resources are actually valid and trusted users. The PKI itself is a set of hardware, software, policies and procedures that handle how digital certificates — the piece of the PKI that identifies users and devices — are generated and managed.
Sounds pretty important. But can it protect your business? Well, yes and no.
To find out why, we need to go a little deeper.
Public key infrastructure in the house
PKI technologies, in the form of certificates, are ubiquitous. They can be found in email signing and encryption, VPN authorization and access, instant messengers, and other applications that touch users every day. Every time a user opens up an HTTPS connection on the internet, they’re making use of PKI. If your corporate remote email client is using SSL, you’re making use of PKI. Providing some level of trust that users and devices are who they say they are is implicit in all these connection types. This means that PKI, to an extent, is part of your enterprise — even without the explicit configuration of your own PKI, or even understanding anything about how it works.
PKI may also be integrated directly into your network operating system. In Windows Server, PKI is known as Active Directory Certificate Services, and is tightly integrated with the Active Directory service. It has been enhanced with each release of Windows Server, and will likely already have migrated to the most current standard, assuming your network has upgraded to Windows Server 2012 R2.
PKI as an add-on
Additionally, there are devoted PKI packages you might consider adding to your enterprise security suite. Every PKI system will consist of a:
Certificate authority that issues and verifies certificates.
Registration authority that verifies the users requesting information from the certificate authority.
Central directory where the keys are stored and indexed.
Certificate management system.
The explicit standard for PKI is ITU-T X.509, which has been in use since 1988. Many commonplace protocols support the X.509 standard certificate for PKI, including SSL, S/MIME, IPsec, HTTPS and LDAP.
Because there can be hundreds, if not thousands, of certificates issued throughout your enterprise, there are many third-party certificate management systems available for cost-effective control and management of certificates. Vendors such as Symantec (which acquired well-known PKI vendor Verisign) offer a cloud-based managed PKI service. Open-source public key infrastructure is available from EJBCA, and complete end-to-end security systems that include PKI are available from IT infrastructure vendors.
Is a PKI implementation the answer to your data security woes?
With all of that in mind, let’s re-ask that earlier question: Can PKI protect your enterprise network? The answer is both yes and no because your PKI implementation alone will not fully protect your enterprise. It can certainly help, however.
In fact, public key infrastructure is a crucial part of your overall security strategy. Every piece of that strategy — from firewalls to threat management systems, policy management, antivirus and PKI — needs to work together to provide the secure computing environment that will protect your enterprise from threats, both external and internal. This sort of end-to-end security management requires significant IT resources, which can put a strain on already overtaxed IT staff — especially in small and medium-sized businesses.
However, assuring that fundamental components such as PKI are in place and properly configured and optimized for your environment is well worth the investment. In an environment where new threats are popping up seemingly every single day, verifying the validity of everyone on your network is a must.