PKI, or public key infrastructure, is the backbone of secure and private digital communications. Originally invented by the UK government’s central intelligence authority, GCHQ, in the 1960s, most security professionals know PKI best through the work of Whitfield Diffie and Martin Hellman. In the mid-1970s, the pair published their paper, New Directions in Cryptography,[i] which explained a new method of exchanging cryptographic keys to ensure more secure digital communication, a.k.a. public key cryptography.
In short, the introduction of public key cryptography allowed two parties to securely exchange information over public channels, at greater scale and with improved speed and efficiency over then-current methods, while “assuring the sender of a message that it is being read only by the intended recipient.” Further, the paper explained how a digital signature must be created to ensure the authenticity of the message. This signature, they wrote, must be “impossible for anyone other than the legitimate signer to produce.” Thus was born the idea of digital certificates, an authentication method governed by a third party—a certificate authority (CA)—to manage the creation, distribution, use, storage, and revocation of digital certificates.
This new scheme was a marked improvement over past methods, but as the number, frequency, and types of entities communicating over digital channels increased, key management and certificate management began to become, ironically, unmanageable. Today, PKI is perceived by many security practitioners as hard and messy. Key generation isn’t the problem, but key lifecycle and certificate management are enough to keep an already-busy IT or security manager up at night. If you’ve ever been in the position to handle this daunting task for your organization, you know that a missing or expired certificate can keep a user from accessing files or systems, creating tension with the business.
In worse cases, CA failures have led to serious security incidents. Insufficient request and domain validation, rogue certificates, missing signatures, and more have led to large-scale breaches and brand damage. In one of the most notable cases of poor certificate management, Equifax exposed 147 million people’s PII due, in large part, to an expired certificate.
Platform-izing service expertise
Enterprise PKI-as-a-service provider Keyfactor is a new-old company helping enterprises tackle the challenge of PKI. Initially known as Certified Security Solutions, Keyfactor has its roots as a 20-year-old consulting company that helped the Fortune 2000 stand up their PKI. Over the last several years, the founders realized that many of their clients were calling the team back to help with implementations, and that companies weren’t prepared to handle the arduous process of managing PKI on their own. Although their background was in consulting, in 2014 the team decided to enhance their capabilities by building an automated PKI management platform to complement their service offerings.
“Increased network exposure has led to a critical trust gap,” said Jason Fiorotto, Keyfactor’s SVP of Marketing, during a recent call. “Enterprises create more connections every day. Certificates need to be renewed with increased frequency, and there are more and more of them to manage,” he said. It’s simply not a situation that can reasonably be managed with manual methods. Cloud, DevOps, and IoT are all adding to the challenge, and there is no slowdown in sight.
In addition, given the work-from-home environment that is today’s business reality, Keyfactor is noting even greater panic around PKI management: “The sheer number of VPN connections added in the last few weeks has caused several of our clients to call and ask for increased volume; we’re finding we need to stand up a new CA to handle remote employees,” said Mark Thompson, SVP of Product Management at Keyfactor. And though (hopefully) the pandemic won’t last long, the likelihood is that once employees are able to return to their workplaces, many businesses and employees alike will have realized the increased productivity and financial benefits of home working, thus requiring greater levels of certificate management than before.
How many certs?
Thompson and Fiorotto told me and Ed that the vast majority of their customers don’t know or underestimate the number of certificates they’re managing, sometimes by as much as 10X. This jibes with TAG Cyber’s experience with enterprise customers. “Any engagement we have on the enterprise side,” Ed told the Keyfactor team, “starts with a discussion about scope. I don’t think we’ve ever had a consulting project where the perceived scope was as big as actual scope!” With the number of certs growing exponentially, increasing numbers of devices, and shorter expiration times, organizations need to rely on automation.
Keyfactor’s platform automates certificate lifecycle management, from generation to secure signing to storage and rotation. Keyfactor Command provides crypto agility, allowing the automatic renewal and deployment of certificates. Keyfactor Control focuses on device identity, authentication, and encryption by automatically provisioning secure credentials and keeping track of required certificate updates and renewals over the device’s lifetime. “Our platform provides convenience and speed, but not at the expense of high assurance,” said Thompson.
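The inventory and expiry problem above, as an added example that is not Keyfactor’s code or part of the original article: a small Go audit that walks a PEM bundle, parses every certificate, and flags the ones that are already expired or inside a renewal window. The hostnames, dates and self-signed certificates are constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// Finding is one inventory entry: days until NotAfter (negative once expired) and a status.
type Finding struct{ Subject string; DaysLeft int; Status string } // Status: expired|expiring|ok
// AuditBundle classifies every CERTIFICATE block in a PEM bundle against a renewal threshold, measured from now.
func AuditBundle(bundle []byte, now time.Time, warnWithin time.Duration) ([]Finding, error) {
	var out []Finding
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue // private keys and other PEM objects often share the file
		}
		cert, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, err // surface a corrupt entry instead of silently skipping it
		}
		left := cert.NotAfter.Sub(now)
		status := "ok"
		if left < 0 {
			status = "expired"
		} else if left <= warnWithin {
			status = "expiring"
		}
		out = append(out, Finding{cert.Subject.CommonName, int(left.Hours() / 24), status})
	}
	return out, nil
}
// SelfSignedPEM makes a constructed, throwaway self-signed cert standing in for a real inventory export.
func SelfSignedPEM(cn string, notBefore time.Time, validFor time.Duration) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(validFor)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() {
	now, day := time.Date(2020, 4, 1, 0, 0, 0, 0, time.UTC), 24*time.Hour // fixed demo clock
	bundle := append(SelfSignedPEM("vpn.example.test", now.Add(-40*day), 30*day), // expired
		SelfSignedPEM("api.example.test", now, 10*day)...) // inside the 30-day warning window
	findings, _ := AuditBundle(bundle, now, 30*day)
	fmt.Println(findings)
}
```

Run against a real export, the same loop gives the count the article says most organizations underestimate, and the "expiring" rows are the renewals that automation has to schedule before they turn into outages.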
Scalability and assurance
From a technical perspective, Keyfactor’s claim to fame is its ability to scale for any size organization while remaining “zero touch.” That said, Keyfactor maintains a skilled professional services staff who are on hand to help companies when they start with a “crypto mess,” said Thompson. “We will come in and front end your deployment with professional services, then support your entire PKI lifecycle with the platform.”
In short, Keyfactor’s PKI-as-a-service removes enterprises’ internal, manual administrative burdens and automates the entire process. Even if the engagement starts with professional services, you’re hiring experts focused 100% on PKI management—they’re not also running 10 other IT or security functions—who can take PKI entirely off your hands and run it for you. Automation is becoming the key for many once-manual security functions, and PKI is no different. This is one area where automating processes makes a huge difference in efficacy and assurance, and we see no downside. Automating certificate management will free up your team to focus on higher-level, strategic initiatives and eliminate an unnecessary administrative onus.