I’ve just participated in a LinkedIn Live session with my colleague Jules Anderson where we discussed a number of PKI related topics, all in the space of 20 minutes! I will recap some of the items we discussed below.
We covered some of the issues we've seen in relation to PKIs as a result of the coronavirus pandemic and some of the effects that the pandemic has had. One thing this has brought home to me is the importance of proper planning when it comes to PKI lifecycle events. What I mean by 'PKI lifecycle events' is regular activities which need to be undertaken to ensure your PKI continues to run smoothly. The specific example we discussed was Root CA CRL renewals.
The pandemic has really underlined the importance of good planning and well documented procedures when it comes to PKI. We had one customer who wanted our assistance with their annual Root CA CRL renewal. For something like this, we'd normally attend in person but due to the pandemic it just wasn't possible. Moreover, the ceremony itself had to be postponed. It was scheduled for April, but because the UK was in ‘lockdown’ it was impossible to access the relevant buildings where the Root CA artefacts were securely stored. Now, because the customer had planned the Root CA CRL renewal well in advance and considerably prior to when the Root CA CRL actually expired, they were able to postpone the ceremony and perform it at a later date without any operational impact to their PKI. When the ceremony was eventually able to run, I don't think I've ever attended a Root CA CRL issuance remotely using collaboration tools before, or ever seen hand sanitiser used as part of such a ceremony!
We also talked about why certificates are considered fundamental as part of a good cybersecurity strategy. I think that is due to the pervasiveness of keys and certificates when it comes to IT systems and services. Keys and certificates are used everywhere. We covered examples such as certificates to identify and secure commercial websites via TLS, as well as similar certificates that are used to secure IT administration portals that many IT administrators use as a matter of course during their day-to-day IT management activities. Without such certificates, administrative credentials might be passed over the network 'in the clear'. We also mentioned other use cases such as certificates for digital signing activities, network authentication and other possibilities.
Whether an organisation needs to deploy their own PKI to be able to issue certificates to secure such services is largely down to the following; the number of different use cases for keys and certificates an organisation has; the legal and regulatory requirements that need to be met by those certificates; and whether they possess the level of knowledge to be able to deploy and manage a PKI internally. For some organisations, it may make sense to obtain a managed PKI service. This removes the pressure of managing the PKI themselves away from the organisation and leaves it in the hands of experts to manage it on their behalf. Some organisations though do want to retain the relevant skills in-house and if these don't exist, we have previously worked with customers to ensure that those skills can be learned and maintained. This is via our training courses and also during PKI deployments where we do 'knowledge transfer' with customers. This along with well documented PKI operational guides ensures that an organisation’s own employees have the confidence to manage their own PKI.
Finally, we discussed the need to have a good set of requirements for PKI documented if an organisation is considering the usage of keys and certificates to support projects, systems and services. Requirements for keys and certificates should be documented as 'clear, unequivocal statements of intent' and this is really important in ensuring that whatever PKI solution is put in place is capable of meeting those requirements. Requirements should be mapped to design artefacts such that it is clear what aspect of the solution meets the stated requirement. Designs can then be used for deploying internal solutions or can be taken to Managed Service Providers (MSPs) where an organisation may be considering having their keys/certificates managed by a third party. For a good guide to writing requirements, see the NASA Handbook, which I mentioned during the event. Writing requirements and helping with PKI solutions is also something that we can help with at nCipher Security.
We really enjoyed collaborating on our first LinkedIn Live session and are keen to hear from you as to what PKI topics you'd like us to discuss in future. You can contact me via LinkedIn with your thoughts and ideas.
If you missed the live session, why not catch it now here.