Building and maintaining trust with customers, stakeholders and the wider community is an integral part of any successful business. Yet, in today’s cyber-attack era, with attackers developing more advanced techniques every day, sustaining that trust has never been more of a challenge. It is for this very reason that many organizations are, by necessity, “upping their game” to safeguard data and protect themselves, and ultimately their customers, from cyber-attackers.
As an example, an organization with a critical role in maintaining trust for the internet met just last week for an important ritual. They got together for the DNSSEC Root Signing Ceremony – which is defined as “a rigorous procedure around signing the root Domain Name System (DNS) zone’s public keying information for the next few months”.
This ceremony is critical to safeguarding the DNS, which houses the database that translates web addresses such as google.com into the numerical IP addresses that computers use to locate web servers. This database and the cryptography that protects it employ a combination of multiple physical and electronic security processes to protect its crucial data; we only need to think back a couple of weeks to the DDoS attacks that took down DNS services from Dyn and disrupted service to the likes of Twitter, Amazon and Netflix to see the importance of this data.
But how does this relate to your organization?
Well, firstly, it is important to note that increasingly elaborate security ceremonies occur in more organizations than you might think. When highly sensitive data is at stake, or audit and compliance standards are rigorous, or big money or reputations are on the line, establishing a root of trust is serious business. And with organizations placing more reliance and trust on their public key infrastructures (PKIs), you have to start right at the top: the root key.
The private portion of a public-private root key pair is the most sensitive data element in a PKI. If it is compromised, the trust in all certificates issued below it is nullified. Best practices dictate several levels of physical and electronic security, involvement of multiple parties, and detailed documentation for audit purposes for any operation in which root keys are generated or accessed. Deep within those layers of security, Hardware Security Modules (HSMs), purpose-built, certified cryptographic devices, are typically used to generate and protect private root keys. Many organizations choose to take the HSM offline and store it in a safe when it is not in use.
As you can imagine, HSMs are also used to enforce strict policies for access to root keys, which is typically a very infrequent process that requires multiple authorized individuals – strongly authenticated and with access credentials issued using a highly secure process – to participate. This access is highly scripted, and can include video recording, notarization, and other legal representation, depending on the requirements of the organization. As with the DNS example, the logistics of bringing the right number of authorized participants together alone is sometimes onerous, not to mention all the technical measures – forgotten smart cards or passcodes can derail the most meticulously planned root key signing ceremony.
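The quorum rule described above (k of n authorized holders must be present before a root key can be used) can be modelled with Shamir secret sharing over a prime field. The following is an added example, not code from the original post or from any HSM vendor; the prime, the share counts and the secret are constructed for illustration.

```python
# Added example: k-of-n threshold sharing of a root-key secret (Shamir).
# Any k shares reconstruct the secret; k-1 shares reveal nothing about it,
# which is the property an HSM relies on when it requires a quorum of
# card holders for root key access. Standard library only.
import secrets

# Constructed field prime: the Mersenne prime 2^127 - 1 (fits a 16-byte secret).
PRIME = (1 << 127) - 1


def split_secret(secret: int, k: int, n: int):
    """Split `secret` into n shares (x, y) such that any k reconstruct it."""
    assert 0 <= secret < PRIME and 1 <= k <= n
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the prime field."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def quorum_demo(k: int = 3, n: int = 5):
    """Return (k holders succeed, k-1 holders succeed) for a random secret."""
    secret = secrets.randbelow(PRIME)  # stands in for the root key wrapping secret
    shares = split_secret(secret, k, n)
    with_quorum = recover_secret(shares[:k]) == secret
    below_quorum = recover_secret(shares[:k - 1]) == secret  # wrong value, not the secret
    return with_quorum, below_quorum


if __name__ == "__main__":
    print(quorum_demo())  # (True, False)
```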
While these ceremonies are conducted in secret, and seem like something from popular fiction, they play a critical role in establishing and maintaining trust for an organization. If a root key were to be compromised, the effects would range all the way from downtime of applications that depend on the PKI, to a loss of trust in the transactions that depend on the PKI until a new root and the subordinate issuing certificate authorities beneath it could be established, and the user and device certificates below it reissued. That is before considering potential reputational damage and other business-level consequences.
Our most recent study examining global PKI trends – conducted by the Ponemon Institute – reveals some positive steps that are being taken regarding safeguarding PKIs. We found worldwide usage of HSMs, most prevalent with offline root Certificate Authorities (CAs) and issuing CAs, rose four percent over last year’s study, up to 32 percent. We also saw increased use of automated means of certificate revocation – another important best practice that helps assure that compromised, or potentially compromised, keys and associated certificates are taken out of use and not accepted for subsequent transactional use.
While this is certainly a step in the right direction, many firms are still using lower security options such as passwords to safeguard mission-critical PKI. And this could put them, and their customers’ data, at risk. And as we saw in the example of how the root DNS keys are protected, those that take trust seriously are taking security of sensitive data and critical applications to greater heights.