If there’s one thing I know, it’s public key infrastructure (PKI). PKI enables a trusted environment by authenticating, encrypting and ensuring the integrity of data and users. PKI is more important than ever, as organizations are doing a less-than-stellar job protecting their users’ data from inadvertent exposure, such as exposed APIs or poor authentication. Forty-three percent of businesses were a victim of a cybersecurity breach in the past year, based on the recent “Cyber Security Breaches Survey 2018.”
There are a lot of misperceptions and assumptions about PKI and encryption. In fact, many people are afraid of it. Working with people to better understand and implement the technology is hugely rewarding to me. Here are 10 questions about PKI I have has received this year. While most of these questions typically require lengthy discussions, I thought I’d boil them down to one or two lines to make for easy reading:
Do I need a Hardware Security Module?
Yes. You know you need it, but the complexity and cost are scaring you away. Your PKI will be nowhere near as secure without it.
Should I publish my Certificate Revocation List to Active Directory?
No. Build a highly available website (two or more sites) and publish the CRL there. You will be providing access to everything in your environment without locking yourself into Microsoft’s AD walled garden of access. Unless you are doing a click-click-click install of ADCS, don’t use LDAP integrated CDP/AIA.
Do I really need two-person integrity?
Yes. Who has access to all of the authentication and information in your organization? Well, indirectly at least, YOU do (or your network admin does). You may be trustworthy, but what about your new team member you hire a year from now? Everyone’s luck runs out eventually. Don’t gamble with your security; your best administrator today is your worst security nightmare tomorrow.
What should I do with my PKI?
Well, besides love, care and talking to it nicely, do what most organizations are doing: Wi-Fi authentication, mobile device management, VPN authentication, internal SSL/TLS and code signing. But be careful of code signing; if you aren’t it will come back to bite you.
Help me. My PKI XXXXXX needs to be rebooted, restarted, talked to daily or it breaks. Is this normal?
No! Your PKI should be like a Sherman tank: slow-moving, sturdy and mostly boxy looking (this keeps the DevOps people from playing with it!). If your PKI is unable to run months on end without daily rituals, then something is seriously wrong.
Will the cloud make my PKI more secure?
No, nothing about the cloud will make your PKI more secure. We can use the cloud to make your PKI more accessible and more dynamic, but it doesn’t add a single security layer.
Do I need two Certification Authorities?
No. You only need one CA.
Virtual or physical servers for a CA—which is better?
Virtual machines do nothing to improve CA security. Physical is better.
What key size and hash should I use?
Do you like secure things? RSA 4096 and SHA384. Do you like to please people? RSA 2048 and SHA256.
Another admin wants a subordinate CA certificate for their fancy appliance. What should I do?
Say no! First, though, make sure they aren’t completely wrong in their request. Then, if they do need it, make sure you restrict the heck out of that certificate (application policies, path length, etc.).
Don’t be shy about implementing a PKI solution. It is designed to manage the creation, storage, transmission and authentication of digital certificates and their associated encryption keys—exactly what’s needed in organizations today.