How PKI Enables Your Digital Business
The role of PKI in digital business transformation
Why effective key management is important
Secure and reliable exchange of information has been one of the most important topics in cyber security over the past decade. The protection of information with cryptographic means is the number one measure against unauthorized access to information. Where cryptographic processes were not sufficiently implemented in the past, IT often decided to protect information with other measures, like network isolation or manual, offline data exchanges.
In a digitalized business, the exchange of information with different business applications in various IT operating environments is fundamentally necessary to realize the business benefits. The business lines need to be able to rapidly on- and off-board business applications, depending on their needs. Applications are already consumed from cloud providers because on-premises deployments often take too long or are not available at all. This implies the need for excellent IT asset management processes, but also for the ability to protect business information in distributed IT deployments without a long lead time and high cost.
Network-based mitigation measures for information access risks are less applicable because information can no longer be kept in central places. However, to realize the business benefits, the exchange of information between different services must be secure and reliable, and the integrity of the sent data must be guaranteed.
Cryptographic practices can provide those measures by either encrypting information to prevent unauthorized access or digitally signing information so that the sender can be verified. Public Key Infrastructure (PKI) has been the first choice for a trusted and managed environment around cryptographic key material in the past. For a long time it was mainly owned and operated by IT departments on a best-effort basis for the secure exchange of information in web application cases (HTTPS), but without a solid foundation of rules, processes and automation capabilities. In a digitalized business, reliable and secure access to information is incredibly important, and ad-hoc cryptographic key management practices create more risk than they help the business achieve its targets. Big business service outages (e.g. caused by expired TLS certificates of core components) were often the result of non-existent or insufficient certificate monitoring, discovery and key lifecycle practices.
Beyond securing information from unauthorized access, the role of PKI in IoT will lie more in allowing the receiver of information to verify the integrity of the information and the identity of the sender. Where companies digitize their factories and production lines, reliable information from such facilities is foundational to implementing effective and secure IoT services (e.g. predictive maintenance). Thus, verification of cryptographic keys in such use cases will have a stronger position in the overall cyber security and business continuity concepts.
Current PKI challenges of enterprises
Many enterprises struggle with PKI for several reasons:
- There is insufficient support in the organization because the importance of PKI for business success is underestimated by top management
- CISOs are faced with many other cyber security challenges and thus often put PKI aside because operationally it somehow works in IT
- Missing expertise in IT hinders the implementation of effective key management processes and PKI solutions
- Companies struggle with the required investment in the topic due to a lack of transparency about PKI market services and about the right mix of self-operated and managed service components
Often, key management lifecycle processes are performed ad hoc and within decentralized operations units. PKI is somehow provided and operated centrally; however, certificate discovery and key lifecycle processes are either not triggered automatically at all or are based on fixed schedules and email notifications to the persons responsible for the business application or to IT operations personnel. If a recipient is on vacation or the email is overlooked, certificates quickly expire and interrupt the business service.
Ineffective PKI service setups
If central PKI teams exist, they have typically been made responsible by the business for ensuring that certificates do not expire, without the ability to exchange them before expiry without involving the business or IT operations. Thus, central PKI teams have built services with optional adoption and placed the clear responsibility for certificate expiration monitoring on the business application side. This does not help the enterprise, as certificate management is only one small piece of successful application operation and development. Here, very specific skills and tools are necessary to successfully ensure effective monitoring and management of cryptographic keys, and these are often not available on the business IT side.
Missing chain of trust management
PKI is based on trust in cryptographic keys. In PKI, this is implemented through levels of Certification Authorities. A certificate at each level is issued by the certificate of an issuing Certification Authority, with the exception of the Root Certification Authority (Root CA) certificate. Root CAs form the trust anchor of the PKI and are very important for its integrity: they sign their own certificate with their own private key. As soon as a business application trusts a certain Root CA, all certificates issued by any of the subordinate CAs of this Root CA are also trusted inherently. Enterprises typically do not manage the trust chains of their applications very actively. If a malicious Root CA is trusted by the application, it would also accept information sent with a malicious signature certificate. This opens an additional attack vector for
- Clients, which need to rely on the trustworthiness of the server to which they send sensitive business information, and
- Servers or applications, which need to be sure that information provided by the client is reliable and authentic.
Thus, trust chain management is also an important pillar of a successful PKI ecosystem and must be implemented in a scalable and automated way.
No active certificate monitoring
Due to the fragmentation of responsibilities for cryptographic services, enterprises often have no established monitoring services for digital certificates. It is rather the task of the IT or application operations department to remind themselves by when an application certificate needs to be exchanged. Central PKI teams support them with email notifications before expiry, but once a certificate has been renewed centrally in the CA, there is no further control over whether it has also been installed in the target service. Thus, as long as no active monitoring of certificate expiry in the business applications takes place, the risk of business service unavailability through certificate expiration is real.
Timely renewal of certificates
Certificate expiration can interrupt business services if the one administrator responsible for renewing the certificate is on leave or does not get approval for the business service interruption caused by restarting the application server. Often, time windows for such operational activities are very small because business application owners target 100% application availability, and even the restart of an application server after a certificate and private key exchange must be planned long in advance. If the administrator is not available in this small time window in which a restart of the application server is allowed, the key exchange might not happen and the business application would run the risk of becoming unavailable.
Future challenges – Why headaches will grow
Everywhere we read about digitalization and how businesses need to increase their ability to adopt new market trends and revise product strategies. Cyber security and cryptographic key management must keep pace with business development as a foundational measure for protecting business information. The practices for PKI and key lifecycle management must fulfill new requirements, which are new to many enterprises and their PKI teams.
The rise of cloud services
The adoption of cloud services by enterprises has been growing for years. Consumed service offerings span from IaaS and PaaS up to SaaS, where complete application services are rented.
Every cloud provider and service offering has its own interfaces and mechanisms to manage cryptographic key material. With IaaS, the certificate material for TLS connection security typically has to be provided by the customer (if it is not offered as a component by the cloud provider). With SaaS, the cloud provider takes over the responsibility for TLS certificate management as part of the application operation service. Nevertheless, application-level certificates might be required to secure the transport of information between applications of different providers. Such use cases require interfaces in the SaaS service or automated key lifecycle management if the customer does not want to handle keys manually.
Often, key management is not the most important topic when developing a service offering in the cloud. Providers tend to focus on functionality and shift security integration features to a later point on the timeline. This makes it harder for the PKI team of the enterprise to provide effective and cost-efficient key management services.
Adoption of DevOps
The term DevOps has been used over the past years by many executives, mainly in combination with the speed of business and solution development. This is not entirely wrong; nevertheless, it does not accurately address the purpose, which is the automation of test, deployment, monitoring and development activities in cycles. Automation in DevOps practices is key because otherwise the cycles of new product releases would take much more time due to manual installation, configuration, test and deployment work by employees.
The more DevOps components take over the operational work of employees, the more permissions such services need in the IT ecosystem. Preventing misuse of permissions, manipulation of test data and results, and uncontrolled access to production components is a foundational requirement for secure DevOps practices.
Cryptographic keys have an important role in the overall practice. Almost everything in comprehensive DevOps practices is code, which is interpreted by the involved services for setup, test and deployment. This code must be protected against unauthorized manipulation, which would change the behavior of the affected service; this can be done by digitally signing an automation script. Furthermore, components need access to technical accounts in the IT ecosystem and need credentials to authenticate themselves against central services. Authentication certificates assigned to the respective technical accounts provide the authenticity of the account in the IT ecosystem, and access must only be given to the respective user account of the affected DevOps service component.
Where big risks for economic stability and thus for society exist, regulations in the respective legal environment set requirements for business operations to mitigate such risks as far as possible. The increasing dependency on IT in digitalized business models forces regulators to identify possible issues in business models and to prescribe generic requirements for how to mitigate them.
Cryptographic key-based protection of business information and processes will be one of the main drivers for many business models, securing the transactional exchange of information and access to sensitive business information. While some industry sectors like financial services are already well regulated in many jurisdictions, the key management processes and practices of other industry sectors will be faced with stronger regulation in the digitized age.
Complexity of IoT
The complexity of IT ecosystems will grow dramatically with the further development of Internet of Things use cases and devices. IoT use cases are not only a goal of enterprises seeking to improve business excellence; they are also a huge trend in the consumer industry.
Smart devices in enterprises often support the transparency of production processes, quality improvements and the reduction of maintenance efforts, and they get their own identity, which is represented by service accounts in the respective applications they interact with. Smart devices generate data and share it through the service accounts, which have to authenticate against business applications to prove that they are authorized to share data. This is often done with digital certificates, which combine identity management and authentication in one token. The ability to generate a digital signature over an authentication request proves that the device holds the certificate's private key. The identity of the device is registered in the certificate, which immediately gives the application the capability to identify the corresponding service account and validate the required permissions for sharing or consuming data.
The number of smart devices will grow dramatically in the coming years, so the management of the corresponding credentials must be heavily standardized and automated in a secure way. Key management, which is still done partly manually for employees, must be heavily automated in IoT use cases to realize the business value and reduce operational cost to a minimum.
Next Level of PKI for Enterprise IT
While PKI for the workplace becomes less and less important due to cloud-based workplace workloads and centralized services for encryption and digital signature generation, the management of TLS certificates for IT infrastructure components will remain crucial for secure IT operation and service provisioning.
Apply certificate discovery and monitoring
Expiring certificates and weak cryptographic algorithms in self-signed certificates, often generated by decentralized business IT, are a big risk for business operations and information security. Publicly known cases show that certificate expiry can cause big business interruptions, which can cost millions of euros. Continuous monitoring of issued certificates and automatic key and certificate renewal support enterprises in preventing business services from being interrupted. They also show customers the degree of maturity in secure information handling, which will be the basis for trust in the future, especially with consumers, and can be a market differentiator.
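As an added example (not code from the original article), the following Python script shows the kind of check this section calls for and that the earlier section on missing certificate monitoring described as absent: it reports deployed certificates that are close to expiry and reconciles the CA's issuance log with what the endpoints actually serve, so a renewal that was completed in the CA but never installed on the target service is caught. All CA log rows, endpoints and serial numbers are constructed sample data.

```python
"""Reconcile the CA issuance log with what is actually served on endpoints.
Added example, not from the original article. It models the gap described
there: a certificate is renewed centrally in the CA, but the new one never
reaches the target service, so the old one expires in production unnoticed.
All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

@dataclass(frozen=True)
class IssuedCert:
    """One row of the central CA's issuance log."""
    serial: str
    subject: str
    not_after: datetime

@dataclass(frozen=True)
class DiscoveredCert:
    """A certificate the discovery scanner saw on a live endpoint."""
    endpoint: str
    serial: str
    subject: str
    not_after: datetime

# Constructed CA issuance log: shop and api were renewed, erp was not.
ISSUANCE_LOG = [
    IssuedCert("0A01", "CN=shop.example.test", NOW + timedelta(days=10)),
    IssuedCert("0A07", "CN=shop.example.test", NOW + timedelta(days=375)),
    IssuedCert("0B02", "CN=erp.example.test", NOW + timedelta(days=200)),
    IssuedCert("0C03", "CN=api.example.test", NOW + timedelta(days=5)),
    IssuedCert("0C09", "CN=api.example.test", NOW + timedelta(days=370)),
]

# Constructed discovery results: shop still serves the OLD certificate, and
# legacy serves an already expired self-signed certificate the CA never issued.
DISCOVERED = [
    DiscoveredCert("shop.example.test:443", "0A01", "CN=shop.example.test", NOW + timedelta(days=10)),
    DiscoveredCert("erp.example.test:8443", "0B02", "CN=erp.example.test", NOW + timedelta(days=200)),
    DiscoveredCert("api.example.test:443", "0C09", "CN=api.example.test", NOW + timedelta(days=370)),
    DiscoveredCert("legacy.example.test:443", "FFFF", "CN=legacy.example.test", NOW - timedelta(days=2)),
]

def days_left(cert, now):
    """Whole days until expiry; negative when the certificate has already expired."""
    return (cert.not_after - now).days

def expiring_soon(discovered, now, warn_days=30):
    """Deployed certificates expiring within warn_days (or already expired), soonest first.

    This looks at what is actually installed on the endpoint, not at what the
    CA has issued, which is the monitoring the article says is usually missing.
    """
    soon = [c for c in discovered if days_left(c, now) <= warn_days]
    return sorted(soon, key=lambda c: c.not_after)

def renewed_but_not_installed(issued, discovered):
    """Subjects whose newest CA-issued certificate is served by no endpoint.

    Returns (subject, newest_serial, [endpoints still serving an older cert]).
    Subjects the CA never issued (e.g. self-signed) are out of scope here.
    """
    newest = {}
    for c in issued:
        if c.subject not in newest or c.not_after > newest[c.subject].not_after:
            newest[c.subject] = c
    deployed = {(c.subject, c.serial) for c in discovered}
    findings = []
    for subject, cert in newest.items():
        endpoints = sorted(d.endpoint for d in discovered if d.subject == subject)
        if endpoints and (subject, cert.serial) not in deployed:
            findings.append((subject, cert.serial, endpoints))
    return sorted(findings)

if __name__ == "__main__":
    for c in expiring_soon(DISCOVERED, NOW):
        print(f"EXPIRY  {c.endpoint} serial={c.serial} days_left={days_left(c, NOW)}")
    for subject, serial, endpoints in renewed_but_not_installed(ISSUANCE_LOG, DISCOVERED):
        print(f"STALE   {subject} newest_serial={serial} still_old_on={','.join(endpoints)}")
```

In a real deployment the two inputs would come from the CA's database export and a TLS discovery scan; the reconciliation logic stays the same.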
Establish chain of trust management
PKI forms an ecosystem that is based on trust in the issuing certification authorities, which have the duty to prescribe and control the correct issuance and management of certificates, and also their revocation when necessary. By trusting a Root CA, the client inherently trusts all subordinate CAs and their certificates. Thus it is very important to take educated and careful decisions on which Root CA and its infrastructure a client should trust.
Often, clients come with pre-set chain of trust containers, in which a set of trusted CAs has already been provided by the vendor at the time of shipping the solution. Enterprises should review these chains of trust and remove all Root CAs that are not necessary and not used by the organization. This reduces the risk for the enterprise: whenever one of these unmanaged Root CAs becomes insecure, the company could otherwise be faced with malicious certificates presented during the establishment of secure communication channels.
Several key management solutions provide capabilities to monitor and actively manage the chain of trust for various key container solutions. Such capabilities help enterprises keep track of which Root CAs are trusted in the environment and, with that transparency, allow proactive countermeasures on only the affected assets in a timely manner whenever a Root CA is reported as untrusted.
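As an added example (not code from the original article or from any product it mentions), the following Python script implements the trust store review described above together with the chain walking from the earlier "Missing chain of trust management" section: it links each discovered leaf certificate issuer-by-issuer to its root, lists pre-loaded roots that anchor nothing, and shows which assets to act on when a root is reported as untrusted. All CA and asset names are constructed; the model tracks only subject and issuer names and does not verify signatures.

```python
"""Review a client's trust store against the certificate chains actually in use.

Added example, not part of the original article. Each discovered leaf is walked
issuer-by-issuer up to its self-signed root; the result shows which trusted
roots anchor nothing (candidates for removal), which assets depend on each
root (the set to act on if it is distrusted) and which assets chain to a root
the client does not trust. CA and asset names are constructed sample data.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Only the fields needed to link a chain: who the cert names and who issued it."""
    subject: str
    issuer: str

    def is_self_signed(self):
        return self.subject == self.issuer

# Roots the vendor pre-loaded into the client's trust store (constructed).
TRUST_STORE = {"CN=Corp Root CA G2", "CN=Legacy Root CA", "CN=Public Root X", "CN=Vendor Demo Root"}

# CA certificates collected by discovery (constructed).
CA_CERTS = [
    Cert("CN=Corp Root CA G2", "CN=Corp Root CA G2"),
    Cert("CN=Corp Issuing CA 3", "CN=Corp Root CA G2"),
    Cert("CN=Public Root X", "CN=Public Root X"),
    Cert("CN=Public Issuing CA 1", "CN=Public Root X"),
    Cert("CN=Orphan Issuing CA", "CN=Unknown Root"),  # its issuer was never found
]

# Leaf certificates found on assets, endpoint -> certificate (constructed).
ASSETS = {
    "erp.example.test:8443": Cert("CN=erp.example.test", "CN=Corp Issuing CA 3"),
    "hr.example.test:443": Cert("CN=hr.example.test", "CN=Corp Issuing CA 3"),
    "shop.example.test:443": Cert("CN=shop.example.test", "CN=Public Issuing CA 1"),
    "legacy.example.test:443": Cert("CN=legacy.example.test", "CN=legacy.example.test"),
    "kiosk.example.test:443": Cert("CN=kiosk.example.test", "CN=Orphan Issuing CA"),
}

def root_for(leaf, ca_certs, max_depth=8):
    """Follow issuer -> subject links until a self-signed certificate is reached.

    Returns that root's subject, or None when the chain is broken (an issuer
    certificate is missing) or longer than max_depth (guards against loops).
    A self-signed leaf is treated as its own root.
    """
    by_subject = {c.subject: c for c in ca_certs}
    cert = leaf
    for _ in range(max_depth):
        if cert.is_self_signed():
            return cert.subject
        cert = by_subject.get(cert.issuer)
        if cert is None:
            return None
    return None

def review_trust_store(trust_store, ca_certs, assets):
    """Return (roots_in_use, unused_roots, untrusted_anchors).

    roots_in_use:      trusted root -> endpoints anchored by it
    unused_roots:      trusted roots anchoring no discovered asset (remove them)
    untrusted_anchors: anchor (or None for a broken chain) -> endpoints that
                       rely on something outside the trust store
    """
    in_use, untrusted = {}, {}
    for endpoint, leaf in assets.items():
        root = root_for(leaf, ca_certs)
        bucket = in_use if root in trust_store else untrusted
        bucket.setdefault(root, []).append(endpoint)
    return in_use, sorted(trust_store - set(in_use)), untrusted

def assets_affected_by(root, ca_certs, assets):
    """Endpoints to act on when `root` is reported as untrusted."""
    return sorted(e for e, leaf in assets.items() if root_for(leaf, ca_certs) == root)

if __name__ == "__main__":
    in_use, unused, untrusted = review_trust_store(TRUST_STORE, CA_CERTS, ASSETS)
    print("roots in use:", in_use)
    print("remove from trust store:", unused)
    print("chains outside the trust store:", untrusted)
    print("affected if Corp Root CA G2 is distrusted:", assets_affected_by("CN=Corp Root CA G2", CA_CERTS, ASSETS))
```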
Automate key and certificate lifecycle processes
Too often, key and certificate exchange or rollover operations rely on operational staff and require manual interaction. Given that productive business applications have only a very small maintenance window within a rather long period, this requires the availability of the responsible operational staff at exactly that point. Due to vacation periods and typical sickness times, the availability of operations staff can become a critical issue.
Automating the key and certificate lifecycle processes takes this burden from the shoulders of the operations departments and ensures timely execution of the required actions, standardized and auditable in the key management solution. The scheduling can be combined with maintenance planning solutions and triggered immediately when a service ticket status changes.
This not only reduces operations cost, but also increases the reliability of the performed actions, because the process is executed in a reliable way and its effectiveness can be tested automatically by the certificate discovery service afterwards.
Position PKI as business enabler
Due to regulatory cyber security requirements, but also due to the intrinsic motivation of companies to protect themselves against cyber criminal attacks in the digital age, PKI is still seen mainly as a cyber security measure and as a driver for regulatory compliance, cyber security maturity and resilience.
While the trend in big enterprises goes towards decentralized IT to increase the fit for business purposes, PKI services can be better provided centrally, as long as business IT and central PKI teams work together. Central PKI teams must care more about the demands and concerns of the business side, while business IT must understand central PKI teams more as enablers for fast business solution development wherever IT is required.
PKI as Enabler of Digitalization
Many enterprises run digitalization projects to increase productivity by interconnecting different services that were isolated in the past. This requires interoperability between the various solutions in use and a common authentication and trust layer beneath all services.
PKI has been around for decades and nearly all solution providers support the concept to some extent. It has the potential to solve the interoperability problems of authentic communication between all your services. It is the number one authentication solution for IoT platforms. It helps to achieve the confidentiality as well as the integrity targets you may have for your services. Thus, PKI is a strong enabler for digitalization where security is to be built in from the beginning.
Data Privacy – The differentiator in consumer business
Data privacy has been discussed a lot in the past years. With the growing connectivity of enterprises and consumers and the domination of central platforms controlling consumers' personal behavior and information, the call for more self-sovereignty in deciding who is allowed to get what information gets louder. Enterprises need to convince consumers that they deal responsibly with the personal information consumers share with them. Consent management in such platforms stores the decisions of consumers, but today this is mainly handled within the platform itself. Thus, consumers might be cautious about those decisions as long as they cannot prove that a decision has been taken by them personally.
PKI can help here too. There is a rise of digital wallets in which consumers store credentials and use them in situations where they give consent to a certain action. This can be ordering goods, renting a bike or even allowing enterprises to use their personal information for clearly defined purposes. With digital signature certificates stored in their wallets, they can sign those consents and prove afterwards what exactly had been signed. Of course, service providers need to provide transparency about how the signature calculation is performed. Nevertheless, this shows consumers that the credentials to give consent lie exclusively with them.
IoT device identities and credentials
Probably the most exciting role of PKI falls into the area of the IoT. Already today, most IoT platforms rely on PKI to issue access tokens in the form of digital certificates, in order to authenticate a device but also to identify the holder of the authentication token. The beauty of digital certificates is that they combine several advantages in one concept:
- Vendor independence – Digital certificates are not bound to a specific vendor. This means you do not need to buy authentication credentials from the IoT platform provider. Instead, you have the freedom to buy them centrally from any other provider supporting the certificate needs of your IoT platform providers, or even to run your own PKI environment.
- Authentication token – Most IoT platform providers (at least all the big ones) support X.509 certificates for the authentication of devices you manage in their environment. An authentication request signed with the private key belonging to the certificate is used to prove that the device holds the corresponding private key and is thus allowed to access the services assigned to the device.
- Identity token – Certificates store information about the certificate holder. This information can be used to identify the corresponding device identity. Thus, digital certificates combine authentication and identification tokens in one.
- Decentral authentication and authorization – Components that do not have continuous connectivity to central platforms can make use of PKI functionality to authenticate and authorize other components offline. Especially for authorization, the IETF has standardized attribute certificates in RFC 5755, which can be presented to show a service what the device is allowed to do. The service does not need to ask a central platform, as long as the attributes can be understood by the service and the certificate is successfully validated against the chain of trust and revocation information.
IoT device vendors must implement interfaces to manage keys and certificates in their smart devices fully automatically. Then, operational efforts for device identity and authentication key management can be reduced to a minimum and scalability of IoT device deployments can be ensured.
Service to service communication
Machine-to-machine communication has existed for decades. In the past it was built on a case-by-case basis with a lot of effort. Maintenance of these connections was very expensive due to the unique nature of each of them.
In digital business models, flexible communication of various services with each other is very important. Recurring tasks that are fulfilled by operational staff today are to be automated in the future. Robotic Process Automation (RPA) has already been adopted by many enterprises, in a few business processes so far but soon in many. Robots do not act in the IT backend, as was the case for machine-to-machine communication in the past; they act directly in the business frontend and in business applications. Nevertheless, robots are (software) machines and must have access to credentials to be able to authenticate. Assigning static passwords to them is not a good idea because other business users should not have access to such credentials, in order to prevent the impersonation of robotics users by employees.
There are plenty of vendors in the market providing services for automatic password management, which can solve the issue. However, PKI has the advantage of being vendor independent and of working together with various other solution providers. An X.509 certificate is not dependent on a specific identity repository technology and can be used with any identity provider for authentication and authorization. With the right solutions in place, key rollover in the credential store of the RPA user can be done fully automatically.
Integrate PKI in your IAM environment
As shown above, PKI strongly supports enterprises in all of their IAM tasks. Especially in IoT use cases, PKI helps a lot in achieving a scalable and secure identity and access management setup. Enterprises should seriously evaluate whether PKI can support them in achieving their digitalization and IoT targets with reasonable effort, even if expertise first has to be built up. IAM processes can be heavily automated, which gives enterprises the ability to scale their services considerably while keeping operational cost at a reasonable level.
The process and production industry is going to make its production lines much smarter and optimize them further with service monitoring and analytics services. Today's biggest challenge for those enterprises is that they lack visibility into what is running where in their factories.
Connecting a new device that wants to communicate with its environment could trigger an asset discovery service, which in turn triggers the identity management service to uniquely identify the device and create an identity for it. In a service network with asset, vulnerability, patch and credential management, many of the operational processes that create transparency in production environments can be automated.
As soon as an identity has been created and the enterprise knows what type of device has been plugged into the production network, the device is meant to communicate with the production environment and potentially with the outside world. A key management solution can connect to the device and start key generation, communicate with the PKI services to get a certificate request signed, and import the certificate into the device. Depending on the information already gathered about the device, no human interaction is required for that. Keys and certificates will be handled fully automatically by the key management solution, which is integrated into the overall service management platform so as not to interrupt operations.
Role and entitlement management
The asset management solutions store various information about the device and its service environment. Depending on this information, access rights can be assigned to the device; these are held centrally and updated according to your role management processes.
Provisioning of access rights
An access governance solution, which is already available in most enterprises and handles employees' access rights in business applications, can be extended to provision devices' access rights. If provisioning to IoT platforms is required, it depends on the platform providers' integration capabilities whether separate provisioning solutions have to be integrated. In any case, the central access governance solution maintains the access roles and rights centrally and would integrate the IoT platform provisioning solution. Most of the big access governance solution providers have very flexible provisioning engines.