Subscribe to Email Updates

By Walter Cooke


Text Size

- +

Topics: Risk Management

There are many important components used to provide proper organizational cybersecurity. Identity & Access Management (IAM) and cryptography are two of the most important aspects of building an effective security environment. You cannot assume that someone accessing company data is automatically allowed to do so; you must confirm the person’s authorization and ensure all sensitive information is protected using robust access controls, cryptographic services, and security best practices. 

Download "The CISO’s Guide to Cybersecurity Management" e-Book

Public key infrastructure (PKI) employs hardware and software services that generate and manage public and private encryption keys used to create digital certificates—authorized and non-reputable identification that is much like a virtual ID card. This allows both users and networked computers to exchange data securely over internal and external networks while being able to verify and identify each party and cloak their data from any other observer. 

Today, digital certificates provide services such as secure online banking, encrypting private email messages, authentication and establishing the non-repudiation of business transactions, and hosting secure cloud services over the internet.

How Does PKI Work?

A full PKI service consists of several components: a certification authority that generates keys and digitally signs certificates, a registration & management service, a certificate database for storing certificate information, certificate publication services, and a key archive server to securely back up sensitive keypairs. 

The “key” creation process in PKI uses a complex algorithm that generates a pair of long numbers with unique properties. A digital certificate is created from a pair of cryptographic keys—one key that is public, the other being private—that are used to encrypt and decrypt sensitive information. The public key and private key are generated together. 

The public key is securely stored in a digital certificate that can be freely published and used to establish the identity of the certificate user. Usually, the private key is securely held by the company to decrypt data that has previously been encrypted using the corresponding public key. Alternatively, a user’s private key can be used to digitally sign a message that can be subsequently verified as having originated from that user by checking the message’s digital signature using the corresponding public key.

Why Should I Use PKI?

Regulatory bodies define and approve the types and use cases for cryptography, and regulatory requirements often require you to secure sensitive, regulated data that your company acquires from its clients. You must use an approved process to protect sensitive information such as credit card and PII data, and PKI has shown to be a mature, effective means of doing so. 

With PKI, you can enforce encryption of sensitive information. Your end users can use digital signatures to verify that content originates from the expected source and establish non-repudiation services over sensitive and high-value business transactions. 

PKI is not a perfect system, especially if you have no key management system in place. The ease with which companies of all sizes can now implement a standard PKI system (for example, using Microsoft’s certificate authority service) has ensured its central presence in the enterprise IT environment. 

Often, these services are quickly installed with little oversight or thought for compliance and auditability requirements. However, the addition of one specific management service can help ensure the ongoing success of the system.

The Importance of PKI Management and Oversight

The productivity and security automation practices that PKI and associated cryptographic services bring to your organization depend on your ability to manage and maintain the security of the certificates and associated keys over their full life cycle. Cryptographic processes are rarely broken by inherent weaknesses but more often through poor key management. 

Effective PKI management must consider all stages of a key’s lifecycle through generation, storage, usage, revocation, renewal, archive, and, ultimately, destruction. A breakdown at any point in the lifecycle can reduce the trustworthiness of the PKI and leave your company scrambling to repair the damage to trust and security over the PKI. 

Some companies, in response to the ease with which intruders can breach networks, control access to sensitive cryptographic services by providing separate secure networks and making them accessible only through specially secured, monitored, and audited servers. 

Public key infrastructure is an effective method of providing cryptographic services for businesses of all sizes. An appropriate system that will manage both public and private keys in order to maintain the confidentiality and availability of your company’s sensitive IT assets is required. The first step is to plan for the ongoing lifecycle requirements that are needed to keep your keys safe over their entire lifespan, using appropriately managed security services.


Walter Cooke

Walter is the senior manager of cyber advisory at Difenda. He has over 40 years of IT security experience in the health, telecommunications, insurance, financial, government, military, and intelligence communities. He specializes in public key infrastructure, threat modelling, and risk assessment work. Walter also has expertise in security governance and management including policy and standards development, and audit and insurance work using ISO, ETSI, OSFI, and FIPS standards.

Find Walter Cooke on: