PKI a panacea? It's only part of your strategy on security
- By Carlos A. Soto
- Jun 09, 2005
Carlos A. Soto
PKI'public-key infrastructure'is a term that gets thrown around a lot but one that, I think, few people truly understand.
Most people know that PKI has something to do with security, and many think of it as a total solution for identity management and access control.
But unless you actually work within the walls of IT security, it's tough to understand that PKI is just the first step in creating a secure agency.
A techie would define PKI as a system of certificate authorities that use digital certificates to verify and authenticate the validity of data transmitted in an Internet transaction between two or more parties.
Raise your hand if you know what that means.
Put more simply, PKI is a way of making sure that the person on the other end of the e-mail or transmitted data is the person you're trying to reach. PKI requires that a provider of registration services, called a certificate authority, issue a digital certificate, or an attachment in the form of a capsule at the end of encrypted data.
The capsule seals all the information and contains instructions on how decode the transmitted data. The principle is similar to sealing medieval scrolls with wax. If the digital signature is tampered with, the recipient will know.
PKI has proven effective in securing data and replacing the user name and password system, which is time-consuming and easy to hack.
The problem with PKI is cost. And by cost, I mean not only money but also time. Whether you set up a CA in your own network or outsource the job, it involves considerable planning and takes up a lot of staff time.
And digital certificates have to be set up differently for each agency, since they must contain agency-specific information.
More important, PKI is not a panacea for your security needs. In the grand scheme of things, it should be only part of your agency's identity management and access control policies.
PKI is an effective way to ensure that your data arrives undisturbed. But there's more to keeping your data secure. How do you know the person sending the information is authorized to see or send the data? How do you really know who's reading the data on the other end?
Does all this make your head spin? Relax: Here are some tips to help you organize your IT security.
First, see where PKI fits in your organization and what security holes you need to plug. Communication is essential. Make sure you address your concerns to your staff, get requirements from them and provide those requirements to your superiors.
Second, plug security holes one at a time. Don't overwhelm yourself by trying to kill two birds with one stone. It's also important for you to establish realistic goals. Taking baby steps not only helps appease the boss but also helps with funding.
Third, recycle old technology. Recycling old but usable equipment frees up funds you can use to buy technology you do need. Pull that Radius server out of the closet, revamp it and get a state-of-the-art firewall.
Fourth, determine the importance of the data you're securing. If you can quantify the importance of your data, you can make a case for getting the right security tools for the job and taking the time to plan effectively.
PKI is often sold as a total cure for securing your network. But keep in mind that it's only one part of a secure network, and apply the rules for structuring a secure network. This will let you sleep at night.