What do you think about using a PKI to manage laptop encryption? Is an isolated product preferred?
The decision to use public key infrastructure (PKI) for laptops, or any other part of your network, should be based on the risk level of the systems you're trying to protect and the compatibility of PKI with your network architecture. Depending on your requirements, PKI might be appropriate, or it may be overkill, in which case you should consider a laptop encryption product.
PKI systems can be expensive and complex. But in the past two years, they've had a bit of a renaissance, as prices have come down and they've become easier to deploy. They still aren't for the faint of heart, but they're also more flexible and can integrate mobile devices like PDAs and laptops.
First, let's briefly review what PKI entails. PKI is a way to store public keys and their certificates when using asymmetric, or public-private key encryption. Unlike symmetric encryption, which uses a single secret -- or private -- key, asymmetric encryption uses two keys, one public and one private. The idea behind asymmetric encryption is to solve the problem of securely transporting an encryption key over a public network like the Internet. Obviously, a private key moving across the Web could be easily compromised.
In asymmetric encryption, the two keys are mathematically related but one can't be used to generate the other. So, if the public portion of the key is captured or sniffed off the wire, it can't be used to generate the private key. Someone wanting to encrypt a message uses the receiver's public key, freely available from a public key store, like PKI, and the receiver decrypts the message with his or her private key. The private key always remains on the sender's and receiver's individual systems and is never sent over a public network.
PKI provides a neat and clean way to manage this whole process by storing the public keys and the digital certificates that verify their authenticity.
If the idea is to prevent the loss of data from a stolen laptop, a full-disk encryption product, like those offered by SafeBoot Technology or Entrust Inc., might fit the bill. These products encrypt the hard drive and require a user ID and password before the machine boots up.
If the idea is just secure communication from the laptop to the office, then VPN solutions like Citrix Systems Inc. and Cisco Systems Inc. might be the way to go.
But you may want to integrate laptops into an overall PKI architecture if the laptops are accessing high-risk systems, such as those holding sensitive customer data.
Microsoft Windows Server 2003 uses Windows PKI that can be extended to laptops on the network. Another interesting product is eToken from Aladdin Knowledge Systems. The eToken is a USB client that securely generates and stores keys and their certificates. The token can be plugged into a laptop and then removed when done, keeping keys off the laptop, where they could be compromised.
Other PKI vendors include RSA Security (now owned by EMC Corp.), VeriSign Inc. and eTrust from CA Inc.
For more information:
- In this tip, Noah Schiffman discusses the pros and cons of IP-based and signature-based authentication systems.
- Joel Dubin discusses the best ways to compare PKI products and vendors for enterprise implementation of PKI.
Dig deeper on PKI and Digital Certificates
Related Q&A from Joel Dubin, past SearchSecurity.com expert
The security of RFID chips and smart cards may not be fully mature, but there are best practices to keep facilities safe. Identity and access ...continue reading
Picture passwords for mobile device security aren't a new idea, but they have been recently improved. Identity and access management expert Joel ...continue reading
Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.