My organization is exploring the idea of implementing our own public key infrastructure. What are the benefits...
of having our own internal PKI -- especially in terms of costs and management?
It's quite common for large enterprises to run their own public key infrastructure (PKI), acting as an internal certificate authority (CA) and installing their own root certificate in the trust stores of all the company's devices. The main benefit of having internal PKI is that internal services can be configured to only accept certificates from the enterprise's own CA chain, in theory making it harder for hackers to impersonate genuine users. Digital certificates are a vital part of PKI security technologies like signed and encrypted email, signed documents, VPN access and SSL authentication because they provide a means to establish the ownership of an encryption key. The other benefit is that self-issued certificates are free, and that it's a solution that scales well. However, reality is somewhat different.
Microsoft Certificate Services, for example, provides all the software and programs needed to run an internal PKI, and is included with Windows enterprise servers. The root certificate can also be distributed to all domain-connected objects based on group policies. However, adding it to the trusted store of every version of every app on every machine is a lot more challenging. The certificates themselves may be free, but the resources required to securely manage internal PKI have to be factored into the overall cost. Not that many enterprises have internal IT staff who are qualified and capable of properly managing and securing a PKI in accordance with standards like CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, or the Mozilla CA Certificate Policy.
The security and integrity of the root signing keys are critical and require physical as well as logical security controls to be deployed. The mission-critical nature of a PKI means enterprises must be able to provide a constant quality of service, and perform specialist tasks required in certificate lifecycle management and validation services, such as renewing certificates, maintaining and updating certificate revocation lists and running online certificate status protocol services.
Before deciding to implement internal PKI, carefully weigh the costs of the necessary hardware, staff and infrastructure against the costs of outsourcing. An in-house CA is only really useful for internal corporate use, as its certificates won't be trusted by devices and services outside of the organization. Internet-facing servers will still need a certificate from a publicly recognized CA. Most public CAs specializing in outsourcing now offer Active Directory integration and cost-effective certificate options for internal purposes, eliminating the hassle of managing an internal CA, while offering technical expertise and the latest in security technologies.
Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Find out how to address challenges in AWS Active Directory integration
Read about the fragmentation of common PKI approaches
Learn if the eDellRoot certificate vulnerability points to a larger problem
Dig Deeper on PKI and digital certificates
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading