More and more companies are becoming targets of terrorists and other nefarious cybercrooks. But you can help make...
yourself more secure through the use of digital certificates.
With cyberterrorism and random cracker attacks becoming a constant threat today, many organizations need to tighten their security, both internally and externally. And pretty much any company should heed this statement; as much more of the nation's industrial and public support infrastructure -- including water supply, energy, military and communications systems -- becomes automated, the consequences of cyberattacks that would disrupt those functions grow. In particular, companies that do business with the government may soon be required to enforce certain security levels.
If you're not a government contractor, though, you may think that your business isn't that much of a target. But heed the lessons of the past; many of the Allies' primary targets during World War II were industrial targets such as ball bearing factories or oil refineries. But even if you don't qualify for such a classification, you still may be vulnerable, if not to terrorists, then from a wide array of threats ranging from bored script kiddies and crackers to business rivals.
It's a jungle out there for sure, but you can help protect your network and enhance your corporation's security with digital certificates. These are collections of data that bind a public key to an entity's private key. Digital certificates provide a means by which users, computers, programs or other entities can verify identities. They also help administrators provide services such as secure e-mail, smart card authentication, software source verification, secure Web sites and solutions such as confidentiality, non-repudiation, integrity and authentication.
Organizations use certificate authorities (CAs) to issue certificates to their clients. Certificate authority is a very formal sounding term, but it is merely an entity on a network that issues and manages secure credentials. Companies can choose to set up and manage their own certificate authorities or use a third-party provider that specializes in security solutions, such as VeriSign (www.verisign.com). They can also use a combination of these two options to create customized solutions. There is no one ideal solution that fits everyone. Your solution depends on business needs, budget constraints, your degree of interaction with outside entities and the sensitivity of your data.
A small company, for example, without in-house expertise or free IT staff time, may choose to use a third-party solution to handle all of its certificate needs. Because the actual CAs are located in a secure facility at the third-party provider's site, such an option avoids a large part of the cost of running a secure CA enterprise.
Large companies, on the other hand, may want to either set up their own CA systems or use third-party companies to handle part of their workloads, while reserving approval or denial of certificates to their own security administrators. In such an instance, users submit requests for certificates to a third-party provider, and the company's security administrator can then review and approve or deny each request.
What kind of CAs can you set up? You have two choices: enterprise and standalone. The one you pick usually depends on whether you're running Windows 2000 and Active Directory or just Windows 2000 without Active Directory. Let's consider how the business requirements that cause your organization to need certificates can affect your choice of a CA model.
Enterprise certificate authorities
Enterprise certificate authorities use Active Directory and have the advantage of having user and group information readily available to assist in user verification. Enterprise CAs can use templates for certificates, allowing individual CAs to issue specific types of certificates. Enterprise CAs for larger companies are typically set up in certificate hierarchies, with one or more root CAs, one or more intermediate CAs and issuing CAs that actually issue certificates to various clients. This allows for sub organizations, such as departments or groups, to control issuing certificates for appropriate interactions with those organizations. So an intermediate CA might be the sales department that issues certificates to each salesman in the company for accessing corporate inventory information. The sales force could get that info, but not info from the HR department, which would issue its own CAs for whatever purpose is appropriate.
The security of root CAs is critical to any organization. If your root CA is compromised, your entire CA structure is compromised. The cost of providing and monitoring physical and network security of CAs, especially root CAs, can be high. That's one reason many companies choose a third-party company to either host their root CAs or provide for all of their CA needs.
Standalone certificate authorities
Standalone CAs are often used when an organization wishes to use certificates in an extranet wherein, for example, communications occur with a supplier. Standalone CAs can also be used in a hierarchy, depending on the volume of expected traffic. One disadvantage of standalone CAs is the fact that, by default, they always put all requests into the Pending Queue until review by an authorized individual for approval or denial, causing increased administrative overhead.
With a standalone CA, you also have to address the issue of user verification. (This is also an issue with enterprise CAs, where a network becomes compromised through unauthorized access via a variety of methods, ranging from password hacks to someone's obtaining a user name and password by subterfuge.) Some readers may remember when an imposter was able to obtain a couple of Microsoft certificates by posing as someone authorized to request them.
Verification is always a major issue and one that is critical in both standalone and enterprise CA environments. Administrators may require faxed proof such as a driver's license, company ID, a code, a supervisor's phone call or e-mail, or even fingerprints before issuing a certificate. One of the disadvantages of a standalone CA is that you cannot issue smart card certificates for Active Directory logon.
You can choose to use a mixture of enterprise and standalone CAs if, for example, you wish to strictly separate internal and external network functions. However, this adds significantly to your administrative overhead and increases other costs.
Administrators should remember that digital certificates do not by themselves encrypt or otherwise prevent others from reading information. One must use either Secure Socket Layers (SSL) and/or another solution in combination with certificates to provide security for secure Web sites, encryption and so on.
Some excellent sources for further information are:
- Digital Certificates, by Jalal Feghhi, Jalil Feghhi and Peter Williams, published by Addison-Wesley
- Windows 2000 Security Little Black Book, by Ian McLean (excellent author), published by Coriolis
- ISA Server and Beyond, Real World Solutions for Microsoft Enterprise Networks, by Dr. Tom Shinder (another excellent author), published by Syngress Publishing
- The Microsoft Resource Kit for Windows 2000
- Microsoft's TechNet
- There is a white paper on the Microsoft Web site that discusses public key infrastructures in general and Microsoft's implementation of PKI specifically.
About the author
Douglas A. Paddock, MCSE, MCT, CIWSA, CIWCI, A+, N+, is a frequent contributor to SearchWin2000.com and has written many articles on the subject of Windows security.
For more information, visit these resources:
- Executive Security Briefing: It's a matter of trust: Digital certificates and e-signatures
- Scheier's Security Product Roundup: PKI complexities, cost hold promising technology back
- Ask the Expert: Different digital certificates for different company Web sites?