Back in the late ’90s at the height of the Dot.com boom, I worked at a new company that would today be classified as Information Security. People were less worried about security than they are today, and the industry as a whole was a fraction of the size.
We were selling two main capabilities – Web Single Sign On and Public Key Infrastructure, both of which are as relevant today as they were at the start of this century. While Web SSO – or Access Management – was something that users were starting to grasp within the outset of the internet explosion, PKI was not a topic to discuss over a beer with your friends – unless your friends were all into crypto algorithms.
The reason I’m reflecting on this all these years later, is that as I recently met with a group of people at a social event, and it amazed me that they were all talking about certificates, and the management of their lifecycle. These were not IT people, but come from all walks of life and industry ranging from finance to car manufacturing to agriculture.
For those readers in the UK, the reason for this topic will have been difficult to avoid – the outage on the O2 mobile network. It quickly transpired that the offending component — an expired certificate – was the reason behind the outage and that the “faulty software” that was being decommissioned was actually a core piece of the infrastructure to ensure the secure communication between the inter-components of the mobile network – something that should never be seen or heard once deployed.
The challenge is that because of where certificates and PKI are in the ecosystem, and the level of competency needed to understand this, most organisations struggle to effectively operate and manage their PKI. According to Wikipedia, “A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.”
Thus a PKI is not just a technology – it requires appropriate policies and procedures, suited to an organisation’s needs. As the next iteration of technology advancement is underway with Cloud Services, there are ways in which experts in this field can relieve some of the tasks organisations try to manage in-house today, which typically are only looked at on an infrequent basis.
Entrust Datacard has seen an increasing number of customers looking at the potential to move their Certificate Authority to the cloud and have experts like EDC manage the roles, policies and procedures needed for several reasons – from high assurance requirements – to coping with a lack of in-house skills or the expense thereof.
We have also seen the somewhat false economy of it being cheaper to use a “free” CA and manage this internally. There are cost effective options available; but this might mean considering different commercial models than deployed or bundled software and moving to a managed/cloud service.
As outlined above there is more to PKI than a technology, and there are experts out there to help. But nothing is free in this world, and as the saying goes “buy cheap, buy twice.” Be careful on what you are promised and speak to the customers of the vendors you are considering. The CA you run today, may not be considered a business critical risk, but it underpins so much of what organisations rely on today that it can’t be set up, put in the corner and forgotten about.