The reality is that your PKI is critical infrastructure. That is not just our view, but also that of analysts and of the many organisations that have experienced a PKI outage which directly impacted other critical business systems.
So Entrust has launched the Cryptographic Center of Excellence (CryptoCoE) to help our customers maintain a healthy PKI and cryptographic estate. But what does it mean for a PKI to be healthy? How do we judge that?
First we must define what a PKI is. Very often we see organisations taking a very technology-centric view of Public Key Infrastructure (PKI). We agree that technology is hugely important, which is why we launched the first commercially available PKI product in the mid-1990s, and continue to expand our product and feature set to integrate with the latest applications and platforms. But technology does not define a PKI. A PKI exists to facilitate trusted transactions and secure communications through the issuance and management of digital credentials. Any secure credential issuance process requires governance to ensure the appropriate assurance level is maintained. When we talk about governance for a PKI, we are talking about the policies, practices, and technology that provide oversight and operational guidance, as well as the technical capabilities of the PKI. Organisations increasingly demand that their PKI issue high-assurance credentials, rather than just pump out certificates.
So, we can conclude that a healthy PKI should be suitably governed. Governance for a PKI starts with a Certificate Policy (CP), which documents what the digital credentials (the certificates) should be used for. It is followed by the Certification Practices Statement (CPS) and Registration Practices Statement (RPS), or procedures for certificate issuance and management, the technical and operational controls enforced, and the audit practices that ensure ongoing compliance of the PKI with the CP.
Where the CP can be thought of as the “what” of PKI governance, the Certification Practices Statement (CPS) forms the “how”, and details the practices employed to implement the policy. Due to the often sensitive nature of the contents of the CPS, particularly regarding the security controls around the Certificate Authority keys, many organisations decide to extract some of the contents into a separate Registration Practices Statement (RPS) document. The RPS provides the details necessary to explain how the PKI will perform tasks such as vetting the identity of the certificate subscribers, without divulging confidential details. The CP, CPS and RPS define the governance of the PKI, and thus allow the PKI to be trusted.
Within the CryptoCoE offering, Entrust delivers services to help customers establish and maintain the governance of their PKI (PKI Governance Health Check and Consulting). This can involve assisting with the initial production of the CP and CPS, or perhaps reviewing existing governance documentation against the latest standards and the current and future business demands on the PKI.
Of course, any outage or vulnerability within the core technology of a PKI must also be identified and resolved in order to maintain its health. This typically includes at least the Certification Authority, the Registration Authorities and the Hardware Security Modules. That is why we also offer services to check the health of the PKI system itself. This involves an analysis of the overall PKI architecture to ensure it provides the appropriate resilience and is compliant with the CPS. Each of the individual technical components of the PKI is then examined to identify any issues. The PKI System Health Check concludes with a report highlighting any issues discovered and recommended remediation steps to be considered.
We feel that a healthy PKI is one that is fit for purpose both in terms of its governance framework and technical implementation. Our CryptoCoE building blocks are thus designed to help our customers establish processes to ensure that their PKI is healthy, and can remain so. This is no more than is appropriate given the critical role your PKI plays in securing your business in the context of the ever-increasing pace of digital transformation.
Further definition of CP, CPS and related documents: RFC 3647 – Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (ietf.org)