Using PKI to Protect Your Business Information

  • Written By: Arash Nejadian
  • Published: December 24 2003

Using PKI to Protect Your Business Information
Arash Nejadian - December 24, 2003

Executive Summary

As organizations evolve, they require new business models to become more efficient or to simply survive in this electronic age. Interconnection between vendors, suppliers, customers and employees through ERP and CRM tools, has become a competitive edge. The value of intellectual property has skyrocketed and the need to protect it has become more critical. Information security can be summarized in three categories:

  1. Secure applications framework

  2. Intrusion detection and response

  3. Perimeter control

Public Key Infrastructure (PKI) addresses the first of these categories. Secure applications framework implies that not only the software and hardware infrastructure exist but also that a cohesive plan, often called the security policy, has been put in place. In general terms, this security plan must consider people, business processes, technologies and how they will interact to conduct business in a secure and trusted fashion. The infrastructure must provide services such as data confidentiality and integrity, user authentication, non-repudiation on transactions and access control.

Like ERP and CRM infrastructures, a Public Key infrastructure has become an enabler of business objectives by increasing revenue, reducing costs, meeting industrial and governmental compliance mandates or reducing risk.

PKI provides a systematic approach to information security. Rather than addressing the security service needs individually, PKI builds an infrastructure that cohesively provides security to a broad range of applications and resources.

Secure Desktop Environment
Desktop computers and laptops have become home to the most important assets an organization has: its intellectual property, sales forecasts, customer information and strategic plans. This leads organizations who want to conduct sensitive business electronically to implement enhanced security for the files and folders that reside on their organizations' electronic devices.

Secure Messaging
By adding security to each e-mail message, PKI makes it possible to increase confidence in the identification, privacy and verification of e-mail communications. Any Secure Messaging Solution should provide the ability to encrypt and digitally sign important communications, including any type of attachments, so that only intended recipients can access the message, both in transit and at its end destination(s). This solution should also protect against the proliferation of viruses and malicious code by integrating with industry-leading content scanning products. These safety measures make it possible to optimize e-mail usage and increase the reach, speed and return achieved through an organizations messaging activities.

Secure E-Forms
Private organizations and government agencies spend a lot time and money handling paper forms. The benefits of moving those data collection processes online are in the form of cost reduction, processing error reduction and decreased processing time. The benefits of using e-forms translate to virtually any government or business process, including applications such as:

  • Enrollment for services (benefit or loan applications)

  • Financial services (invoicing, purchase orders)

  • Regulatory compliance and reporting (environmental reports)

  • Employee services (timesheets, expense reports)

  • E-Filing (revenue or court documents)

  • Law enforcement reporting (arrest, transfer or release reports)

  • Licenses and permits (driver's and hunting/fishing licenses)

While the benefits of using e-forms are tremendous, security and privacy concerns, including digital signature requirements must be addressed prior to implementing e-form solutions. Secure ERP & CRM: Using PKI-enabled ERP and CRM Solutions, companies can accelerate the deployment and acceptance of secure business processes. Through existing products used for Secure Desktop and Secure Messaging and additional toolkits, Secure ERP and CRM Solutions make it possible to authenticate the parties involved in a business process transaction and digitally sign transactions.

Secure VPN Solution
A VPN is achieved by establishing an encrypted tunnel for users and devices to exchange information over the Internet. Username/password is the simplest method of authentication but it carries inherent risks. Integrating VPN products with a PKI solution addresses those risks.

Secure Wireless LAN
802.11 wireless LANs, pose significant security threats to nearly all corporate and government enterprises around the world. By using 802.11-compliant wireless devices, which are readily available and increasingly deployed, an organization may in fact be offering a drive-thru window to its network resources. Drive-by Hacking and war driving can pose serious security threats to an organization. The 802.11 standards include a security component called Wired Equivalent Privacy, or WEP, and a second standard called Shared Key Authentication. But most of the times these components are not enabled. Therefore it is necessary to layer more security on top of any wireless 802.11 system. The preferred method for securing wireless networks is to layer additional security by using a PKI-enabled VPN.

Secure Web Portal
Creating a secure online doorway increases the value of services delivered to customers, partners and employees. It is necessary to mitigate the risk of sharing information, accepting commitments and delivering services over the public Internet. A secure Web portal mitigates risk of unauthorized access to resources and has an auditable trail to support transactions.

Single Sign On
With users spread across multiple platforms and accessing multiple applications, the single sign on feature of a PKI allows them to logon only once and gain access to all the resources they are entitled to.

Technology Overview

PKI Security Services
The Public Key Infrastructure will be used to provide authentication, confidentiality, non-repudiation and privacy for a variety of applications running on multiple hardware platforms. Encryption and digital signature technology provides many security needs such as data confidentiality, integrity, authentication, and non-repudiation. It is important that the company providing this technology is a strong corporate entity The Public Key Infrastructure will consist of hardware and software to issue and revoke keys mapped to X.500 objects, and software development tool kits for developing client and server applications.

The PKI will use public key encryption and digital signature technologies to ensure the authenticity and integrity of sensitive information in electronic transactions, to protect the confidentiality of such sensitive information and to support non-repudiation. It will provide a range of services to its users, including digital signature key management services, confidentiality, certificate management services, directory services, end-entity initialization services, support personal tokens if required, and non-repudiation services.

The issuance of digital certificates does not ensure that a user's access is properly monitored, that privileges associated with access are accurately and currently defined, or that the certificates in question have not been withdrawn or replaced. To address these needs, enterprises require a robust public key infrastructure that supplements the straight certificate issuance functions with full life cycle issuance of public keys.This includes issuance, authentication, storage, retrieval, back-up, recovery, updating and revocation of keys and certificates in an easy-to-use cost-effective manner.

The certificate management capability will maintain and distribute X.509-based public key certificates and certificate revocation lists to ensure secure communications between any pair of entities supported by the PKI. Provisions will also be required for inter-operation with end-user systems supported by external PKIs operated by other organizations.

PKI Architecture
The architecture of a PKI describes the organization of its Certificate Authorities (CA) and their trust relationships. In a real world enterprise environment, users under one CA need to communicate with users under a different CA. There are two basic solutions to this problem. First, each user can maintain a list of the CAs he deems trustworthy. This may be reasonable for a small number of CAs, but places the burden squarely on the user. Alternatively, the CAs can establish trust relationships between themselves. Users can combine these trust relationships to form a certification path. This shifts the burden from users to the infrastructure but it adds additional complexity in the certificates that CAs issue to each other. Certificates issues to CA's may contain information that describes or limits CA trust relationships. Such information is not required in user certificates.

Problem Overview

The following is a partial list of questions a prospective customer would need to address in order to find the optimal PKI solution:

  • What lifecycle management features are required?

  • What is the optimal platform for hosting the directory?

  • What are the optimal encryption and digital signature algorithms?

  • How many CAs are directly trusted by the user?

  • What types of trust relationships exist between the CAs?

  • How easily can new CAs be added to the PKI?

  • How complex is the construction of certification paths?

  • How complex is the verification of certification paths?

  • What is the impact if a CA is compromised?

  • What X509v3 compliant applications need to be supported?

TEC's PKI Knowledge Base

PKI Knowledge base is a tool that provides a structured, repeatable process for evaluating PKI technology solutions and the vendors that provide them. There is certainly room to ask the fundamental question of whether the traditional practice of RFI/RFP processes has been adequate to the task of selecting complex systems. The record indicates there is much room for improvement. In essence, for complex selections like the case of PKI solution, the human-machine combination has to work together to drive the solution. Both sides have to be understood and complement each other in the process. It is easy for the human to be overwhelmed, or simply run out of time, and the machine interface and engine to be inadequate to the task. However, the results must benefit the process if human and machine can function effectively together to process information and avoid the pitfalls of past selection processes.

TEC experts are presently evaluating some the leading vendors such as: Baltimore Technologies, Certicom, Digital Signature Trust, Entegrity Solutions, Entrust Technologies,, IBM, Microsoft, RSA Security, TC Trust Center AG and Verisign.

To accommodate different needs and/or budgets, TEC offers different options for accessing PKI Knowledge Base content at Interested parties are invited to visit the site regularly for updates and new vendors.

comments powered by Disqus