There are several key elements that make up mature public key infrastructure implementations. We’ll explore 5 questions you can ask to ascertain how mature your organization’s PKI is.
The PKI Consortium, formerly the CA Security Council, rolled out its first draft of a PKI Maturity Model (PKIMM). The idea, which is inspired by Carnegie Mellon University’s Capability Maturity Model Integration (CMMI), aims to help organizations evaluate and gain better insights into the capabilities of their public key infrastructure (PKI) implementations to achieve greater security and digital trust.
It should come as no surprise that virtually every organization’s security, to some extent, relies on PKI. After all, it’s the foundational technology and framework that internet security is built upon. But creating this proposed maturity model brings to mind a question every organization should ask: How mature is my PKI implementation?
Let’s hash it out.
5 Questions to Ask Yourself to Evaluate Your Organization’s PKI Maturity
Public key infrastructure (PKI) is about having the right people, policies, and technologies in place to secure your organization’s data and create digital trust via cryptographic security and digital identity. Achieving a mature PKI involves carefully assessing and evaluating your existing PKI capabilities, security posture, processes, tools, and performance to identify areas for improvement.
The Consortium’s proposed framework breaks a PKI implementation down into four modules comprising 15 categories. Each category is scored at one of five maturity levels, and those scores are averaged to produce an overall maturity rating across all of the categories.
Of course, there’s more to it than that, but we aren’t going to get into the nitty-gritty details. (Click on the links above to learn more about the specifics of the PKI Consortium’s proposed PKI maturity model.) Instead, we’ll focus on some questions you can ask to evaluate the maturity of your organization’s PKI implementation.
1. Where Do PKI Security and Compliance Rank Among Your Organizational Priorities?
Your PKI Engineer can scream about PKI-related concerns until they’re blue in the face. But if they’re the only person saying it, and those concerns aren’t recognized or shared by the company’s executives or board members, then nothing is likely to change.
Strong PKI security is supported and promoted from the very top. Without robust, leadership-driven security and compliance initiatives, you’ll likely:
- Not have access to the tools and systems you need
- Struggle to achieve organizational security goals with insufficient budgets
- Be hard-pressed to get others to follow best practices
- Be non-compliant with industry standards and risk regulatory penalties
If you’re unsure how to talk to your boss or other leaders about PKI (or cybersecurity in general), we’ve put together a list of things to keep in mind.
2. How Do You Track and Manage the Certificate Lifecycle (And Is It Enough)?
The certificate life cycle covers everything from key generation and enrollment, through issuance, deployment, renewal and revocation, to expiration and the retirement of the key pair. An essential element of this process is visibility. This means knowing vital information about each certificate and the key pair associated with it:
- What PKI certificates you have
- How many certificates and keys you have
- Where they’re in use within your network
- When the certificates will expire
- Who is responsible for managing them (and do they have appropriate access)
If you have a mature private PKI, you’ll have already evaluated how best to optimize your organization’s life cycle management capabilities to increase its security, performance, and efficiency. But if you’re a large enterprise that’s still using Excel spreadsheets to manually manage and track the hundreds of thousands of digital certificates that exist within your IT environment, it may indicate that your PKI maturity is in the early stages of development and needs work.
Here are some resources for cryptographic key management that you might find helpful:
- PKI Management: Private Key & Certificate Life Cycle Management Best Practices
- Certificate Life Cycle Management Best Practices (eBook)
3. What Are You Doing to Lock Down Access to the Company’s PKI Systems?
Access to your PKI should be carefully managed and protected. Only a small number of people need access to your cryptographic resources, so grant it on a least-privilege basis: only to those who need it to carry out specific functions, and only for those functions. Furthermore, access to all sensitive systems and data should be based on authorized and validated digital identities rather than shared secrets.
Without these safeguards, anyone who obtains a shared or stolen credential can pass as one of your employees or other authorized users and reach your critical systems and data.
To learn more about how to secure access to your PKI and IT infrastructure, check out these resources:
- The Role of Access Control in Information Security
- Client Authentication Certificate 101: How to Simplify Access Using PKI Authentication
4. How Secure Are Your Cryptographic Keys?
Carefully evaluate your key management technologies, processes, and resources to determine how they align with industry standards and best practices. Use this information to identify areas for potential improvements.
Are you storing private keys on internet-facing servers, next to the applications that use them? Are they kept in compliant hardware (an HSM) or a cloud key vault that keeps the key material non-exportable? Do you run a CA hierarchy, with an offline root that signs only the issuing CAs and an online issuing CA that signs everything else, so the root key never touches a networked system? The difference between these approaches is night and day, and how an organization answers these questions shows where it sits on the PKI maturity scale.
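The following Go program is an added example, not code from the original article or from the PKI Consortium, that ties question 2 and question 4 together: it runs a constructed two-tier signing ceremony in which the root key signs only the issuing CA, validates leaf certificates with the root alone in the trust store, and then builds the inventory question 2 asks for (subject, issuer, expiry, owner, and whether renewal is due). The CA names, hostnames, lifetimes and the ownership map are all hypothetical, and keys are generated in software here only because a real ceremony would generate them inside an HSM or key vault.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey generates a P-256 key; real CA keys are generated inside an HSM or key vault.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a certificate template for either a CA or a TLS server leaf.
func template(cn string, serial int64, ca bool, lifetime time.Duration, now time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(lifetime), BasicConstraintsValid: true, IsCA: ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl for pub with signer's key under parent (pass tmpl as parent to self-sign); a ceremony that cannot complete must not continue, so failures panic.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Hierarchy is a two-tier CA: an offline root, an online issuing CA, and the leaves it issued.
type Hierarchy struct {
	Root, Issuing *x509.Certificate
	Leaves        []*x509.Certificate
}

// BuildHierarchy runs a constructed signing ceremony; names and lifetimes are hypothetical.
func BuildHierarchy(now time.Time) *Hierarchy {
	rootKey, issuingKey := newKey(), newKey()
	rootTmpl := template("Example Offline Root CA", 1, true, 20*365*24*time.Hour, now)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	// The root key's only job is to sign the issuing CA; it then goes (and stays) offline.
	issuing := issue(template("Example Issuing CA", 2, true, 5*365*24*time.Hour, now), root, &issuingKey.PublicKey, rootKey)
	return &Hierarchy{Root: root, Issuing: issuing, Leaves: []*x509.Certificate{
		issue(template("app1.internal.example", 100, false, 90*24*time.Hour, now), issuing, &newKey().PublicKey, issuingKey),
		issue(template("legacy.internal.example", 101, false, 20*24*time.Hour, now), issuing, &newKey().PublicKey, issuingKey),
	}}
}

// VerifyLeaf trusts only the root, as a TLS client would; the issuing CA is an untrusted intermediate.
func VerifyLeaf(h *Hierarchy, leaf *x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.Issuing)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: leaf.Subject.CommonName, CurrentTime: now})
	return err
}

// Entry is one inventory row; Owner comes from an out-of-band map (assumed), not from the certificate.
type Entry struct {
	Subject, Issuer, Owner string
	NotAfter               time.Time
	DaysLeft               int
	Renew                  bool // expires within the renewal window
}

// Inventory answers the visibility questions (what, who issued it, when it expires, who owns it, what is due for renewal); unowned certificates are flagged, not hidden.
func Inventory(certs []*x509.Certificate, owners map[string]string, now time.Time, renewWithinDays int) (inv []Entry) {
	for _, c := range certs {
		owner, ok := owners[c.Subject.CommonName]
		if !ok {
			owner = "unassigned"
		}
		left := int(c.NotAfter.Sub(now).Hours() / 24)
		inv = append(inv, Entry{c.Subject.CommonName, c.Issuer.CommonName, owner, c.NotAfter, left, left <= renewWithinDays})
	}
	return inv
}
```

Swap the constructed hierarchy for certificates loaded from your own stores (x509.ParseCertificate on PEM-decoded blocks) and Inventory becomes the expiry and ownership report a spreadsheet cannot keep current. Note that VerifyLeaf has to be handed the issuing CA explicitly: a relying party that trusts only the root is exactly why the intermediate must be deployed alongside every leaf.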
Here are some resources on key management best practices that you might find helpful:
- What Is a Key Management Service?
- The Ultimate Guide to Key Management Systems
- 12 Enterprise Encryption Key Management Best Practices
- 14 SSH Key Management Best Practices You Need to Know
5. Are Employees Equipped to Securely Manage the Organization’s PKI?
The president at one of the higher education institutions where I worked used to have a saying that stuck with me: No matter what your role, it’s your responsibility to help students get to class in the best condition for learning.
The same concept applies to organizations and their employees. You have a responsibility — to your customers, employees, board members, and other stakeholders — to ensure your team is trained, equipped, and otherwise prepared to keep your PKI secure, effective, and operational. Some ways to help prepare them to do their best include:
- Equipping employees with the tools they need to be effective in their roles
- Giving them informational resources to help them develop new skills and expand existing ones
- Encouraging employees to seek additional educational opportunities beyond what your organization offers
10 Signs You Have a Mature Public Key Infrastructure
So, what are some signs that your organization ranks among PKI mature organizations?
- Implementing a scalable PKI that meets your organization’s future needs.
- Using digital identity-based authentication in lieu of less secure security measures.
- Having a robust set of security goals and using PKI automation to help achieve them.
- Adopting sufficient budgetary allocations that support future PKI-related goals and initiatives.
- Having robust and up-to-date policies, documentation, and related resources to guide day-to-day activities.
- Meeting (or, ideally, exceeding) standards and compliance with relevant laws and regulations.
- Enforcing policies that mitigate risks and reduce potential costs.
- Providing the specialized training, tools, and resources your PKI team needs to be successful.
- Educating non-technical employees to recognize and respond to potential cyber threats.
- Incorporating interoperable tools and technologies within your IT environment.
PKI maturity isn’t something that any organization can achieve in a day. It’s an investment of effort, time, and resources that will take a while to build but will pay off in the long run. The more secure and mature your PKI is now, the better prepared you’ll be to deal with future threats and minimize the risks and costs associated with them.
Have other pertinent questions you think should be added to the list to better gauge an organization’s PKI maturity? Be sure to share them in the comments below.