In a world of persistent, advanced cyber threats, data loss and leaks, building trusted networks is essential. It has become a strategic imperative to secure information and address the threat from hostile groups, including those involved in crime, espionage, activism, warfare and terrorism.
Every user and device must be authenticated and have controlled authorisation to access sensitive data. Add the need to comply with industry regulation and government legislation for data protection, and a robust, future-proof encryption strategy becomes an immediate concern for many organisations.
What is Public Key Infrastructure (PKI)?
Public Key Infrastructure (PKI) is a term used to describe the technology that enables authentication of users and devices on a network and protects communications in the digital world. Made up of certificates, encryption, software, hardware, processes and policies, a PKI architecture allows organisations to build trust into their networks and to send data securely, through authentication, confidentiality and data integrity.
How does PKI work?
A PKI is a set of hardware and software that is able to create, manage, distribute, use, store and revoke digital certificates and public keys. A Certificate Authority (CA) is a PKI with policies, processes and procedures as well as people in defined roles that are used to administer and run the PKI for a system or systems. Certificates are broadly used for three purposes: encryption, identification and digital signatures.
PKI works through the deployment of cryptography, providing all users in a group with a set of cryptographic keys: a public key and a private key. The public key is available to any user that connects to the website or network and is used to encode a message sent to you. The private key is a unique key, generated when a connection is made, which is kept secret and used to decrypt the message when you want to receive it. When communicating, the client uses the public key to encrypt and decrypt, and the server uses the private key.
In order for PKI to work, digital certificates, much like a person’s passport, are used to establish the identity of the users involved. CAs manage the lifecycle of all digital certificates within a system. The CA is trusted by both the owner of the certificate and a party using the certificate, underpinning the security of the system and all transactions and exchanges protected by the certificates they issue.
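The trust relationship described above, as an added sketch that is not from the original article: a CA signs a binding of subject name to public key, and a relying party checks that signature with the CA public key already in its trust store. It uses textbook RSA over known Mersenne primes with no padding, standing in for real X.509 and a vetted crypto library; the names `Example Root CA`, `Unlisted CA`, `server.example` and every function name are constructed for this example.

```python
import hashlib
import json

E = 65537  # widely used RSA public exponent

def make_key(p, q):
    """Textbook RSA key pair from two primes (toy construction, no padding)."""
    n = p * q
    return {"public": (n, E), "private": (n, pow(E, -1, (p - 1) * (q - 1)))}

def _digest(body, n):
    # Canonical JSON encoding, hashed and reduced into the modulus range.
    encoded = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(encoded).digest(), "big") % n

def issue_certificate(ca_name, ca_key, subject, subject_public):
    """The CA binds a subject name to a public key by signing both."""
    body = {"issuer": ca_name, "subject": subject,
            "public_key": list(subject_public)}
    n, d = ca_key["private"]
    return {"body": body, "signature": pow(_digest(body, n), d, n)}

def verify_certificate(cert, trust_store):
    """A relying party accepts only signatures made by a CA it trusts."""
    issuer_public = trust_store.get(cert["body"]["issuer"])
    if issuer_public is None:
        return False  # issuer is not in the trust store
    n, e = issuer_public
    return pow(cert["signature"], e, n) == _digest(cert["body"], n)

def demo():
    # Constructed keys from known Mersenne primes; not suitable for real use.
    ca = make_key(2**89 - 1, 2**107 - 1)
    other = make_key(2**61 - 1, 2**127 - 1)
    server = make_key(2**521 - 1, 2**607 - 1)
    trust_store = {"Example Root CA": ca["public"]}

    good = issue_certificate("Example Root CA", ca, "server.example", server["public"])
    altered = {"body": dict(good["body"], subject="other.example"),
               "signature": good["signature"]}
    wrong_key = issue_certificate("Example Root CA", other, "server.example", server["public"])
    unknown = issue_certificate("Unlisted CA", other, "server.example", server["public"])
    return {"valid": verify_certificate(good, trust_store),
            "altered_subject": verify_certificate(altered, trust_store),
            "signed_by_wrong_key": verify_certificate(wrong_key, trust_store),
            "unknown_issuer": verify_certificate(unknown, trust_store)}

if __name__ == "__main__":
    print(demo())
```

Only the certificate signed by the trusted CA's private key over unmodified contents verifies; changing the subject, signing with a different key under the CA's name, or naming an issuer outside the trust store are all rejected.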
What is PKI used for?
The most widespread implementation of PKI is Transport Layer Security (TLS), which was preceded by Secure Sockets Layer (SSL), where it is used to provide communications security over a computer network. However, there are many other uses of PKI, including:
- Digitally signing documents, transactions, software, applications
- Authentication of smartphones, tablets, games consoles, citizen passports, mobile banking, smart cards
- Providing a recovery key for an encrypted hard drive
- Securing internal communications with database servers
- Securing local networks
- Securing and encrypting messages and emails
- Securing access to Internet of Things (IoT) devices
- Encrypting and decrypting files
Why is PKI important?
Almost all security controls come down to authentication and access control; determining who has the right to decrypt data and access applications is critical. PKI combines encryption and authentication to make trustworthy communications online possible, delivering the essential elements for a secure and trusted business environment.
As business models evolve and become more dependent on electronic transactions, digital documents and IoT devices, PKIs are expected to support larger numbers of applications, users and devices across complex ecosystems. Without the deployment of a PKI, the integrity of an organisation's data and systems remains exposed and increasingly vulnerable.
How to check the health of your PKI
The Airbus PKI Health Check exposes hidden operational, compliance and security issues along with specific recommendations to optimise your PKI, ensuring it meets organisational, regulatory and industry policy. By looking across the business we ensure no obvious weaknesses are ignored, whether physical, people, process or technology.
Our infrastructure and networks cover the globe and are tailorable to meet your requirements. Get in touch today to find out how together we can optimise your security posture.
Jeffrey Farr
Principal Engineer, Airbus Secure Communications