PKI and its role in facilitating remote work

PKI and its role in facilitating remote work
Anand Purushothaman
4 Aug, 2020

Remote work is the new normal, and it’s here to stay, at least for the foreseeable future. As workforces adapt to it, analysts predict that working from home will continue to be accepted as a paradigm even once the COVID-19 pandemic ends. 

However, it is not perfect. It comes with baggage such as bandwidth issues, or interruptions by pets, and more importantly, security concerns. When employees need to access the company’s servers from home using their personal devices, the threat of malicious actors trying to infiltrate corporate networks gets amplified. 

To make remote working seamless and safe, DevSecOps teams need to constantly review and revise encryption and authentication policies and practices. PKI (Public Key Infrastructure) is the most popular way to not only ensure secure and encrypted communication between parties, but also help authenticate the identity of all parties who communicate or transact with each other. Public-key cryptography is employed to guarantee data integrity and to prevent hackers from intercepting data in-transit or at rest.

PKI rests on the concept of certificates and keys. Digital certificates (or x.509 certificates) serve as proof of endpoint authenticity. These are documents assigned to any user or server that participates in encrypted communication, a bank for example. When you contact your bank’s website, a digital certificate ensures that the information displayed on your screen comes from a genuine site that you requested to access, and not a sham website designed to collect and misuse personal info. 

This stamp of authenticity is what a digital certificate provides, and this is facilitated by Certificate Authorities (CAs). In simple terms, CAs, certify that the owner of a private key is indeed whom they claim to be.

PKI is used in many different ways -- securing emails, web transactions (for eg: e-commerce or bank transactions), signing of documents digitally, smart card authentication, etc.

The role and importance of PKI gets amplified during occurrences such as a pandemic, where there have been increased incidents of cybersecurity attacks/breaches. That’s why every modern enterprise is leveraging digital certificates to ensure secure communication between itself and its users and which could potentially spread across multiple sets of connected devices or endpoints. 

Typically, the IT, SecOps or NetOps teams are responsible for managing and maintaining the every-increasing number of certificates, each with their own expiration date, issued by multiple certificate authorities (CAs), and dealing with unique system vulnerabilities that need to be individually monitored and addressed.

Why? While working remotely company resources get opened to external access (the use of VPN notwithstanding) every single touch-point becomes a potential weak link for hackers to break in and steal data. For instance, if the certificates associated with an application have expired, not only would it result in downtime, it would also mean that consumers of the application might be sending and receiving information over an unencrypted line thereby making data breach all the more vulnerable.

The bottom line is that certificates and keys should be constantly renewed and rotated, especially in remote working scenarios. 

But how can organizations hope to do that with hundreds or thousands of users and an equal number of certificates on file, if not more? This puts the focus on the need for a certificate management system. 

A certificate management system does away with the need for manual maintenance of certificate lifecycles and renewals. As the number of connected devices continues to grow, it is becoming virtually impossible to maintain control over the PKI infrastructure, prevent security breaches and system outages without a dedicated automated certificate management system.

The Gartner X.509 Certificate Management report states that:

  • Many weak and damaging outages both in external and internal-facing systems can be traced directly to unplanned X.509 certificate expiry issues.
  • In the absence of a certificate management system organizations tend to rely on manual tracking methods and manual processes to keep track of certificates, which may or may not account for undocumented installations. This increases exposure to risks.
  • Unknown and unmanaged X.509 certificates pose a security risk because some may be based on deprecated cryptographic algorithms.
  • New sources of X.509 certificates, such as free SSL/TLS certificates, makes the use of undocumented certificate by developers and DevOps teams more likely (much like shadow IT).

The use of a certificate management system assumes more importance especially when dealing with complex, multi-vendor, and multi-cloud environments, especially at a time when operational agility and efficiency can spell the difference between businesses surviving the rough times or buckling under the pressure of strenuous circumstances.

In times like these, when many organizations are deferring investments on their NetOps and SecOps processes and tools, we believe that this is the right time to explore a solution that could not only help you weather the current storm by protecting your networks and assets while your employees are working remotely, it might just be an opportunity to put in place new business practices that will continue to serve you in the future. 

The number of connected devices is only going to increase and having an end-to-end certificate management and automation platform could prove to be a worthwhile long-term investment.

Anand Purushothaman

Anand Purushothaman

Anand Purushothaman is founder and CTO of AppViewX. The views in this article are his own.