Public key infrastructure (PKI) is a powerful security solution for implementing identity-first security and a zero trust approach. PKI uses digital certificates and associated cryptographic keys working together to establish identities for resources on networks and authenticate them for secure access. The key pair corresponding to a digital certificate is used to create a secure encrypted channel for communication. The authentication and encryption combination ensures trusted network access and protects data in transit.
Even though PKI is not a new security strategy, many organizations still struggle to understand its potential to avert security breaches. Frequently, PKI is used only to secure internet-facing websites and applications. However, increased concern regarding organizational risk in today’s global cybersecurity landscape is driving organizations to see PKI in a new light and leverage it for more use cases.
A broad range of PKI use cases
PKI technology is used to securely enable and support a broad range of capabilities required for modern infrastructure and applications. Common use cases include:
Server certificates and automation
PKI is the basis for digital certificates, including the secure sockets layer (SSL) and transport layer security (TLS) protocols that lay the foundation of HTTPS secure web browser connections. These digital certificates and associated keys encrypt HTTPS communications and establish trusted client-server connections. Without PKI certificates like SSL and TLS, threat actors could more easily exploit the internet and other IP networks to intercept messages and access their contents, including private card industry (PCI) data and personally identifiable information (PII).
PKI is also the basis for secure shell (SSH) keys. SSH keys are a type of X.509 certificate that provides secure access credentials used in the SSH protocol. SSH is widely used for communication in cloud services, network environments, file transfer tools, and configuration management tools to authenticate identity and safeguard those services from unintended use or malicious attacks. SSH keys also enable the automation of connected processes like single sign-on (SSO), as well as identity and access management at scale.
Modern security teams require the ability to establish and authenticate identities enterprise-wide regardless of whether those identities belong to humans, devices, data, or applications. Passwords offer a measure of security, but they are not as effective as they once were because bad actors have become increasingly capable at:
- Misleading users into entering passwords at phishing websites or through other social engineering tactics
- Stealing passwords insecurely exchanged over the internet
- Discovering passwords by conducting reconnaissance of repositories
- Deriving passwords through brute force algorithms designed to discover passwords
Compounding these issues is the human factor: people habitually reuse, share, and forget passwords for any number of reasons, including password overload due to the sheer number of systems they need to access.
An efficient passwordless authentication solution via PKI certificates with hardware tokens can help ensure that only legitimate users and employees gain access to sensitive information and corporate resources. Digital certificate-based authentication, which relies on PKI architecture, validates the identity of the users to the servers. With signed public-key certificates you can validate the identity of the key holder. Digital certificates, such as X.509 certificates, contain a public key and an identity, and are either signed by a trusted certificate authority (CA) or self-signed. Certificates issued by a CA can also be used to secure user interactions on websites and endpoints.
Certificate management for DevSecOps
ACME (automated certificate management environment) is a protocol for automating the lifecycle management of certificates issued by a CA to clients such as company servers, devices, and more. Expanded use of certificates, including TLS, to secure applications, services, and databases increases the burden and operational risk associated with manual certificate management. The ACME protocol solves many of these risks by enabling security and platform teams to:
- Automate the management of certificate domains
- Provision trusted certificates
- Monitor certificate expiration
The primary rationale for DevOps teams to adopt ACME is the simplification and automation it provides to manage the complexities of modern certificate management. IT teams rely on ACME to help manage their certificate needs because:
- It has reduced IT costs
- ACME is an open standard
- It is considered a best practice for PKI certificate management
- It has ongoing community-based enhancements and support
- It increases organizational agility by adding and supporting backup CAs
Based on PKI technology, code signing is the process of digitally signing executable files and scripts using a signing tool and a digital certificate. Code signing protects your company, partners, and end users from software tampering when downloading executable program files — especially ones from unsecured channels like the open internet.
There are two main reasons to digitally sign code:
- To share the identity of the organization publishing the signed file
- To verify the integrity of the file – making sure that it has not been corrupted or maliciously altered since it was signed
Best practices associated with code signing include:
- Controlling access to private keys
- Protecting private keys with a FIPS-140-2 Level 3 hardware Security Module (HSM)
- Time-stamping code
- Understanding the difference between test-signing used in non-production environments versus the more secure release-signed certificate used by end users in production.
- Authenticating code to be signed
- Revoking compromised certificates
Digitally signing code brings two additional benefits:
- Increased user confidence in your software.
- Boosting your reputation as a software developer. The more signed software you publish, the better your reputation. For example, Microsoft code signs its software to help ensure customers are downloading the right files. Signed software also helps antivirus and malware detectors: signing your software lets them flag suspicious, unsigned versions of your software.
Private certificate authority
As noted above, a certificate authority (CA) is the trusted authority that ultimately verifies and confirms the identity of users, machines, or applications accessing an organization's IT infrastructure. Without the strong identity authentication PKI provides, threat actors could design an attack to compromise data, which can result in data loss, security breaches, and financial theft. Certificate authorities can be public or private. The primary rationale for leveraging a private CA are:
- Your organization requires a high volume of certifications because of rotation frequency to improve security.
- Your organization requires limited, or private, access to the CA instead of public access.
By leveraging a private CA, an organization can establish itself as the source of truth for its connected devices, employees, and processes inside its network.
The benefits of a private CA include:
Lower risk: By using a private CA an organization can significantly reduce the risk of unauthorized access to its data and systems because employees are generally restricted to specific servers, file directories, or devices in the organization.
Increased efficiency: Private CAs enable management of certificate provisioning, installation, and revocation of digital certificates by allowing network administrators to define and automate PKI standards and practices that meet their organization's specific requirements. This level of control is particularly useful for organizations, such as financial institutions, that need to comply with specific security requirements.
Faster speed: Finally, the control and agility provided by managing private CA certificates can reduce time to market, while automating administration of these internal certificates can free up employee time for more strategic tasks.
Authenticated IoT devices
While connected internet of things (IoT) devices provide many business benefits, their environment is only as secure as its weakest link. Identities and credentials are often hardcoded into IoT devices or are left unmanaged, leaving networks susceptible to malicious distributed denial of service (DDoS) attacks. PKI makes it easier for organizations to ensure that only authorized IoT devices connect to their networks and can more easily manage identity security and standards across all their IoT devices.
PKI is essential to identity-first security
PKI is a key component of a holistic approach to establishing and securing digital identity and staying ahead of threats. PKI has been available for decades and is considered a gold standard for authentication, encryption, and secured communications. PKI-enabled digital certificates are routinely used to authenticate, digitally sign, and encrypt credit cards, passports, e-commerce websites, connected devices, and much more, shielding them from compromise or breach.
Using HashiCorp Vault to meet your PKI needs
The demand for protecting workloads, applications, services, and IoT-connected devices is driving rapid growth and demand for PKI services. These environments tend to be highly distributed — geographically as well as technologically — forcing IT teams to cope with multiple PKI automation platforms.
PKI is a critical pillar in HashiCorp Vault’s zero trust security architecture, where everything is authenticated, every action is authorized, and data is always protected.
Vault is a multi-cloud platform that automates and unifies certificate management with a single control plane. It supports automated provisioning, installation, revocation, and renewal of a wide array of X.509 certificates via industry standard PKI protocols, APIs, and more than 200 partner integrations.
Learn more about Vault and PKI
- What is public key infrastructure: See how PKI governs the provisioning of digital certificates to protect sensitive data, establish digital identities, and secure communications.
- What is ACME PKI? Learn about the ACME protocol for PKI, the common problems it solves, and why it should be part of your certificate management roadmap.
- PKI hosting: Cloud-based PKI vs. self managed: Discover the benefits and differences of hosting PKI workloads in the cloud versus an on-premises approach.
- X.509 certificate management with Vault: Practical public key certificate management in HashiCorp Vault using dynamic secrets rotation.
- Certificate issuance external policy services (CIEPS): Vault Enterprise includes an external policy service for issuing PKI certificates. Learn about its benefits and how it compares to existing policy services.
from HashiCorp Blog https://bit.ly/4aECf9n