By Tomas Gustavsson, PrimeKey
As cybersecurity gets more complex and the threat landscape evolves, PKI remains, as always, one of the underpinnings of a robust security infrastructure. As technology evolves faster, so does PKI, and the teams responsible for operating it must be on their toes to keep up. Running a PKI demands more from your team for a number of reasons.
Technical standards change fast
Technical standards evolve fast, with new protocols and algorithms being taken into use and old ones being phased out as insecure or insufficient. New products in your environment use new protocols to communicate and new algorithms to protect their communication. On the PKI side, we see new protocols such as EST and extended use of REST APIs, as well as changes in how older protocols are used, such as OCSP with the introduction of OCSP stapling. New algorithms such as ECDSA and RSA-PSS are quickly entering the mainstream. Neither your old PKI nor your old systems were equipped to handle this 5-10 years ago, so a transition and continuous evolution is needed to keep systems secure.
Audit requirements become stricter
If you are in a larger enterprise or in a regulated industry, chances are high that you will be affected, one way or the other, by audit standards like WebTrust, eIDAS or industry-specific requirements such as those of the CAB Forum. In addition to these, there are other domain-specific requirements, such as Certificate Transparency for web server certificates, and cloud, IoT and grid security standards. More regulations are coming.
In response to increased threat awareness, audit standards are also rapidly evolving to keep up, meaning that compliance is not something you can implement once and then rest on. You must keep abreast of new changes in the requirements every year. Recent examples where strict guidelines have changed, and you need to adapt, are TLS, code signing and digital signature certificates.
Software changes faster
You may think that you are not affected because you only run an internal PKI in your organization, and that these standards only affect regulated CAs. But that can be a dangerous assumption. Much of the software in the ecosystem, such as the web browsers and email clients that your users rely on every day, also changes rapidly in response to new threats and updated requirements. Therefore, if you don't keep yourself updated, you may find one day that your users cannot connect to your internal systems, or are faced with security warnings, after a simple web browser update.
Be educated and keep security and DevOps together
Keeping up to date is hard even for seasoned security experts, so how can the typical enterprise stay on top of it? The simplest recommendation is that if you are affected by any of these standards, you should set time aside for a person responsible for compliance to monitor the landscape and plan changes in good time. Changes are usually announced well before they go into effect, and with good planning they can be rolled into your normal DevOps routines.
Security today is an integral part of an agile enterprise, and security and operations teams must work closely together, align their goals and plan activities jointly.
Upgrade your PKI systems
PrimeKey spends a lot of time implementing new standards and features as they emerge, both in EJBCA for the pure PKI and in SignServer for time stamping and digital signature standards. Our aim is that new versions of our solutions, containing the features you need to be compliant, are available in good time. We love working with you to understand your discussions about new requirements.