Don’t get left behind by quickly changing PKI Standards

By Tomas Gustavsson, PrimeKey 

As cybersecurity gets more complex and the threat landscape evolves, PKI remains, as always, one of the underpinnings of a robust security infrastructure. As technology evolves faster, so does PKI, and the teams responsible for operating it must stay on their toes to keep up. Running a PKI requires more from your team, for a number of reasons.

Technical standards change fast 

Technical standards evolve fast, with new protocols and algorithms being taken into use and old ones being phased out as insecure or insufficient. New products in your environment use new protocols to communicate and new algorithms to protect that communication. On the PKI side, we see new protocols such as EST and extended use of REST APIs, as well as changes in how older protocols are used, such as OCSP with the introduction of OCSP stapling. New algorithms such as ECDSA and RSA-PSS are quickly entering the mainstream. Neither your old PKI nor your old systems were equipped to handle this 5-10 years ago, so a transition, followed by continuous evolution, is needed to keep systems secure.

Audit requirements become stricter 

If you are in a larger enterprise or in a regulated industry, chances are high that you will be affected, one way or another, by audit standards like WebTrust or eIDAS, or by industry-specific requirements such as those of the CAB Forum. In addition to these, there are other domain-specific requirements, such as Certificate Transparency for web server certificates, and cloud, IoT and grid security standards. More regulations are coming.

In response to increased threat awareness, audit standards are also evolving rapidly to keep up, meaning that compliance is not something you can implement once and then rest on. You must keep abreast of new changes in the requirements every year. Recent examples where strict guidelines have changed, and you need to adapt, are the rules for TLS, code signing and digital signature certificates.

Software changes faster 

You may think that you are not affected because you only run an internal PKI in your organization, and that these standards only affect regulated CAs. That can be a dangerous assumption. Much of the software in the ecosystem, such as the web browsers and email clients that your users rely on every day, also changes rapidly in response to new threats and updated requirements. If you don't keep yourself updated, you may find one day that your users cannot connect to your internal systems, or are faced with security warnings, after a simple web browser update.

Be educated and keep security and DevOps together 

Keeping up to date is hard even for seasoned security experts, so how can the normal enterprise stay on top of it? The simplest recommendation is that if you are affected by any of these standards, you should set time aside for a person responsible for compliance to monitor the landscape and plan changes in good time. Changes are usually announced well in advance of going into effect, and with good planning they can be rolled into your normal DevOps routines.

Security today is an integral part of an agile enterprise, and security and operations teams must work closely together, align their goals and plan activities jointly.

Upgrade your PKI systems 

PrimeKey spends a lot of time implementing new standards and features as they emerge, both in EJBCA for the pure PKI and in SignServer for time stamping and digital signature standards. Our aim is that new versions of our solutions, containing the features you need to be compliant, are available in good time. We welcome working with you to understand the new requirements you are discussing.
