Seven best practices for PKI deployments

Posted On

By Prateek Panda

Share


Public key infrastructure (PKI) is the well-established protocol for organizations that need to secure distributed points of communication, such as browsers and IoT and mobile devices. For device manufacturers and application developers, revenue security depends on creating a highly secure ecosystem that ensures regulatory compliance and consumer trust. 

The security needs of networks and the infrastructure protecting them change over time in response to new threats and advances in technology. With tens of billions of IoT devices already in operation, the potential attack vectors for hackers to steal data or infiltrate systems are great and growing exponentially. 

Problems with PKI deployments

Although PKI helps secure these device networks, many organizations have not fully adapted to the gravity of the situation. In a 2020 survey by Ponemon, 74% of respondents said their organization didn’t know what kind of keys and certificates it was using or when they expire. Not surprisingly, mismanaged digital certificates caused unexpected downtime or outages in 73% of these organizations. And while the majority indicated they were attempting to improve protection of IoT devices with additional layers of encryption, 46% categorized their organization’s capacity to maintain IoT identity and cryptographic standards as “low.” 

Seven PKI deployment best practices

To ensure your PKI deployment starts on the best note and maintains the standards required to ensure IoT device security over time, we’ll look at some of the most important PKI deployment best practices to implement.

1. Start with a well-planned and documented design

Many PKI architectural issues, limitations, and security gaps can be headed off by starting with a structured and well-considered implementation plan. Many PKI design aspects cannot be changed after configuration without a complete redeployment so take the time to get them right from the beginning. Make sure you thoroughly understand your current and potential future PKI use cases. Taking a haphazard approach to a PKI system not only leads to vulnerable “creases” and security risks but also increases costs due to teams needing to engage in reactionary security firefighting rather than proactive scaling and implementation.

2. Address the entire key and certificate lifecycle

Define key and certificate security policies and protocols that address every stage of their lifecycle. Establishing a PKI may seem straightforward from the outset, but when one considers the millions of certificates that will possibly be issued, their expirations, and the security issues that would require revocation, it can quickly become very complicated. This in itself becomes a potential security flaw, as the more complex a PKI is, the more difficult it is to track identities and revoke certificates that could be used to breach a system. 

An important PKI deployment best practice is to plan for the entire lifecycle of certificates. By fully mapping the policies regarding the issuing, updating, monitoring, expiry, revocation, and decommissioning of certificates, all future managers of the PKI will have a clear outline of what should happen with certificates at all stages of their existence.

3. Employ strict protections for private keys

The cryptographic keys that are used in the PKI are the most vulnerable point of a PKI deployment and must be protected at all times. Hackers can use a variety of techniques to analyze and detect keys while they are in use or transit. Once in control of these keys, they can decrypt private data or pose as authenticated users to access systems. Use hardware security modules (HSMs) to store keys and perform cryptographic operations.

If you need to provision older devices without a secure update mechanism, which are already in the field, make sure to use white-box cryptography so that keys are not exposed in the clear during the provisioning process.

4. Conduct regular certificate authority audits

Throughout a PKI deployment, regular checks should be performed to ensure that the Certificate Policy and Certificate Practice Statements (CP/CPS) are being implemented and adhered to. Even for internal deployments, it is still a PKI deployment best practice to create audit trails that can be easily accessed and monitored. This ensures compliance with security policies and with the desired assurance level of the organization. 

5. Protect the roots 

The root CA is the master key that underpins the entire PKI. If it is compromised, every certificate issued is invalid and would have to be revoked and reissued. PKI deployment best practices dictate that the root CA remain strictly protected and is never published online. The initiation of a PKI should begin with a root signing ceremony, where the policies surrounding root are established, such as what the chain of custody of the root is, where it is stored, and how it is scripted.  

6. Ensure internal security 

Unfortunately, attacks on PKIs are not just an external issue. The private keys and other data surrounding your PKI can be extremely valuable. For that and other reasons, threats can also come from employees. There are a number of PKI deployment best practices that can be implemented to mitigate internal threats. These include using secured rooms for key and root programming that require two or more security IDs to access, and using a distributed security model that ensures there is no single point of responsibility that can be compromised.

7. Revoke compromised keys and certificates

Issuing certificates and provisioning keys and identities is only one step in running a secure PKI. The ongoing integrity must be maintained. This includes a process for revoking keys and certificates that can no longer be trusted. Certificate authorities should maintain a certificate revocation list, which contains all suspended security certificates. Communications with a device or application using a revoked certificate should be blocked. For example, an IoT device using a certificate that is no longer authorized will not be able to gain access to a server. 

How to implement PKI deployment best practices

Creating a highly secure and trusted ecosystem for your organization’s devices or applications depends on a successful and ongoing PKI implementation. While it’s possible to develop and manage a PKI internally, it requires resources and expertise outside of many organizations’ capabilities and may not scale smoothly as production grows. 

Intertrust’s Seacert is a managed PKI for IoT service that is trusted across the world and already secures the identities of billions of devices. Our scalable and flexible identity provisioning and PKI management utilizes industry-leading security technologies, including white-box cryptography, to ensure that your networks and organizations are secured against risks arising from distributed communication points. 

To find out more about how our managed PKI service can lower risk and secure revenue for device manufacturers and app developers, you can learn more here or talk to our team.

Share

About Prateek Panda

Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s device identity solutions. His expertise in product marketing and product management stem from his experience as the founder of a cybersecurity company with products in the mobile application security space.

Related blog posts

Blog

Nine use cases for IoT data analytics

Read more

Blog

Secure data processing for smart grids and IoT

Read more

Blog

Build or buy your PKI for IoT?

Read more