Your PKI Implementation—What’s Involved?
Public key infrastructure (PKI) strict implementation management is not optional—it’s necessary. Whether your organization is in the wireless space, implementing a BYOD initiative, or tackling the upgrade to SHA-2, managing a PKI project isn’t a simple process. However, there are a number of best practices your business can employ to ensure a successful implementation.
If you’re planning on building out a PKI using internal resources, make sure you’re aware of the potential hurdles you can face when depending on your staff to get a PKI up and running:
- Appropriate level and availability of internal expertise.
Having available, knowledgeable staff who has the expertise necessary to set up, implement and sustain a PKI on an ongoing basis critical. As recommended by Microsoft, you will need specialists with the ability to:
-Issue and revoke certificates.
-Carry out server administration duties: hardware, applying patches, and backups.
-Publish Certificate Revocation Lists and manage the CA itself.
- Extreme sensitivity to policies and practices.
A PKI cannot be implemented haphazardly. Robust policies and practices must be in place in order to sustain the PKI over the long-term, and ensure trust that it is not, and will not be, compromised.
Best Practices for a Successful Implementation
The biggest hurdle to a strong PKI project is understanding that the entirety of the project, from beginning stages through implementation, has to be prepped appropriately. Beyond that, Michael Thomas, Director of Delivery at CSS, commented that the following best practices are good considerations for initiating implementation:
- A common error organizations make before beginning a PKI project is fully understanding what goes into the design—it may look simple on paper, but the process of architecting a design that fits your business needs and use cases is critical to verify before starting. Know your needs and applicable use cases ahead of time.
- Build out a robust policies and practice statement so that your security team has a baseline to engage against when it comes to making sure the PKI is healthy along its lifecycle.
- The root signing ceremony needs to be planned and accounted for. Chain of custody must be intact from the minute of inception through its entire lifetime. If by chance there is malware installed on a machine, or the security of a root CA is compromised, your PKI is already not trustworthy.
- As you move into steady state, make sure all components are properly operationalized. When a PKI moves into being part of the corporate infrastructure and there’s no longer a project team, making sure proper ongoing maintenance takes place is key.
In-house, or Working with a PKI Partner?
There’s nothing wrong with carrying out a PKI deployment internally, so long as you have the necessary, strong expertise and toolsets required to correctly execute on all aspects of the project. The biggest common pitfalls are a lack of the right expertise and failure to give credence to preparation steps. PKI is complex, but if your security team is substantial and armed with knowledge of all aspects of PKI, it’s a project that can be carried out favorably.
The advantage of working with an external party is having access to industry best practices for dealing with a complex infrastructure, as well as the knowledge and sensitivity of policies to ensure that your PKI isn’t compromised right out-of-the-box. If you’re not confident that you have the right internal specialists, do not attempt a PKI implementation alone.
Don’t Press Go Without the Facts
Whether you deploy internally or work with a reputable provider who can support your PKI project, it has to be done right. Make the best decision for your business based on the resources available to you.