Jun 9, 2020 12:18:28 PM

Your Questions Answered: Scaling PKI Remotely

When it comes to preparing your security for life’s unexpected circumstances—whether it’s a breach, failed audit, or a global pandemic forcing your business to figure out how to scale PKI remotely—some situations may seem easier to prepare for than others. 

But what if we told you, and showed you, the blueprint for how to best prepare for all situations? 

nCipher experts joined our team to discuss how security has changed with a predominantly remote work environment, how and why enterprises are effectively utilizing PKI to secure their business landscape and expected trends in cryptography.

Read the highlights or watch the full 30-minute discussion below: 

 

What are common priorities IT and Security professionals looking to accomplish, and how have those priorities changed with a predominantly remote workforce?

The biggest priority at the top of everyone’s list is to keep everything up and running as seamlessly as possible, with many folks having transitioned to remote work. 

Many face challenges in checking that off their list, as it was already a challenge to find qualified people and resources to manage encryption and PKI before COVID-19.

That challenge paired, with the rise of phishing attacks, has pushed organizations to demand an immediate solution that will allow them to scale their security to cover situations now-remote employees have never faced before.

With more enterprises expressing a sudden and immediate need for skills and resources to check ‘fast and seamless security’ off their priority list, the best and only solution would be one based in the cloud, managed by experts. 

 

nCipher releases two reports with Ponemon every year. What are the highlights from the latest report that highlight struggles and solutions enterprises should be looking for?  

The number one reason people are encrypting is to protect a specific data type. From customer information and IPs to business-critical information, there’s been a wide shift from audit-centric to data-centric in the last five years or so. 

The even bigger struggle that this magnitude of data lives in a multitude of places. This makes things hard to track down and secure, if not monitored correctly.

With mobility and the cloud, important data and information continue to move forward while teams tasked with managing all that information take a step back when trying to track everything down.

On the PKI front, while there’s been an increase in folks using some form automated revocation, there are still a third of companies that have no way to revoke certs. This especially causes a serious risk for short-lived certs.

Compliance is still important, but the need to protect specific data types has crept up into the number one need enterprises are looking for when it comes to a security solution.

 

What have you seen, and what do you do, about the renewal and security of shorter-lived certificates?  

One of the more interesting things we’ve seen comes from IoT vendors who have gotten in the habit of issuing certificates with a 20 year-or-so lifespan with an expectation that they don’t have to ever touch it again.

But, as crypto operates with a significantly faster speed of depreciation and breakability, those vendors who used the, “set it and forget it method,” for their devices have put the devices and the users of those devices at significant risk.

 

What role does code signing play in remote security?

It’s definitely another big piece of the remote security puzzle enterprises are trying to put together.

For high-value collateral, it is absolutely critical to have a piece of code-signed from a validated source to ensure it can be trusted and doesn’t fall into the wrong hands. 

From a development standpoint, it’s very hard to have practices in place to protect that code signing certificate while making sure developers can access it, build, sign and code, creating a need for balance between security and workflow.

Unfortunately, in many organizations, security is the one that gets the short end of the stick.

 

What is the real business case for the use of PKI versus just “Secure at Desk?”

PKI is used to underpin so many of the core access technologies. People are using it for their email, VPN, website certificates, and user authentication. It is such an integral part of so many things, yet it doesn’t always get the attention it deserves.

Having a robust PKI isn't just about holding up one or two applications anymore. It’s about holding up 8,9 10, 11+ applications, and it needs to be treated as such. It needs to be treated as a business-critical asset.

 

CLICK HERE TO VIEW OUR EBOOK ABOUT THE NEW PKI BEST PRACTICES

hero-3