For decades, the cornerstone of IT security has been Public Key Infrastructure, or PKI, a system that allows you to encrypt and sign data, issuing digital certificates that authenticate the identity of users.
If that sounds too complicated to grasp, take a look at the web address of the Avast Blog site: https://blog.avast.com/. See how it begins with HTTPS? The S in HTTPS stands for “secure.” Your web browser checked the security certificate for https://blog.avast.com/ and verified it was issued by a legitimate certificate authority. That’s PKI in action.
As privacy comes into sharp focus as a priority and challenge for cybersecurity, it’s important to understand this fundamental underlying standard.
Because it functions at the infrastructure level, PKI is not as well known as it should be by senior corporate management, much less the public. However, you can be sure cybercriminals grasp the nuances about PKI, as they’ve continued to exploit them to invade privacy and steal data.
Here’s the bottom line: PKI is the best we’ve got. As digital transformation accelerates, business leaders and even individual consumers are going to have to familiarize themselves with PKI and proactively participate in preserving it. The good news is that the global cybersecurity community understands how crucial it has become to not just preserve, but also reinforce, PKI. Google, thus far, is leading the way.
Here are the fundamental things all companies and informed consumers should know about the ongoing efforts to shore up PKI – for the long haul.
PKI revolves around the creation, distribution and management of digital certificates. For websites, it does this by distributing digital certificates – electronic documents – which are issued by companies known as certificate authorities, or CAs. The role of the CAs is to diligently verify the authenticity of websites, and then help the website owners encrypt the information that consumers type into their web page forms.
Two different cryptographic keys – a public key and a private key – get issued. The public key is available to any user that connects with the certified website. The private key is a unique key generated when a connection is made, and it is kept secret. The user makes use of the public key to encrypt and decrypt information exchanges with the website, while the web server uses a private key. This protects the data from being stolen or tampered with.
Thus PKI serves two crucial functions: It’s a way to authenticate identities during the data transfer process, and also to keep data encrypted as it moves between endpoints.
PKI started out as a tool primarily used to validate the authenticity of websites and protect data, especially during online financial transactions. Going forward, there is a strong consensus that PKI clearly needs to be applied to every type of digital identity, whether it be for a human connecting to a website, a machine to another machine, or an application to another application. That’s a lofty goal, but it is also believed to be a way to reduce malicious activity.
“Certificates and keys assure the validity of any given digital identity; think of it like the lock on your front door, plus a way to know who’s at the door, and why they’re at the door,” observes Chris Hickman, chief security officer at Keyfactor, a supplier of digital identity security systems. “PKI is one of the few truly battle-tested and time-tested security mechanisms in the industry.”
PKI requires proactive care and feeding, even more than other security systems. It’s a big undertaking for any organization. The number of certificates in use continues mushrooming as organizations increase their reliance on cloud services and third-party suppliers. Not only that, certificates expire – some as often as on an annual basis.
Yet manual renewing remains a widespread and inconsistent practice. A Keyfactor-sponsored survey of 596 IT professionals polled by the Ponemon Institute, for instance, found 74% of respondents reporting instances of digital certificate issues causing unanticipated downtime and outages. And some 73% of those polled said they were aware that failing to secure keys and certificates eroded the trust in their organization.
Not surprisingly, threat actors have pounced. There has been a steady rise of attacks over the past few years involving spoofed or stolen digital certificates, says Anand Kashyap, co-founder and chief technology officer of Fortanix, a Silicon Valley supplier of advanced encryption systems.
Some threat actors don’t even need spoofed or stolen certificates to game the system, Kashyap told me. Instead, they lay patiently in wait for companies pushing ahead with the deployment of new applications comprised of software microservices. A common practice is to run such apps through load-balancing servers, during which time the PKI protections are temporarily switched off. And that’s when the threat actors act.
“As companies get accustomed to this happening, it makes it easier for attackers to take advantage of the situation to steal private keys and launch a man-in-the-middle attack,” Kashyap says. “Such man-in-the-middle attacks have been on the rise, as they are relatively easy to pull off.”
Threat actors are also on the lookout for expired certificates, something companies routinely overlook. It was through a single expired certificate, for instance, that hackers were able to gain a foothold inside the firewalls of credit-monitoring bureau Equifax – and go undetected for months as they pilfered 143 million customer records. “Two years on and Equifax is still paying millions in damages and spending billions more investing in security tools,” says Hickman.
So where can an organization begin to get a grip on PKI issues? One good place to start is to study what Google has been doing for the past several years on the PKI front. The search giant has been at the forefront of developing consensus around PKI best practices, and it has also been a major participant in a wave of innovation to reinforce PKI.
For instance, over the past few years, Google has steadily intensified penalties for websites that fail to use HTTPS – by flagging them as untrustworthy. Cloudflare, DigiCert and a number of other tech companies coordinated the delivery of support services to make it easy and inexpensive for website publishers to embrace HTTPS. The result is the percentage of websites using PKI has climbed above 55%, up from 42% a year ago.
Last month Google announced something called Google External Key Management Service, a new way for companies to more directly control cryptographic keys generated as part of the expanding cloud services they’ve come to rely on. Fortanix is supplying the advanced encryption technology underpinning Google’s new service.
And companies like Keyfactor, Venafi, Cyberreason, CyberArk and Duo, a subsidiary of Cisco, among many others, are developing new technologies to equip companies to more efficiently implement and manage PKI and systems tied to PKI.
“The amount of digital certificates and corresponding private keys that companies must manage has exploded in recent years,” Kashyap says. “There is a push towards microservices, and the need to encrypt everything at rest or in motion. Every service, user or device which communicates on a company network needs a digital certificate. Managing these keys and certificates at scale, in a secure way, has become of acute importance in the current environment.”
Addressing PKI exposures is just one of many material security challenges companies face – but it may just be the top priority. PKI is so deeply interwoven in the emerging hybrid networks that starting with a clean slate is going to be crucial for many organizations.
PKI also directly affects every one of us. Consumers should be wary of PKI-fueled risks they face online today – and take steps to avoid them. Compromised certificates pose an insidious risk of fraud and data theft.
Social engineering to support malicious activity will only get more sophisticated, which means reducing one’s digital footprint and resisting the urge to click on something on impulse remain more important than ever.
A shared burden
In a perfect world the software developer, the device manufacturer and the digital service provider would share the burden of keeping end users safe. Yet the reality is that many corporations focus on scaling operations profitably first, avoiding legal and regulatory pitfalls second, and keep consumer trust as a distant also-ran. This explains why even well-defended enterprises like Capital One, Marriott and Equifax continue to sustain catastrophic breaches.
That means a good chunk of the security burden will remain with the individual for the foreseeable future. “Consumers can check for visual cues and avoid going to sites which don’t have a proper certificate or have an expired one,” Kashyap says. “They need to be extremely careful about checking the authenticity of a site when providing personal information, passwords or payment information.” The most obvious visible cue would be verifying that a site’s web address begins HTTPS.
PKI, while imperfect, is destined to remain a core part of the privacy and security infrastructure that makes digital commerce viable. It will be vital for the corporate sector to make great strides in reinforcing PKI to withstand the privacy and security exposures to come. I’ll keep watch.