What CFOs Need to Know: Public Key Infrastructure is a Foundation of Cyber Security
Encryption is one of the key elements of information security, allowing you to protect data and share it only with authorized users. Public key infrastructure, PKI, is how you integrate encryption into your information technology. PKI underlies the encryption that enables secure web pages, digital signatures, and secure access to data, among other uses.
You use PKI every time your web browser establishes an “https” connection or when you use single sign-on to access multiple accounts with just one password.
Two Keys to Support Encryption
Public key encryption is built around pairs of keys. One key is made public and the other is kept private. When someone wants to send you an encrypted message, they use your public key to encrypt it. Your private key can decrypt it, and since you are the only one who knows that private key, the message is secure.
Since your public key is just that, public, anyone can use it to send data to you. To know who is sending the message, it can be digitally signed. The digital signature also uses a pair of keys. The sender creates a signature with their private key; because only their matching public key can verify that signature, you can trust their identity.
PKI requires hardware and software to manage the keys. Digital certificates, issued by a certificate authority (CA), are used for distributing public keys and authenticating the identity of the key’s owner. A certificate store houses the private keys.
Once you’ve got the necessary PKI infrastructure in place, you can use digital certificates as credentials that support secure e-mail, secure web sites, digital signatures, smart card authentication, and other secure applications.
Working with Digital Certificates
Some server applications may come with their own digital certificates; others require certificate installation along with other configuration. You will have to choose a certificate authority to provide certificates. Organizations commonly create a CA hierarchy that includes both external authorities and internal authorities. The internal authority can provide certificates that ensure authentication and integrity over your local network, while third-party certificates support secure external communication. Because you don’t pay for certificates you issue yourself, this is the most cost-effective way to generate certificates. You will need to use a special piece of hardware or software to generate keys and provide the encryption services needed as a certificate authority.
Ongoing Support for PKI
Digital certificates have expiration dates, so ongoing monitoring and management of your certificates is needed to ensure you have valid credentials. If you’re serving as a local certificate authority, you need a process to manage user requests for certificates and to store the generated credentials.
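As an added illustration of the internal certificate authority and the certificate expiry described in the two sections above (example code written for this page, not Prescient Solutions' or any product's code), the Go program below stands up a self-signed internal root, issues a server certificate with it, and shows what a client's verification accepts and rejects. The CA name and host name are constructed; a real CA would keep the root key in the dedicated hardware or software the page mentions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a fresh key pair for tmpl and has signerKey sign the certificate;
// with parent == nil the certificate is self-signed by its own new key (a root CA).
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the private half stays with its owner
	if err != nil { return nil, nil, err }
	if parent == nil { parent, signerKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewRootCA builds the internal trust anchor: clients receive the certificate, the CA keeps the key.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"}, // constructed
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueServerCert is the CA vouching for host for validFor; the server gets the cert plus its own private key.
func IssueServerCert(root *x509.Certificate, caKey *ecdsa.PrivateKey, host string, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validFor),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, caKey)
}

// Verify is the client side: chain to the trusted root, host name match, and validity at time at.
func Verify(root, cert *x509.Certificate, host string, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: at})
	return err
}
```

Verify returns nil for a current certificate on the right host, and an error once the certificate has expired, when the host name differs, or when the client trusts a different root, which is exactly why expiry dates have to be tracked.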
Security is More Than Encryption
While encryption is fundamental to information security, encryption by itself doesn’t provide security. Encryption blocks unauthorized users from reading data, but there are other security challenges to address, such as monitoring how data is used by authorized personnel. Designing an effective security strategy requires a careful assessment of your IT infrastructure to identify all the vulnerabilities that can lead to exposing data, and then leveraging the full set of technology available, including encryption, firewalls, antivirus, data loss prevention software, and other tools, to protect your data.
Prescient Solutions has more than 20 years experience developing and supporting cybersecurity solutions. Contact us to learn how our team of certified experts can help you protect your business’s most valuable data.