PKI - Enterprise Security

What's Driving Enterprise Adoption Of PKI?

Five factors have developed over the last several years which are driving enterprises to consider widely deploying PKI architecture:
  • Weakness of passwords i.e. they are very easy to rip off and/or break
  • Adoption of smart cards
  • Emergence of biometrics
  • Emergence of service orientated architecture
  • Document management intertwined with digital rights management

Weak Passwords

The ease with which passwords can be obtained has already been covered in the Authentication - Password password section of this website.  This is forcing enterprises to rethink their user authentication strategies.

Smart Cards

Smart cards are now widely adopted around the globe.  They carry computer chips on them which enable them to be "smart".  The smart card is a physical token the user carries with them.  The challenge with any token is ensuring that the person presenting the smart card is the same person to whom it was issued to.  The ability to use digital certificates in the card and encrypt things like biometrics and user identity information provides additional validation the user is who they claim to be.


The emergence of biometrics, with some forms becoming lower priced for deployment, has seen a widespread implementation of biometrics.  However, a biometric IS NOT A SECRET.  Therefore, depending on the type of biometric used and the level of risk for which the authentication is to be used for, means that multi-factor authentication is desirable.  The combination of biometrics with smart cards and digital certificates results in much stronger validation of the identity.

SOA (Service Orientated Architecture)

The recent emergence of Service Orientated Architecture or "SOA" (web services) as a way of quickly reducing costs for business to business interactions is driving the need for authentication as well as assuring the information being sent back and forth is secure, confidential and non-reputable are all critical concerns.  The use of digital certificates as part of the web service is critical.

Document Management Services

Finally, document management services are now being integrated with digital rights management.  This means that documents are part of web service and other enterprise business processes and are assigned rights as to who can create, modify, approve and view documents.  Authentication of documents means that stronger methods need to be used than the id and password.  Digital certificates are now being used to help with document authentication as well as provide for document confidentiality and non-repudiation services.

Enterprise Security

Modern enterprise security uses a layered identity approach for users physically accessing a site, facility, building and room as well as for digital access of networks, systems, application and information.  The application of this requires ensuring the authentication of the identity for different levels of identity risk.  PKI plays a role in this.

For example, let's say that Guy is walking into a building.  He may be required to use his security badge to open a door to gain entrance to the building.  As Guy tries to access a computer in the building he may be asked for his username and password, then be required to swipe his security badge into a reader.  The security badge is a smart card that likely contains a digital certificate issued to Guy by the enterprise.

Meanwhile, the enterprise's inventory system is being accessed by one of the enterprise's vendor's applications.  The vendor's application will automatically check the inventory level for widgets and determine if it should be shipping more widgets to the enterprise.  The vendor's application is stopped at the firewall entrance to the enterprise.  There the security polices are checked to determine if the application can be allowed in and what the authorization is for the application.  

To meet this requirement, the application automatically provides a digital certificate issued by the enterprise to the vendor.  The certificate is validated and the authentication of the application is approved.  The vendor's application is granted access to the inventory information.  

When the inventory information is extracted and on its way out of the enterprise to the vendor's application, the reverse occurs.  The enterprise's web services policies require the encryption of the data by the use of a enterprise digital certificate.  The information is encrypted and sent out via the internet to the vendor.

Meanwhile, in another part of the enterprise, the Purchasing Manager is being required to approve a large PO for $50 million.  The purchasing manager will digitally sign the document with their digital signature and the enterprise will also digitally sign the document with the enterprise digital signature.  The document will then be encrypted and sent.  

All of the above requires the implementation of a PKI infrastructure to support the identity authentication, document management, legal approval and web service interactions within the enterprise.

Don't Use Only PKI For Authentication

The use of a digital certificate for authentication on it's own is not recommended.  Why?

A digital certificate is issued to the user by the Certificate Authority (CA).  The digital certificate then resides on the user's computer or wireless device.  The presence of the digital certificate does not tie the physical user the certificate was issued to, to the computer.  Therefore, it is possible that someone other than the user, who is using the computer, will be successfully authenticated if only PKI is used for authentication.

Normally, PKI is used in multi-factor authentication.  This reduces the risk that the identity wanting to authenticate themselves is not the real identity.

More Here