Health checks are critical to maintaining Public Key Infrastructures (PKI) and a strong overall security posture, but they’re overlooked too often.
Public Key Infrastructure (PKI) is Not a “Set and Forget” Scenario
It’s common knowledge among security experts that a strong PKI is a critical aspect of cybersecurity programs. Many security organizations tend to put a great deal of resources toward planning and implementation, but neglect its care and feeding, which is just as detrimental as improperly setting up a PKI.
Public key infrastructure is not a “set and forget” kind of security tool. It may be tempting to leave it alone once it’s up and running, but this is a grave mistake—continual monitoring and management are critical to ensuring the highest possible levels of security.
Beyond achieving steady state operations of a company PKI, verifying that all of its components are properly operationalized is critical. When a PKI becomes part of a corporate infrastructure and there’s no longer a project team, making sure care and feeding takes place is key—otherwise, there are many dangerous tripping points for security teams who were focused on simply implementing the PKI, but not its ongoing operations. This is where the importance of regular PKI health checks comes in.
When Should You Perform a PKI Health Check?
If your CA(s) haven’t been reviewed in more than one year (or at all), this is a good indication that your business is due. Most certificate policies (CPs) will stipulate that the compliance of a CA should be verified through audit on a periodic basis, not to exceed one year (two at the very most).
What Does a PKI Health Check Involve?
First, determine whether you’re able to perform your PKI health check internally. You’ll need expert staff who has the specific PKI expertise necessary to sustain a PKI on an ongoing basis. As recommended by Microsoft, your security team will need specialists with the ability to:
- Issue and revoke certificates.
- Carry out server administration duties: hardware, applying patches, and backups.
- Publish Certificate Revocation Lists and manage the CA itself.
Unfortunately, the field of experts with adequate knowledge for maintaining the health of a PKI is limited. If you don’t already have internal PKI expertise, you may want to consider reaching out to a cybersecurity partner for help.
Whether you choose to tackle your PKI health check internally or through a partner, the process should include a complete architecture and security model review of your PKI. Each of the following steps are critical in determining the health level and potential concerns of your infrastructure:
- Complete review of the initial PKI implementation
- Scalability assessment of existing PKI against future needs of the business units
- Recommendations for an appropriate design and methodology
- Proper implementation of necessary changes, leading to ongoing reliable, secure authentication
Do not overlook any aspect of your PKI:
- Architecture
- System Configuration
- Security Model
- Policy Review
- Enrollment Models
- Revocation
- Audit
- Disaster Recovery and Business Continuity
- Current State Recommendations
- Future State Recommendations
How Will a Health Check Benefit Business?
Beyond ensuring a strong overall organizational security posture, PKI health checks review your infrastructure for many signs of effectiveness. Ultimately, this allows your security team to trust in continuous high availability and fault tolerance, as well as agility as business expands. Further, properly conducted health checks will verify secure certificate issuance and revocation policies and strong cryptographic processes.
- Reduced risk
- Reduced cost
- Increased uptime
- Compliance
- Reduced attack vectors
- Predictable operational cycles
Satisfactory Level of Assurance from Day 1
The goal of a well-managed PKI is to maintain assurance from implementation to the natural end of the infrastructure, with its components operating in a consistent manner that allows for proper reporting, compliance, and audit standards at every juncture. Regular PKI health checks are a critical component of achieving this objective.
CSS can assist you with determining whether your business is due for a PKI health check and successfully executing regular operations. Ensuring that your organization is empowered to manage a secure, healthy PKI is our mission.
If your security team is interested in learning more about PKI health checks, or exploring working with CSS to review your PKI, our experts are here to answer your questions. Contact us to talk about your PKI needs.
