Demystify PKI - ActivIdentity Blog

ActivIdentity Blog

« Back to Blog Homepage

Demystify PKI - ActivIdentity Blog

Jul 5, 2011 10:51am by Chris Harget | 0 Comment
Bookmark and Share
In the early days of the Internet, Public Key Infrastructure (PKI) was touted as the most secure way to authenticate users, devices, and documents. Excitement built, IT decisions makers began to investigate, and many articles were written. Then, quite suddenly, there was a large media backlash against PKI. It was a sledge hammer used to kill a fly. It was arbitrarily complex and required labor-intensive key ceremonies with other organizations to deliver some features such as encrypted or digitally-signed email. It was overly complex for mere mortal IT professionals, and surely there were simpler methods of authentication such as OTP that enterprises could use. PKI became almost an IT boogie man.

Then a funny thing happened. Two, actually. First, PKI was adopted by governments and powerful credential management software (CMS) was created to automate much of the credential issuance, update and revocation process. Ecosystem vendors such as Microsoft, Juniper, and Cisco built PKI support into their offerings. CMS software eventually made its way into appliances that could provide a much simpler “sweet spot” PKI solution for “closed-loop” PKI (Issuer and Authenticator are part of the same organization hence greatly reducing the number of parts in the system). Second, security threats began to attack aspects of the most common OTP (e.g., the industry breaches and subsequent Lockheed Martin attack), causing enterprises to wonder what better authentication methods are out there.

Today, PKI is getting a second look. Many people still have a knee-jerk suspicion that PKI was designed to make them feel stupid, but modern closed-loop PKI managed by an appliance does just the opposite. New CMS appliances make it so IT doesn’t even have to understand PKI to deploy a military-grade smart card solution.

In retrospect, as an Internet Meme, PKI suffered from hype before the tools were in place to manage it, and from security experts getting over excited and describing the ultimate PKI solution possible, even though few Enterprise users needed some of the more esoteric, complex and labor-intensive features. When PKI vendors got carried away educating users about every possible use case, they turned potential users off of the most high-value, low-cost use cases. If I were to tell you I could give you a device that you just plugged into your PC, it worked like an ATM card and gave you secure access to PCs, networks, cloud applications, and VPNs, you would probably think, “Hey that sounds easier for users than clunky OTP tokens, how do I get that?.” This is not your father’s PKI.
Tags: PKI    OTP    Authentication    Advanced Persistent Threats

Post a Comment

All fields are required.

Name
Email
CAPTCHA Image
Please enter the text in the image above*

Legal Disclaimer
Some of the individuals posting to this blog website work for ActivIdentity Corporation ("ActivIdentity"). Opinions expressed in the blog postings and in any corresponding comments are the personal opinions of the original authors, not of ActivIdentity. The blog postings are provided for informational purposes only and are not meant to be an endorsement or representation by ActivIdentity or any other party. This blog website is available to the public. ActivIdentity moderates the comments and comments will not be posted until they are approved by the moderator. ActivIdentity does not guarantee that your comments will be posted to this blog website and ActivIdentity may refuse to post any comments in its sole discretion. No information you consider confidential should be posted to this blog website. By posting comments, you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to this blog website. You release ActivIdentity from any liability related to your use of this blog website and the content on this blog website. Your use of this blog website is also subject to the terms and conditions of the ActivIdentity Legal Notice available at http://www.actividentity.com/legal/ (the "Legal Notice"). The blog postings are "materials" and any comments that you post to this blog website are "feedback," each as defined in the Legal Notice.
Bookmark and Share
Alltop, all the top stories
 Subscribe to our RSS Feed

Search Blog

Category

Identity & Access Management

Recent Posts

Apr 10, 2012: Preventing Scalable MitB Attacks - ActivIdentity Blog
Mar 9, 2012: Charges Brought Against Anonymous Hackers and Top Risks of Mobile Banking – Industry News Wrap-Up – ActivIdentity Blog
Feb 24, 2012: Identity Fraud via Mobile Devices and Cybersecurity Legislation Concerns – Industry News Wrap-Up – ActivIdentity Blog
Feb 24, 2012: Risk-based Authentication – ActivIdentity Blog
Feb 17, 2012: Android Malware & Bipartisan Cyber Security Bill – Industry News Wrap-Up – ActivIdentity Blog
Feb 13, 2012: Mobile Banking vs. Online Banking – Industry News Wrap-Up – ActivIdentity Blog
Feb 6, 2012: Explaining OCSP through the DigiNotar Attack – ActivIdentity Blog
Feb 3, 2012: Top 10 Security Threats of 2012 – Industry News Wrap-Up – ActivIdentity Blog
Dec 19, 2011: Mobile Security & Identity Theft – Industry News Wrap Up - ActivIdentity Blog
Dec 9, 2011: 2011 Cyber Attacks – Security Industry News Wrap-up – ActivIdentity Blog

Recent Comments

Evelin: Yes beuscae it's a Yes beuscae it's a Security...
jaffa: Great thing.
Interior Savings Online Banking: Internal financial savings on the web consumer...
john : You are we need to try more tactics to protect...
Murugesan: It differ from bank to bank, meergr to meergr. For...

Blogroll

The Forrester Blog For Security & Risk Professionals
Computer Weekly: David Lacey's IT Security Blog
Infosecurity Magazine: Security Viewpoint
Pro Security Zone: Editor's Blog
IT Pro
Adventures in Security
ha.ckers.org
Information Security: Security Bytes
Krebs on Security
SC: Data Breach Blog
Schneier on Security
Securosis
GovInfoSecurity.com: The Security Scrutinizer
GCN Tech Blog
Cybersecurity
Gartner Blog Network
Cnet: Insecurity Complex
Computerworld: Security Impact Blog
Computerworld: Security is Sexy
eWeek Security Watch
InformationWeek Security Weblog
Network World: Security Strategies Alert
ZDNet.com: Zero Day
Bank Info Security: Industry Insights
Bank Technology News
CRN Community: Hot Topics
Threatpost: Digital Underground