The Role of PKI and Credential Management in Modern Authentication

While we enjoy the business opportunities, productivity gains and user conveniences of our data-driven economy, we certainly do not enjoy the cost and devastation of having accounts hacked, clients’ data stolen or employees’ identities misused.

In the quest for data integrity and secure credential management, public-key infrastructure (PKI) has long proven its effectiveness as a key technology. Boiled down, PKI comprises the policies, roles and procedures essential to managing the lifecycle of digital certificates and public-key encryption. By binding identities with public key certificates, PKI sits at the core of IT security, especially for Wi-Fi authentication, web application authentication, email security, domain logon and VPN. PKI enables encryption, confidentiality and non-repudiation through trusted digital document signing.

The Drivers and Challenges of PKI for Credential Management

You're probably thinking at this point, "But isn't PKI that old technology that is difficult to deploy and maintain?" Well, yes and no. Yes, PKI is a stable and mature technology and is in wide use today providing identity assurance, secure transactions and non-repudiation across billions of people, places and things connected to the internet. And no, thanks to integrated solutions and modern credential management tools, PKI can be surprisingly easy to manage. In fact, because of its high assurance and seamless administration, more and more organizations are turning to this technology. The global PKI market is predicted to grow at a CAGR of 22.7% from 2017 to 2023, reaching $1.99 billion by the end of 2023.

The exponential rise of complex cloud apps requiring strong authorization is one major catalyst. A second is the explosion of Internet of Things (IoT) devices, many with poorly enforced security standards. Last but not least is the regulatory environment. Healthcare (HIPAA), US Department of Defense (DFARS, the Defense Federal Acquisition Regulation Supplement), Payment Services Directive 2 (PSD2), General Data Protection Regulation (GDPR) and Financial Industry Regulatory Authority (FINRA) guidelines all require proof that every user and device is protected by public and private keys that encrypt and verify data.

There is a recognized need to manage PKI across a range of use cases. For example, organizations need to renew or revoke existing certificates, protecting users’ PKI credentials in authenticators like smart cards, smart USB keys and mobile devices. Across industries, enterprise-level organizations are deploying PKI and innovative credential management systems (CMS), along with new servers, new specialized equipment (such as hardware security modules), new licenses for databases, a certificate authority and more, gaining security, scalability and reduced operational costs. However, deployments have been mostly unfeasible for SMBs. For example, it would be prohibitive for a small medical billing service with 50 users to encrypt a hard drive with PKI.

The challenges to on-premises PKI deployment are not insignificant. PKI adds load on the network and requires significant IT resources as well as a considerable investment in infrastructure, including a hardware security module (HSM) and certificate authority (CA) software. Also needed are sufficient IT resources, skills and training. There is also a potential skills gap. While the expertise may be in place to set up this complex architecture, the burden of ongoing administration, fine-tuning and best-practices management among the IT staff can be significant. Without these elements, organizations face the risks of performance issues or a catastrophic event caused by improper issuance or misuse of certificates.

Access to Credential Management Services in the Cloud

Cloud-based credential management solutions, like other SaaS and Platform as a Service (PaaS) technologies, are ideal for non-enterprise companies seeking robust solutions. One such service is the HID Credential Management Service, which simplifies issuing and managing high assurance authenticators such as smart cards, smart USB tokens and mobile smart cards. Here are a few benefits:

  • Easy deployment in just a few hours with no need to purchase extra equipment or licenses
  • Lower costs and capital expenditures with flexible subscription licenses
  • Easy integration with an Active Directory Federation Services (ADFS) user repository, leveraging the Security Assertion Markup Language (SAML) protocol
  • Trusted PKI with IdenTrust certificates for authentication, digital signatures, and encryption
  • Higher security with password-free management and risk-based authentication
  • Flexible authenticator choices with mix-and-match options for physical or virtual authenticators
  • Zero Trust security with verification required from everyone trying to access the network
  • Wide range of services with secure access to desktops (like Windows and Mac workstations), networks, VPNs and applications, email, document signatures and document encryption

While not the only tools in a complete advanced authentication solution, PKI and innovative CMS solutions offer high assurance security in the use cases that demand it. And now any company, regardless of size, can access these services on the Cloud through HID Global.

Find out more about how your company can achieve the right level of assurance in a flexible, as-a-service model. Check out our solutions.

John MacInnis, CISSP, is a Product Marketing Manager for Identity and Access Management (IAM) Solutions. A former SW engineer, he has a background in cybersecurity and has held product marketing, product management and technical marketing positions at Philips Healthcare, Cisco, Intel and Phoenix Technologies.