Demystifying PKI - Perspectives from ActivIdentity

charget's picture

In the early days of the Internet...

...Public Key Infrastructure (PKI) was touted as the most secure way to authenticate users, devices, and documents. Excitement built, IT decisions makers began to investigate, and many articles were written. Then, quite suddenly, there was a large media backlash against PKI. It was a sledge hammer used to kill a fly. It was arbitrarily complex and required labor-intensive key ceremonies with other organizations to deliver some features such as encrypted or digitally-signed email. It was overly complex for mere mortal IT professionals, and surely there were simpler methods of authentication such as OTP that enterprises could use. PKI became almost an IT boogie man.

Then a funny thing happened. Two things, actually. First, PKI was adopted by governments and powerful credential management software (CMS) was created to automate much of the credential issuance, update and revocation process. Ecosystem vendors such as Microsoft, Juniper, and Cisco built PKI support into their offerings. CMS software eventually made its way into appliances that could provide a much simpler "sweet spot" PKI solution for "closed-loop" PKI (Issuer and Authenticator are part of the same organization hence greatly reducing the number of parts in the system). Second, security threats began to attack aspects of the most common OTP (e.g., the RSA breach and subsequent Lockheed Martin attack), causing enterprises to wonder what better authentication methods are out there.

Today, PKI is getting a second look. Many people still have a knee-jerk suspicion that PKI was designed to make them feel stupid, but modern closed-loop PKI managed by an appliance does just the opposite. New CMS appliances make it so IT doesn't even have to understand PKI to deploy a military-grade smart card solution.

In retrospect, as an Internet Meme, PKI suffered from hype before the tools were in place to manage it, and from security experts getting over excited and describing the ultimate PKI solution possible, even though few Enterprise users needed some of the more esoteric, complex and labor-intensive features. When PKI vendors got carried away educating users about every possible use case, they turned potential users off of the most high-value, low-cost use cases. If I were to tell you I could give you a device that you just plugged into your PC, it worked like an ATM card and gave you secure access to PCs, networks, cloud applications, and VPNs, you would probably think, "Hey that sounds easier for users than clunky OTP tokens, how do I get that?." This is not your father's PKI.