Public Key Infrastructure

This paper regards an information security officers responsibilities within the implementation of a public key infrastructure (PKI). Presently, the organization uses a Microsoft Server 2008 Active Directory domain which is managed by few overloaded network administrators. The rest of the e

This paper regards an information security officers responsibilities within the implementation of a public key infrastructure (PKI). Presently, the organization uses a Microsoft Server 2008 Active Directory domain which is managed by few overloaded network administrators. The rest of the employees in the organization are software developers and some administrative personnel. The organization decides to employ a public key infrastructure (PKI) in order to create a framework that would result in nonrepudiation, authentication, integrity, and confidentiality. Domain controllers, virtual private network products, email clients, and web server components make use of digital certificates that are provided by the certificate authority (CA). Moreover, the organization develops software that is signed by digital certificates in order to guarantee software authenticity to clients. This paper also explains how the company applies cryptography in maintaining information security.

Public Key Infrastructure

A Public Key Infrastructure (PKI) is a framework for enabling cryptographic services integration. It ensures integrity, confidentiality, and accessibility of data for authorized users. Also, it guarantees authentication and nonrepudiation of data. A PKI manages digital certificates, which consist of two types of keys. These types are public and private ones. The keys are necessary for the users authentication and encryption of data (Preneel, 2012). There are different functional parts of a PKI.

A company with top-level information security uses all PKI functional parts. These are certification authority and digital certificates, certificate publication point and revocation list, as well as management tools and applications. The certification authority (CA) issues and manages certificates. The CA generates a key for a user. This ensures trustworthy and easy key management. A receiver decrypts data with a private key. Digital certificates serve for the authenticity verification of an individual, a system, or an organization. Furthermore, a PKI provides functionality for the secure exchange of public keys. Email clients, virtual private network products, web server components, and domain controllers utilize digital certificates, which are issued by the CA. Digital certificates guarantee the authenticity of an organizations software for the customer.

An organization has to choose the type of the CA. The options are either a public or a private CA (Srinivasan, 2008). Local registration authority replaces an internal CA. This handles the enrolment, authentication, and generation of key-pair for the outsourced CA component. The external CA gets a certificate request, issues, distributes, and stores the certificates. The in-house approach ensures the most secure control level. On the other hand, the software licenses, maintenance, and support are expensive. In case a company's employees can provide qualified maintenance and support, it becomes efficient to use the in-house approach. Another positive feature of the in-house approach is that a company gets control over sensitive data security. This sensitive data is financial and personal information and login and password details. If a PKI is implemented in order to ensure the security of the organizations internal data, there is no necessity for the in-house approach. All internal data is controlled by the information security officer based on the deployed PKI solution.

When it comes to the outsourcing approach, information security of a company's data is set by an outside organization with standardized maintenance and support services.

In general, an in-house CA anticipates (Walder, 2013):

� the maximum level of information security controland simplified certification authority

� expensiveness of software licenses and infrastructure maintenance

� the risk of breaching the certificate practices statement is low

� a company's online image is under control.

An outsourced CA anticipates that (Walder, 2013):

� the supplier has to be continuously and adequately insured

� the supplier must state clearly the liability of services

� the provided model may not be modified in accordance with the company's growing needs

� a company's online image and integrity are not under direct control.

It is very important to identify all risks which appear while choosing between the public or private CA. Information security officers have to evaluate the pros and cons of the decision in order to eliminate risks. Information security officers have to be sure that internal servers of a company are physically secure; they should know how to control the CA from the internal security side and what the budget for the PKI deployment and CA maintenance is. After that, informational security officers have to review the advantages of the private and public CA and make the choice.

Due to the fact that presently the organization use a Microsoft Server 2008 Active Directory domain managed by few network administrators, an information security officer chooses the public CA. A good reason for this choice is that the CA support and maintenance by an outsourced supplier can ensure a timely reaction to information security threats and risks, in case the network administrator has some urgent tasks to fulfill and cannot help to solve the security issues. The public CA ensures that internal information security processes are properly managed. An organization is able to use digital certificates to email clients, for virtual private network products, domain controllers, and web server components.

Cryptography is necessary in maintaining information security. Taking into account that cryptography is used to design efficient encryption methods, an organization has to set the process of encryption to protect data, messages, and information workflow and exchange. As an information security tool, encryption is used in order to send sensitive or confidential electronic data to another system or location.

Encryption is needed to keep information confidential.It protects an organizations data from all electronic sources and devices. The purpose of information encryption is to keep data safe until the moment when an authorized user is ready to decrypt it to view, read or modify. Encryption secures passwords, private information, documents, and financial transactions success. For example, an organization can use encryption for web browsers, emails, and the operating system protection. Encrypted data cannot be modified; therefore, it saves a lot of effort to people who use protected data for further analysis or exchange. Vulnerabilities and threats create the risk of a negative event or accident in an organization. Therefore, it is necessary to prevent these accidents and eliminate the risks immediately. An information security officer is responsible for the implementation of the security policy which describes all risk mitigation actions for an organization in detail.

Check on theplagiarism.

53 Lượt xem