PKI provides a flexible and scalable identity-first security solution that aligns with zero trust and secures a wide variety of enterprise use cases.
Public key infrastructure (PKI) is a powerful security solution for implementing identity-first security and a zero trust approach. PKI uses digital certificates and their associated cryptographic key pairs to establish identities for resources on a network and authenticate them for secure access. During a connection handshake, the private key corresponding to a certificate proves that the presenting party is the certificate's subject, and the handshake then derives the session keys that encrypt the channel. That combination of authentication and encryption establishes trusted network access and protects data in transit.
Even though PKI is not a new security strategy, many organizations still struggle to understand its potential to avert security breaches. Frequently, PKI is used only to secure internet-facing websites and applications. However, increased concern regarding organizational risk in today’s global cybersecurity landscape is driving organizations to see PKI in a new light and leverage it for more use cases.
PKI technology is used to securely enable and support a broad range of capabilities required for modern infrastructure and applications. Common use cases include:
PKI is the basis for the digital certificates used by transport layer security (TLS) and its deprecated predecessor, secure sockets layer (SSL), the protocols that underpin HTTPS connections in web browsers. A server's certificate and private key let the client authenticate the server and negotiate the keys that encrypt the HTTPS session. Without TLS and the PKI certificates it relies on, threat actors could more easily intercept traffic on the internet and other IP networks and read its contents, including payment card industry (PCI) data and personally identifiable information (PII).
PKI also underpins secure shell (SSH) authentication. SSH keys are asymmetric key pairs rather than X.509 certificates; OpenSSH has its own certificate format, and an SSH certificate authority can sign user and host keys so that servers trust short-lived SSH certificates instead of a sprawl of individually authorized public keys. SSH is widely used in cloud services, network environments, file transfer tools, and configuration management tools to authenticate identity and safeguard those services from unintended use or malicious attacks. Centrally issued SSH certificates can be tied to an organization's single sign-on (SSO) identity, which is what makes identity and access management for SSH workable at scale.
Modern security teams require the ability to establish and authenticate identities enterprise-wide regardless of whether those identities belong to humans, devices, data, or applications. Passwords offer a measure of security, but they are not as effective as they once were because bad actors have become increasingly capable at:
Compounding these issues is the human factor: people habitually reuse, share, and forget passwords for any number of reasons, including password overload due to the sheer number of systems they need to access.
An efficient passwordless authentication solution, using PKI certificates whose private keys are held on hardware tokens, can help ensure that only legitimate users and employees gain access to sensitive information and corporate resources. In certificate-based authentication, the client presents its X.509 certificate, which binds a public key to an identity and is signed either by a trusted certificate authority (CA) or by itself (self-signed), and proves possession of the matching private key by signing a challenge from the server. The server accepts the identity only if it can chain the certificate to a CA it trusts, the certificate is within its validity period and not revoked, and the challenge signature verifies. Certificates issued by a CA can also be used to secure user interactions on websites and endpoints.
ACME (automated certificate management environment) is a protocol for automating the lifecycle management of certificates issued by a CA to clients such as company servers, devices, and more. Expanded use of certificates, including TLS, to secure applications, services, and databases increases the burden and operational risk associated with manual certificate management. The ACME protocol solves many of these risks by enabling security and platform teams to:
The primary rationale for DevOps teams to adopt ACME is the simplification and automation it provides to manage the complexities of modern certificate management. IT teams rely on ACME to help manage their certificate needs because:
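One concrete step of the ACME protocol, as an added example that is not part of the original page or of any HashiCorp product: the client proves control of a domain by publishing a "key authorization" derived from the CA-issued challenge token and the JWK thumbprint of its account key (RFC 8555 sections 8.1 and 8.4, thumbprint per RFC 7638). Both sides compute the same value: the client serves it at `/.well-known/acme-challenge/<token>` (http-01) or publishes its hash in a TXT record (dns-01), and the CA recomputes it from the account key on file. The account key, the function names, and the sample token below are constructed for the example; a real token comes from the CA's challenge object.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// b64 is the unpadded base64url encoding that ACME and JWK use throughout.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// canonicalP256JWK builds the RFC 7638 thumbprint input for a P-256 key: only
// the required members (crv, kty, x, y), in lexicographic order, no whitespace.
// x and y are the raw 32-byte big-endian coordinates.
func canonicalP256JWK(x, y []byte) string {
	return fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, b64(x), b64(y))
}

// jwkThumbprint returns base64url(SHA-256(canonical JWK)) for an ECDSA P-256
// account key. Coordinates are left-padded to the 32-byte field size, which
// matters: a leading zero byte must not change the thumbprint.
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	x := make([]byte, 32)
	y := make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	sum := sha256.Sum256([]byte(canonicalP256JWK(x, y)))
	return b64(sum[:])
}

// keyAuthorization is the body the client serves for http-01 at
// http://<domain>/.well-known/acme-challenge/<token> (RFC 8555 s8.1).
func keyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// dns01TXTValue is the TXT record value for dns-01 (RFC 8555 s8.4):
// base64url(SHA-256(key authorization)).
func dns01TXTValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64(sum[:])
}

// validateHTTP01 is the CA-side check: recompute the expected key
// authorization from the account key on file and compare with what the
// client actually served.
func validateHTTP01(token, served string, accountPub *ecdsa.PublicKey) bool {
	return served == keyAuthorization(token, jwkThumbprint(accountPub))
}

func main() {
	accountKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample token; a real one is issued by the CA in the challenge.
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	keyAuth := keyAuthorization(token, jwkThumbprint(&accountKey.PublicKey))
	fmt.Println("http-01 response body:", keyAuth)
	fmt.Println("dns-01 TXT value:     ", dns01TXTValue(keyAuth))
	fmt.Println("CA accepts:           ", validateHTTP01(token, keyAuth, &accountKey.PublicKey))
}
```

The thumbprint is stable for the life of the account key, so an automated client can renew certificates indefinitely without any human handling a secret; the only thing that changes per challenge is the token.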
Based on PKI technology, code signing is the process of digitally signing executable files and scripts using a signing tool and a digital certificate. A valid signature lets anyone who receives the file confirm who published it and that it has not been modified since it was signed, which protects your company, partners, and end users from software tampering when downloading executable program files, especially ones from unsecured channels like the open internet.
There are two main reasons to digitally sign code:
Best practices associated with code signing include:
Digitally signing code brings two additional benefits:
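What the signing and verification steps actually do, as an added example that is not part of the original page or of any HashiCorp tool: the publisher hashes the artifact and signs the digest with a private key that never leaves their side; the consumer recomputes the digest of whatever they downloaded and verifies the detached signature with the publisher's public key, which in a real deployment is carried in a code-signing certificate chained to a CA (chain validation is not shown here). The Ed25519 key pair, the function names, and the sample script below are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signArtifact hashes the artifact and signs the digest, the way code-signing
// tools sign a hash of the file rather than feeding the whole binary to the
// signature primitive. Only the publisher holds priv.
func signArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// verifyArtifact is the consumer-side check: recompute the digest of what was
// actually downloaded and verify the detached signature against the
// publisher's public key. Any change to the bytes, the key, or the signature
// makes it return false.
func verifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// tamper returns a copy of the artifact with one byte flipped, standing in for
// a download modified in transit over an untrusted channel.
func tamper(artifact []byte, at int) []byte {
	out := append([]byte(nil), artifact...)
	out[at] ^= 0x01
	return out
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("#!/bin/sh\necho deploy\n") // constructed sample script
	sig := signArtifact(priv, artifact)
	fmt.Println("original verifies:", verifyArtifact(pub, artifact, sig))
	fmt.Println("tampered verifies:", verifyArtifact(pub, tamper(artifact, 10), sig))
}
```

Because the signature is over the digest, the signing step costs the same for a 1 KB script and a 1 GB installer, and the signature can ship as a separate file beside the artifact.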
As noted above, a certificate authority (CA) is the trusted authority that ultimately verifies and confirms the identity of users, machines, or applications accessing an organization's IT infrastructure. Without the strong identity authentication PKI provides, threat actors could impersonate users or services, which can result in data loss, security breaches, and financial theft. Certificate authorities can be public or private. The primary reasons for leveraging a private CA are:
By leveraging a private CA, an organization can establish itself as the source of truth for its connected devices, employees, and processes inside its network.
The benefits of a private CA include:
Lower risk: A private CA is trusted only by the organization's own systems, and the organization decides which people, devices, and workloads receive certificates and what those certificates may be used for. Access to specific servers, file directories, or devices can therefore be limited to identities the organization has issued itself, which significantly reduces the risk of unauthorized access to its data and systems.
Increased efficiency: Private CAs enable management of certificate provisioning, installation, and revocation of digital certificates by allowing network administrators to define and automate PKI standards and practices that meet their organization's specific requirements. This level of control is particularly useful for organizations, such as financial institutions, that need to comply with specific security requirements.
Faster speed: Finally, the control and agility provided by managing private CA certificates can reduce time to market, while automating administration of these internal certificates can free up employee time for more strategic tasks.
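The private CA described in this section and the certificate-based authentication described earlier, put together as an added example that is not part of the original page or of HashiCorp Vault's PKI engine: an in-process root CA issues a short-lived client-authentication certificate to a user, and a server accepts the certificate only if it chains to that root, is within its validity period, and carries the client-auth extended key usage. The CA and user names, the one-hour lifetime, and all keys are constructed for the example; a production CA key would live in an HSM or a secrets manager, and revocation checking (CRL or OCSP) is a separate step not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newPrivateCA creates a self-signed root for a hypothetical in-house CA.
func newPrivateCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert has the CA sign a short-lived client-authentication
// certificate for an identity. The subject generates its own key pair; only
// the public key goes to the CA, and the private key stays with the subject.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, identity string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	subjectKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial: serials must be unique per CA and unpredictable.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: identity},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &subjectKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, subjectKey, err
}

// verifyClient is the server-side acceptance check: the presented certificate
// must chain to the private root, be valid at 'now', and be usable for client
// authentication. A nil return means the identity is accepted.
func verifyClient(presented, trustedRoot *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	ca, caKey, err := newPrivateCA("Example Corp Private Root")
	if err != nil {
		panic(err)
	}
	cert, _, err := issueClientCert(ca, caKey, "alice@example.com", time.Hour)
	if err != nil {
		panic(err)
	}
	rogue, _, _ := newPrivateCA("Someone Else's Root")
	fmt.Println("trusted root, now:     ", verifyClient(cert, ca, time.Now()))
	fmt.Println("trusted root, in 2 hrs:", verifyClient(cert, ca, time.Now().Add(2*time.Hour)))
	fmt.Println("untrusted root:        ", verifyClient(cert, rogue, time.Now()))
}
```

The short lifetime is what makes the "increased efficiency" point above practical: a certificate that expires in an hour rarely needs to be revoked, so the CA can spend its effort on automated issuance rather than on revocation lists.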
While connected internet of things (IoT) devices provide many business benefits, an IoT environment is only as secure as its weakest link. Identities and credentials are often hardcoded into IoT devices or left unmanaged, which lets attackers take the devices over and conscript them into botnets used for distributed denial of service (DDoS) attacks. PKI makes it easier for organizations to ensure that only authorized IoT devices connect to their networks and to manage identity security and standards across all of their IoT devices.
PKI is a key component of a holistic approach to establishing and securing digital identity and staying ahead of threats. PKI has been available for decades and is considered a gold standard for authentication, digital signatures, and secured communications. PKI-issued digital certificates are routinely used to authenticate, digitally sign, and encrypt in chip-based payment cards, electronic passports, e-commerce websites, connected devices, and much more, shielding them from compromise or breach.
The demand for protecting workloads, applications, services, and IoT-connected devices is driving rapid growth and demand for PKI services. These environments tend to be highly distributed — geographically as well as technologically — forcing IT teams to cope with multiple PKI automation platforms.
PKI is a critical pillar in HashiCorp Vault’s zero trust security architecture, where everything is authenticated, every action is authorized, and data is always protected.
Vault is a multi-cloud platform that automates and unifies certificate management with a single control plane. It supports automated provisioning, installation, revocation, and renewal of a wide array of X.509 certificates via industry standard PKI protocols, APIs, and more than 200 partner integrations.