Addressing Security Tasks With Efficient PKI
Today digital signatures and digital certificates are widely used not only for meeting the internal needs of organizations, but also in interagency e-document flow, online banking, and e-tendering. In other words, proper, competent and secure use of digital signatures is critical for any organization.
PKI and asymmetric cryptography can help your company to address the following information security tasks:
- Replace outdated password authentication with strong two-factor authentication for access to operating systems and applications (VPN, VDI, etc.)
- Digitally sign and encrypt email
- Use a qualified electronic signature to comply with regulatory requirements, enable legally valid document flow, interact with online banking systems, and participate in tenders and procurement
- Encrypt files, disks, and other data
However, to properly support your PKI you have to address a number of new challenges:
- Consistently manage different models of your tokens, as well as certificates issued by various certificate authorities.
- Bring your certificates in line with user tasks, i.e. make sure that each smart card contains all the certificates required by the user without any redundant certificates.
- Centrally manage policies regarding user PIN codes for tokens, i.e. establish policies for PIN code complexity and PIN change frequency.
- Carefully monitor certificate validity and ensure their timely renewal.
- Keep track of your tokens and assign them to specific employees and workstations to control how PKI tokens are used in your company.
- Keep a log of cryptographic facilities.
- Unlock the tokens that get locked when users forget their PIN codes.
As cloud computing continues to evolve and remote work becomes more popular, new technologies that do not require a hardware token for storing key data are gaining traction, such as network and virtual smart cards and electronic signatures in the cloud and on smartphones.
Addressing the challenges related to the operation and management of your PKI may require a lot of time and money, not to mention the related information security threats. The optimal solution would be to use a specialized PKI management product designed for centralized monitoring and management of your PKI.
The primary function of such products is to serve as a “certificate manager”. These software suites can help you significantly improve the efficiency of your PKI management and enhance your information security.
Solving the Task with Certificate Manager
If you want to boost the efficiency of your PKI management and reduce the related costs, your best choice is to use a comprehensive solution, Indeed Certificate Manager (Indeed CM). This product was designed to centralize and increase the efficiency of all operations related to digital certificates and PKI tokens.
Notably, Indeed CM is completely independent of the developers of certificate authorities and hardware tokens. This is why this solution works well for a variety of PKI products.
The Indeed CM platform offers the following functional features:
- Management policies (issue, renew, revoke) for all certificates used in your company
- Management policies for PKI tokens
- Integration with public key infrastructure components: certificate and registration authorities, smart card printers, etc.
- Integration with IT infrastructure components: directory services, certificate stores, mail services, etc.
- Integration with information security tools: authentication management systems, workstation protection tools
- Management services for PKI administrators and operators
- User self-service
- Summary of managed objects (users, tokens, digital certificates)
- APIs for integration with third-party systems
Indeed CM supports the following operations with electronic signature keys and certificates:
- Initiate key pair generation and send certificate request to the CA
- Issue and revoke public key certificates
- Ensure timely renewal of certificates
Indeed CM supports the following operations with PKI tokens:
- Initialize a token and assign it to the user
- Lock and unlock a token
- Set and change user and administrator PIN codes (password policies are supported)
In other words, PKI administrators and operators can use Indeed CM as a multi-purpose console for certificate and PKI token management.
All parameters in Indeed CM can be set up via relevant policies. A policy contains all the data needed to connect to certificate authorities, a list of certificates to be issued, and additional certificate parameters (create key backups, reuse keys when renewing expiring or expired certificates, etc.).
A policy can be applied to a specific unit in the organizational structure (for example, an OU in an Active Directory Domain), and the settings for all users located in this unit or its child objects will be aligned with the policy.
You can also define user groups to filter the policy scope. That is, you can assign several policies to a single object in your organization, and the relevant policies will be selected based on user groups.
Integration with Active Directory.
- Microsoft CA
- Cryptovision CAmelot
Types of operations with CAs:
- Obtain certificate templates
- Approve certificate requests
- Issue and reissue certificates
- Suspend and revoke certificates
- Check certificate status
- Create and update CA user data
- Removable hardware tokens
- Microsoft Windows Registry
- Trusted Platform Module (TPM)
- Microsoft Windows Hello for Business
- Indeed AirCard Enterprise
Removable hardware tokens: