
Public Key Infrastructure in Information Security - Case Study Example

Summary
The paper "Public Key Infrastructure in Information Security" describes that the cost of developing and maintaining the security of internally issued certificates outweighs the cost of acquiring certificates from a public certificate authority. The use of public CAs is economically justifiable…

Extract of sample "Public Key Infrastructure in Information Security"

Public Key Infrastructure in Information Security

Introduction

Currently, most business and non-profit organizations have digitized their data and information records. For example, the use of hard-copy files for keeping client information by financial institutions is no longer practical today. Most organizations keep their data and information files in secured online databases. In addition, access, utilization and sharing of the digitized information take place through secure servers. Unfortunately, advancement in information technology systems invariably triggers a corresponding increase in crimes associated with digital information. The increase in information-related crimes is responsible for the presence of enhanced information security in organizations today (Lindsey, 2014). Technically, motivations for information-related crimes are attributed to the economic importance of private information in technology platforms. For example, cyber attackers seek secret and valuable information either for economic benefit or for terrorism-related causes. Whatever the motivating factors, organizations handling private information have a duty to protect valuable information and prevent it from ending up in the wrong hands. Consequently, organizations typically utilize information security systems like Microsoft Server Active Directory domains and Public Key Infrastructure to foster information security.

Public Key Infrastructure: Features

Undeniably, some information security systems are better than others. As the Information Security Director for a software company, I would prefer the use of Public Key Infrastructure to a Microsoft Server domain in safeguarding vital information inside the organization. Technically, Public Key Infrastructure, commonly abbreviated as PKI, is a system of standardized policies and sequenced procedures meant to secure the sharing of information (Kim & Michael, 2014).
In the past, hackers have successfully penetrated network infrastructures by employing tactics like sniffing, man-in-the-middle attacks, and denial-of-service, among others. These hacking tactics are usually easy to apply when attacking non-encrypted networks. In this context, information security developers have learned the benefits of encryption and of distributing authentication components through independent digital certificates. In essence, Public Key Infrastructure combines the concepts of digital certificates and key encryption in maintaining network security (Carlisle & Lloyd, 2013).

Digital certificates are essentially digitized signatures of the certificate's holder. In conventional platforms, digital certificates would be synonymous with passports. Every digital certificate contains the holder's personal information, and guarantees a message's receiver that a sent message is from a trusted source. All digital certificates are issued by a trusted agency, the Certification Authority, commonly abbreviated as the CA. In Public Key Infrastructure, digital certificates are used in authenticating information sharing through Public Key Cryptography channels. Technically, Public Key Cryptography is an asymmetric key encryption technique which ensures that only the intended recipient accesses and reads the message sent through either secure or insecure channels (Lindsey, 2014). Therefore, a digital certificate is like a door key, while Public Key Cryptography is like a corridor leading to a secure communication room. Inside the secure communication room, both public and private parties can share information without fear of compromise of data integrity or confidentiality.

Admittedly, the discussed features of Public Key Infrastructure are reliable in ensuring data integrity and objective authentication. Digital certificates ensure that only a trusted sender and an authorized receiver engage in the exchange of information.
In addition, authentication of digital certificates is performed by a Public Key Cryptography server. In this case, only the client and the server have access to information contained within a digital certificate, thus the threats posed by third parties are eliminated (Kim & Michael, 2014). In addition, certificates used in Public Key Infrastructure contain standardized authentication details issued only by a single trusted agency, the Certificate Authority. As a result, clients inside the software organization will be assured that their certificate information is handled by a trusted and independent provider. In case of compromise of certificate details, certificate holders can easily approach the single provider and get customized explanations and remedies in a timely manner (Lindsey, 2014). With respect to the technical advantages highlighted above, I would recommend utilization of PKI because it would not only foster information security within the responsible department, but also improve clients' trust and the reputation of the software company.

PKI in Signing of Software Certificate

In software development, signing of certificates involves the use of cryptographic codes that encrypt the identity of a certificate's producer to the software. Whenever a customer opens software after purchase, a pop-up window opens and notifies the user that the purchased software is legitimate and that the identity of the producer has not been altered since the software was produced. Contrarily, illegitimate or altered software is followed by security warnings upon opening. In this context, Public Key Infrastructure can be primarily useful in the process of signing software produced by the company. As aforementioned, certificate verification and authentication is one of the essential features of Public Key Infrastructure (Carlisle & Lloyd, 2013). Technically, software is an example of a digital certificate.
Therefore, PKI allows publication of the software's information on a reference directory through the Public Key Cryptography feature. Encryption of the software details through Public Key Cryptography ensures that the software's validity, authenticity and trustworthiness can be verified by third-party authorities (Carlisle & Lloyd, 2013). Since PKI facilitates the process of certificate issuing and authentication, customers will be attracted by the legitimacy and validity of software signed using the Public Key Infrastructure security system.

Public versus In-house CAs

Typically, digital certificates are issued by either private certificate authorities or public certificate authorities. Each of these authorities has specific benefits and shortcomings. In most cases, directors of information security departments have to decide whether to obtain digital certificates from a public or an in-house CA. Acquisition of certificates from public or external CAs is usually costly, and some public CAs charge up to thousands of dollars to issue a digital certificate. Despite the cost, customers and clients usually trust certificates provided by public CAs more than those issued by in-house agencies. Contrarily, in-house or internal CAs allow an organization to issue as many certificates as possible for free. Despite being less costly, in-house CAs provide limited PKI security and accountability. Consequently, third parties do not necessarily trust the reliability of certificates issued by internal authorities (Kim & Michael, 2014). Therefore, most customers would rather pay the high amount charged by public CAs and gain enhanced PKI accountability from the CA, as opposed to getting a free certificate that offers limited PKI security and accountability.

Personally, I would recommend the use of digital certificates issued by public CAs within the software company, as compared to internal production and issuance of the certificates.
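The signing-and-verification flow and the public-versus-in-house trust difference discussed above, as an added example that is not part of the original paper, using the OpenSSL command line. The CA and publisher names, file names and 30-day validity are constructed, and the script assumes `openssl` with its default configuration is installed.

```shell
#!/bin/sh
# Added example; every name, file and validity period below is constructed.
status() { if "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi; }
chain_ok() { openssl verify "$@" 2>/dev/null | grep -q ': OK'; }

pki_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    # In-house root CA: self-signed, so no outside party trusts it by default.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Example In-House Root CA" -keyout ca.key -out ca.pem 2>/dev/null
    # Publisher key pair and certificate request, then issuance by that CA.
    openssl req -newkey rsa:2048 -nodes \
      -subj "/CN=Example Software Co" -keyout pub.key -out pub.csr 2>/dev/null
    openssl x509 -req -in pub.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 30 -out pub.pem 2>/dev/null
    # Publisher signs the release with its private key.
    printf 'release build 1.0\n' > app.bin
    openssl dgst -sha256 -sign pub.key -out app.sig app.bin
    # Customer extracts the public key from the certificate and checks the file.
    openssl x509 -in pub.pem -pubkey -noout > pub.pub
    echo "signature_original=$(status openssl dgst -sha256 \
      -verify pub.pub -signature app.sig app.bin)"
    printf 'extra bytes\n' >> app.bin   # file modified after signing
    echo "signature_modified=$(status openssl dgst -sha256 \
      -verify pub.pub -signature app.sig app.bin)"
    # Chain check: machine with the in-house root installed vs. default store.
    echo "chain_inhouse_root_installed=$(status chain_ok -CAfile ca.pem pub.pem)"
    echo "chain_default_trust_store=$(status chain_ok pub.pem)"
  )
  rc=$?
  rm -rf "$d"
  return "$rc"
}

pki_demo
```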
Undeniably, use of public CAs would cost the company a significant amount of operating expense. However, the cost of acquiring certificates should not take precedence over other factors like the certificates' PKI security and accountability. Whenever the security of internally issued certificates is compromised, the entire organization can be sued and fined exorbitantly for failing to protect clients' information (Kim & Michael, 2014). In this context, the cost of developing and maintaining the security of internally issued certificates outweighs the cost of acquiring certificates from a public certificate authority. Therefore, use of public CAs is economically justifiable compared to the use of in-house CAs.

References

Carlisle, A. & Lloyd, S. (2013). Understanding PKI: Concepts, Standards, and Deployment Considerations. Pittsburg: Addison-Wesley Publishers.

Kim, D. & Michael, S. (2014). Fundamentals of Information Systems Security. New York, NY: Jones & Bartlett Learning.

Lindsey, J. (2014). Public Key Infrastructure: Building Trusted Applications and Web Services. Indianapolis: CRC Press.