Beruflich Dokumente
Kultur Dokumente
Implementation Project
WHITE PAPER Management
Published by CSS Research | Q4 2016
Digital certificates issued from a Public Key Infrastructure (PKI) are undoubtedly
one of the most effective methods for securing and provisioning access to both
internally connected network enterprise resources and internet-connected
“things.” However, an effective PKI can be difficult to implement and manage
without knowledgeable and dedicated resources in-house.
CISO CIO
"It is critical that the –– Create and modify certificate templates as needed by ap-
team responsible for plication owners
your PKI project takes
a holistic approach to –– Manually issue and revoke certificates as well as understand
implementation. They must how to setup auto-enrollment
be in place and adhered
to from the first step of –– Carry out server administration duties: hardware, applying
implementation in order to patches, and creating meaningful backups
be able to sustain the PKI
with full assurance that it will –– Publish Certificate Revocation Lists and manage the CA itself²
not be compromised."
Unfortunately, the field of PKI experts with enough knowledge to
sustain the day to day operation of a PKI is waning. Finding a reliable
expert who can not only design and implement a “healthy” PKI, but
maintain its health on an ongoing basis is becoming harder; as a
result, talent is also becoming more expensive.
It is critical that the team responsible for your PKI project takes a
holistic approach to implementation. They must understand that
specific practices and policies must be in place and adhered to from
the first step of implementation in order to be able to sustain the
PKI with full assurance that it will not be compromised. If you do not
have full confidence in your PKI resources, it’s a good indication that
looking into outside help may be a more viable option.
Performing a Buildout
Whether you’re tackling PKI internally or with a partner, there are
many parties involved in its successful implementation. Therefore, it
is important to have a detailed implementation plan. The following
sample PKI implementation outline is a good starting point to illus-
trate how various project phases can be broken down and executed:
Phase 1
Week 1 • Project kick-off and design sessions
• First iteration of the design
Phase 2
• First iteration of the design
Week 2
• Create first iteration of the documented certificate policy (CP) and
certification practices statement (CPS)
Phase 3
• Review and sign-off of the design document (all security stakeholders)
Week 3
• Review and revise certificate policy (CP) and certificate practices statement
(CPS) documents
Phase 4
• Preparation for key signing ceremony and production rollout (i.e., complete
change management processes and assign roles for implementation)
Week 4
• Procure and install production hardware (HSMs and servers)
• Create a key signing document and prepare for the ceremony
Phase 5
• Complete root signing ceremony
• Create disaster recovery (DR) cryptography artifacts
Week 5 • Build and configure production of subordinate CAs
• Configure other ancillary PKI servers
• Validate the health of the new PKI
Phase 6
Week 6 • Validate migration strategy
• Begin issuing first set of production certificates
Phase 7
• Complete all documentation
Week
7-8 • Move PKI to steady state and assign ownership for ongoing tasks
• Project completion
Unless you have access to a seasoned PKI consultant, carrying out a PKI
implementation will be considerably difficult. A third-party expert will be
objective and ensure that that the full process is carried out – no security
consideration will fall to the wayside. If you’re not fully confident in your
internal resources, get in touch with a PKI partner.
Contact Us
css-security.com
877.715.5448
References
1. A Guide to the Internet of Things. (n.d.). Retrieved September 15,
2016 from http://www.intel.com/content/dam/www/public/us/
en/images/iot/guide-to-iot-infographic.png