Case Studies Reading Time: 2 minutes

How Encryption Consulting’s PKI Assessment and Deployment Helped the Retail Sector 

Company Overview 

This retail organization is a prominent player in the global market. It operates a vast network of stores that offer a wide range of consumer goods, from clothing and electronics to groceries and home essentials. With a significant online presence, the company has also built a reputation for convenience, customer service, and competitive pricing. It employs thousands worldwide and is committed to sustainable and ethical business practices. 

Despite its success and scale, the organization has encountered challenges in managing its Public Key Infrastructure (PKI), crucial for securing its extensive digital transactions and communications. The company struggled with assessing and deploying its PKI systems, which are vital for the encryption and digital signing of sensitive data. This shortfall has posed data integrity and security risks, potentially impacting customer trust and business operations. 

The issues primarily stemmed from outdated PKI technology that could not adequately support the scale of digital transactions processed daily. Additionally, the lack of skilled personnel familiar with modern PKI solutions hindered these systems’ effective upgrade and management.

The company recognized these vulnerabilities and has initiated efforts to overhaul its PKI framework. It aims to integrate advanced security measures, train staff on cutting-edge technologies, and establish a robust PKI system that aligns with current cybersecurity standards to protect customer data and maintain its market leadership. 

Challenges 

  1. Lack of planning and tracking

     Structured and well-considered planning is one of the best practices for PKI deployment. Well-defined planning will not only help an organization keep track of its certificates, but it will also decrease the security risks to the PKI.

    Once the system has been in place for a while, and if it has not been built in a structured manner, your organization can easily lose track of what certificates have been issued. Many organizations do not pay attention to or know the number of certificates they have, their expiry dates, where to find them, etc. The consequences of such mismanagement range from failed audits to certificate and key misuse that can ultimately compromise an organization’s systems.

  2. Not allocating skilled internal resources

     The most prevalent mistake when deploying PKI is underestimating the needed resources. Running an in-house PKI requires effort, time, and money. A dedicated team with skilled resources is required to run the show. The PKI team should have sufficient resources and skilled owners who can lead and respond effectively to an outage or security incident.

  3. Security of the Root CA

    The security of the Root CA must be well-considered. In PKI deployments, all trusts come from the Certificate authority (CA). The CA issues the Root Certificate, which ensures the cryptographic keys’ validity to verify the authentic identities. The root CA is the foundation of trust for every certificate issued across the organization’s environment. If you cannot trust your root CA, you cannot trust your PKI.

    As per security guidelines, specifying who can obtain the certificate and when the certificate will be revoked is crucial for establishing and maintaining trust in Certificate authorities and avoiding PKI deployment mistakes. A regular audit of relevant certificate authorities is required to ensure that the certificate practice statements (CPS) are implemented correctly and avoid any network risk.

  4. Bad Certificate Lifecycle Management

    Another PKI deployment mistake is a lack of forward planning for managing the entire certificate lifecycle. Poor handling of expired certificates may cause outages and significant expenses. Automating certificate renewals may help in this case. If the organization is making a manual effort, then monitoring the expiry of certificates is a must.

  5. Not storing certificates and keys Securely

     Hackers can use various techniques to analyze and detect keys while they are in use or transit. Ensuring the keys are stored securely under FIPS 140-2 level 3 systems is necessary.

Solutions 

  1. The current PKI infrastructure is assessed using the PKI Assessment. A new PKI service based on Microsoft ADCS 2016 R2 was also designed. This mitigated the issue of Root CA expiry and the deployment of root CA on ADCS 2008, which is nearing the end of its support.

  2. CP and CPS documents were created while consolidating issuing CAs from 9 to 4 ICAs. This mitigated the organization’s lack of CP/CPS policy and lack of documentation and procedures.

  3. Installation and configuration of HSM for storing CA and ICA keys, along with creating Key Ceremony procedures and defining roles and responsibilities for Key management, mitigated the issue of loss of HSM keys to the Root CA and lack of proper roles and responsibilities defined for PKI custodians.

  4. Implement PKI hierarchy with offline Root CA and 4 Issuing CA’s connected to four domain forests.

  5. Validate the existing Certificate templates and create new Certificate templates to meet existing and upcoming Digital certificate requirements. Use the existing HTTP server and LDAP for CDP (CRL Distribution Point).

Impact 

  1. It helped the organization by providing a well-defined PKI system.

  2. The PKI Assessment and deployment defined people, processes & technology to manage PKI infrastructure.

  3. It also led to consolidating and removing redundant ICA’s, thus reducing infrastructure and maintenance costs.

  4. The PKI Assessment and deployment even provided the required information to the auditors.

  5. This particular assessment and deployment of PKI enabled the support for new digital certificates demands such as MDM, VPN, and IoT requirements.

  6. It enabled the issuance of valid certificates for existing internal-facing web apps and a valid certificate chain.

Conclusion 

Implementing Encryption Consulting’s PKI Assessment and Deployment proved transformative for this retail organization, effectively addressing its previous challenges in managing its Public Key Infrastructure. The retail firm has significantly improved its data integrity and security measures by redesigning the PKI systems with a modernized structure and enhanced security protocols. This overhaul included consolidating issuing Certificate Authorities, implementing a new PKI service based on Microsoft ADCS 2016 R2, and establishing rigorous Key Ceremony procedures, which have streamlined the management of digital certificates and keys. 

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

About the Author

Anish Bhattacharya's profile picture

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo