10/08/2011

Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure Review

Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure
Average Reviews:

(More customer reviews)
I have found that an unscientific--albeit effective--way to gauge the success of an idea or technology is to do a search on the subject at Amazon.com and see how many returns you get. For diet, there are well over 15,000 titles. For PKI (public key infrastructure), there are exactly four.
While there are nearly 4,000 times as many books about dieting as there are books about PKI, the similarities between the two subjects are interesting. Both dieting and PKI are often difficult to do right, but when they are done correctly, the positive effects are immense.
In a nutshell, a PKI is a set of technologies that enables users of inherently insecure networks and software applications (i.e., the Internet and browsers) to exchange data and perform transactions securely and privately. In a PKI, each user has a set of cryptographic keys comprised of a public-key and a private-key. A PKI also enables the use of a digital certificate that can be used to identify items such as individual end users, host systems, organizations, and directory services. PKI is based on public key cryptography, which is the most common method used to authenticate the sender of a message, or to encrypt that message.
A PKI establishes digital trust and maintains that level of assurance. In the real world, trust is built through a complex web of social, legal, national, international, and business interactions that may take years or decades to develop. Unfortunately, that same level of trust is much harder to implement in the electronic world.
With that in mind, Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure provides a thorough technical introduction to the workings of PKI. Those wanting a less technical and more managerial approach should read PKI: Implementing & Managing E-Security by Andrew Nash.
The reason that PKI is so important is that information security is often the most fundamental need for today's businesses and e-commerce sites. There is hardly a Fortune 500 company without some type of external public connection, and given that more than 95% of the hosts on the Internet are running TCP/IP version 4 (with no inherent security), these systems are built and running on an insecure infrastructure. Such a reality is a scary thought.
The book is well organized into six sections. The first three chapters cover the basics and rudiments of security, cryptography, and PKI. Fortunately, the authors accomplish this by page 43. One of my personal gripes against many information security books is that they spend way too much time rehashing security basics, while not getting to the subject title until halfway through the book.
Section Two includes seven chapters detailing the different PKI components, protocols, architectures, and uses of digital certificates. Many of those considering PKI do not always realize that the "I" in PKI is infrastructure. Without a well-thought out and tested architecture and methodology, a PKI is nearly sure to fail. Getting the initial PKI software rolled out is often not an easy endeavor. Getting those pieces to work effectively in a distributed infrastructure takes an immense amount of planning and work. Section Two details ways to ensure that a PKI is well built, so that it does not collapse like a poorly designed building.
Chapter 12, "Policies, Procedures and PKI," is one of the most important chapters in the book, in that a PKI comprises much more than simply its underlying software. The book astutely notes that the technical mechanisms of a PKI are insufficient on their own, as they must be used in combination with a set of procedures to implement a particular corporate security policy.
The need for policy can't be over-emphasized, as it is a critical element in the effective and successful operation of a PKI. A PKI can't be effective unless it is deployed in the context of working policies that govern the use, administration, and management of certificates. In a similar vein, noted security guru Marcus Ranum defines a firewall as "the implementation of your Internet security policy. If you haven't got a security policy, you haven't got a firewall. Instead, you've got a thing that's sort of doing something, but you don't know what it's trying to do because no one has told you what it should do". So, too, with a PKI; if there are no policies to determine its appropriate use, inertia states that it will not be used properly.
Rather than being an abstract and dry guide, Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure concludes with some real-world examples of PKI rollouts. By learning how the three large PKI projects were implemented, readers can benefit from the lessons learned, so that they will not make the same (often common) mistakes.
Rather than being an abstract academic text, the authors, Russ Housley and Tim Polk, write from years of practical experience. Housley is the Chief Scientist for Spyrus, and Polk is the technical lead for PKI at NIST.
This review of mine originally appeared at ..../articles/2001/0104/0104m/0104m.htm
At a little over 300 pages, Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure is a valuable reference to the workings of PKI.

Click Here to see more reviews about: Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure



Buy NowGet 20% OFF

Click here for more information about Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure

No comments:

Post a Comment