PKI (Public Key Infrastructure) is a framework for setting up a security management system that uses public and private keys to verify the identity of people and organizations for the purpose of securely exchanging electronic messages over the Internet. (Martz, n.d., p. 1) PKI supplies all of the essential components that allow different types of users and entities to communicate securely and reliably. A PKI consists of:
- Certificate authority (CA) - confirms users' identities and creates an electronic document (the certificate) indicating that the users are who they say they are.
- Registration authority (RA) - handles the verification for the certificate authority before a digital certificate is issued.
- Certificate repositories - where certificates and their public keys are held.
- A certificate management system.
Using in-house software developers offers the greatest level of control, but the cost of software licences, maintenance fees and the funds needed to purchase and set up the entire system can be high. (Walder, 2003, p. 3) On the technical side, whether a company hosts its own certificate authority (CA) or uses an outsourced service usually comes down to capability:
- Does the organisation have round-the-clock support resources?
- Does the knowledge for security policy creation and management exist in-house?
- Are there internal IT staff who are skilled enough to run a CA?
- Are physical security measures sufficient?
- Can the security and integrity of the root signing keys be guaranteed?
The main benefit of in-house PKI is being totally in control of a very vulnerable area. If a PKI is only required to support services for the organisation's own employees, the concerns are fewer and there is no reason not to use the software developers the company already has. Keeping the operation in-house ensures that exchanging and using information between the CA and the corporate applications is not a problem, and that Certificate Revocation List (CRL) overhead is cut down. There is also little risk of infringing an outsourcer's certificate practices statement (CPS), whether on purpose or not. However, if the organization cannot guarantee the security factors mentioned above for its PKI, then it is necessary to seek an outside company.
Outsourcing Liability
The commercial outsourcing approach is cheaper because suppliers have already made the necessary investments in hardware, software and staff, but the big issue of liability now comes into play. Will an outsourcing company be liable for failures? Geez, I hope so! But if the possible risk is too high, the outsourcing company will certainly limit its liability to an agreed monetary amount. The organization must now weigh the cost of an in-house implementation against the less expensive outsourcing option and make an educated decision based on possible losses versus costs.
Wireless network security
There are two primary issues in wireless network security: access and privacy. As the information security officer, it is necessary to make sure that only authorized people can use the wireless network. The IT department is implementing WPA (Wi-Fi Protected Access) for both access security and privacy. WPA uses a passphrase that the IT department creates, together with shared keys that change, which makes it much harder for someone to crack. The department has also turned off broadcasting of the SSID (Service Set Identifier), the broadcast message that notifies every device within range of the network's presence.
In conclusion, a commercial PKI (Public Key Infrastructure) is less costly, but it also gives the organization very little control. An in-house PKI appears to be more costly, with the purchase of equipment and licenses, but are the IT people in our company qualified to handle the situation? This remains to be seen. The wireless network is secure with WPA enabled, and the passphrase is changed every 15 days to avoid access and privacy issues.
- Conklin, W. A., White, G. B., Cothren, C., William, D., & Davis, R. L. (2004). Introduction and Security Trends. In C. C. Johnson, L. Stone, J. M. Smith, S. Bale, M. McGee, & S. Elkind (Eds.), Principles of Computer Security (pp. 1-18). Burr Ridge, IL: McGraw-Hill Technology Education.
- Martz, C. (n.d.). PKI - Public Key Infrastructure. Retrieved January 14, 2010, from http://www.birds-eye.net/definition/p/pki-public_key_infrastructure.shtml
- Walder, B. (2003). In-house or out: how to start building a PKI. Retrieved January 14, 2010, from http://www.computerweekly.com/Articles/2003/07/30/196201/In-house-or-out-how-to-start-building-a-PKI.htm