PKI Governance

Although it’s perfectly possible for a strategic Public Key Infrastructure (PKI) to evolve successfully from a single tactical requirement - the need for a developer to sign code, would be one example or more commonly: a Microsoft Enterprise application like Exchange or Microsoft Lync that requires certificates, would be another.

What’s more likely, is that this tactical introduction of a PKI, is likely to need a major revision at a later date (especially if it needs to scale and be fully complaint) if it has been conceived without appropriate involvement of senior business staff. Tactical or ad hoc installations of certificate authorities rarely fulfill the strategic requirements of a growing business. In our experience, proper governance with well thought out business requirements that have been properly planned and sponsored are a prerequisite for strategic success.

This need for formal governance should ideally be reflected in a Policy Authority for the Public Key Infrastructure (PKI). This is usually derived from existing security policies and supported by the publishers of that policy. Additionally, a Certificate Policy and Certificate Practice Statement should be expected products of this policy.
Of course, this may be over kill for many organizations but the spirit and willingness of stakeholder involvement to underpin design and security decisions, needs to be sought by any external agency and it’s our responsibility to pursue this.

After all, any litigation that results from the erroneous or illicit use of organization certificates derived from an ill-conceived PKI, could find its way back to senior IT managers and stakeholders, regardless of whether they have underwritten the commission or not.