Most of the corporate IT departments we have been involved in (including major banks) have a fragmented approach to cryptography, certificate issuance and key management. This means that, in most environments, the ownership and management of cryptographic controls and appliances are dispersed throughout the estate.

The middleware team looks after its certificates, the networking team looks after its certificates, and the desktop team looks after certificates and security as part of the desktop service, and so on. Usually there is some overlap between services, but the thrust of the point is that there is usually no central certificate policy authority (no centre of excellence) and no overall responsibility. Each department, to some degree, dictates what it wants from the corporate CA (PKI) for its particular subscriber devices or users.

Our job in the corporate case is usually to try to elevate cryptography from the poor cousin to a status where it is equal to other IT services or, ideally, has an elevated status. After all, cryptography underpins almost all the major services in the corporate IT estate.

As most of our experience is derived from the corporate sphere, we are well equipped to develop more strategic and compliant PKI and certificate strategies that will evolve into a centrally managed service. Equally, we have been very much involved in corporate cryptography where it forms part of compliance with PCI DSS, the Data Protection Act, EMV (Europay, MasterCard and Visa), HIPAA, etc.

Note: In the absence of a corporate directive, we normally embark on cryptographic projects using The Open Group Architecture Framework (TOGAF) in combination with the PRINCE2 project management methodology. This approach ensures the appropriate amount of corporate stakeholder involvement and governance, and it guards against cryptographic controls and policies being developed in a vacuum (which, in our experience, is often the case).

Contact us to discuss corporate IT cryptographic requirements.