A Managed PKI is a vital part of any comprehensive network security strategy. It allows you to use digital certificates for authentication, a form of credential that’s much more secure and widely applicable than passwords.
Certificates offer the following advantages:
- Certificates are like photo IDs. They are tied to the identity of a verified entity, usually a person or device, and can’t be removed or stolen. Unlike passwords, which can be “borrowed” or stolen, certificate-based authentication is always a positive identification of who is accessing the network or resources.
- Certificates save IT time and money. Whereas passwords have to be reset every 90 or so days to maintain security, certificates have a lifetime of up to 20 years. Eliminating password-reset policy disconnects and lost-password support tickets significantly reduces the burden on IT, allowing them to focus on more important tasks.
- Certificates offer a better user experience. No need to remember credentials or passwords of any kind when using certificates. There’s also no need to come up with new passwords every few months. Certificates also interface with a wide variety of applications (including VPN, Wi-Fi, desktop logon, and web apps), so you can use the same certificate to authenticate to many services. No more creating and remembering passwords for every application.
The advantages of certificates over a traditional username and password are clear, so many companies have begun to switch over to a managed PKI service, like the one offered by SecureW2.
Here are some of the best uses for PKI that we see from our customers:
1. Managed PKI for Wi-Fi
Restricting access to Wi-Fi is one of the primary uses for certificates.
A typical small business deploys a WPA-PSK network so that both employees and guests can use its Wi-Fi: a single pre-shared key (the Wi-Fi password) is given to anyone who wants or needs access.
On a WPA2-Enterprise network that uses PEAP-MSCHAPv2 or EAP-TTLS/PAP authentication, each user has a unique username and password they use to access the network. It’s slightly more secure than PSK, but if a single person’s credentials are compromised, the whole network is at stake.
WPA2-Enterprise equipped with a PKI can use the EAP-TLS authentication protocol, which allows certificates to be used for Wi-Fi authentication rather than passwords. Our proprietary JoinNow software allows users to self-enroll for certificates that are then automatically distributed to their device – saving your IT department days’ worth of work.
A managed PKI used in this fashion greatly increases your Wi-Fi security. It doesn’t matter if certificates are removed from a device or intercepted in an over-the-air attack (such as the notorious man-in-the-middle attack) because they are built on asymmetric cryptography: the certificate carries only the public half of the private-public key pair, and that half is worthless without the private key, which stays on the device.
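As an added illustration (this is not SecureW2’s code and not part of JoinNow), the following Go program builds a small hypothetical PKI and mimics the RADIUS server’s EAP-TLS check: a client is accepted only if its certificate chains to the trusted root, is currently valid, is permitted for client authentication, and is accompanied by a signature over the server’s challenge that only the device holding the private key can produce. The root name, the user alice@example.com, the P-256 keys and the nonce are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey makes a P-256 key pair; in EAP-TLS the private half never leaves the device.
func NewKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// BuildPKI returns a hypothetical managed-PKI root and the client certificate it issued for EAP-TLS.
func BuildPKI(caKey, clientKey *ecdsa.PrivateKey, now time.Time) (root, client *x509.Certificate) {
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example PKI Root"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.AddDate(10, 0, 0)}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	clientTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice@example.com"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0)}
	client = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, clientTmpl, root, &clientKey.PublicKey, caKey))))
	return root, client
}

// SignNonce is the device's proof of possession: only the holder of the private key can produce it.
func SignNonce(key *ecdsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// RadiusAccepts mirrors the RADIUS-side EAP-TLS check: trusted chain, validity, client-auth EKU, nonce signature.
func RadiusAccepts(root, cert *x509.Certificate, nonce, sig []byte, now time.Time) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	_, err := cert.Verify(opts) // fails for an untrusted issuer, an expired cert, or a cert not issued for client auth
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	return ok && err == nil && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A copy of the certificate alone lets anyone verify signatures, but not create the one the server demands, which is why an intercepted certificate does not grant network access.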
2. Managed PKI for VPN
A VPN is always a good idea, for both privacy and security. VPNs are notoriously difficult to integrate into a thorough security infrastructure, however.
That’s where certificates come in handy.
Just like logging into any other service, VPNs require authentication before a user is granted access. Given the level of permissions and access a VPN provides, it’s more important than ever to make sure it’s secure – that’s why VPNs should always be authenticated using certificates.
A managed PKI makes it easier to integrate the VPN into your network too. A user can enroll for a certificate that authenticates to the VPN in the same way that they do for Wi-Fi. That certificate is authenticated by the RADIUS server after the VPN passes through the firewall.
3. Managed PKI for Web Applications
Using certificates to log into web applications, like an email client or CMS, is surprisingly handy. They have the same advantage over passwords in that you don’t need to remember passwords and there’s no need to reset them because they can’t be compromised.
But the most convincing reason to use a managed PKI with all your web apps is the greater connectivity and accessibility it enables. For example, if your organization uses a PIV-enabled smartcard, such as a YubiKey or a photo ID with an embedded smartcard, you can enroll it for a certificate that logs into identity management software such as Okta and grants access to everything else connected to Okta.
If you don’t use a service like Okta, a managed PKI allows you to enroll your certificates directly to your device’s native key store. From there, you can configure the browser to use the certificates to log into a variety of web apps.
4. Managed PKI for Desktop Logon
While it’s perhaps not the most compelling reason, at the end of the day, convenience is a big motivator for many people. That’s why you should be using a managed PKI to quickly and easily log on to your workstation every day.
Just as you use a certificate to log into an application, you can use a certificate to log into devices. Whether it’s loaded onto a PIV-enabled smartcard or on a physical security token like the YubiKey, you can log into your computer or other work device with ease. As an added benefit, it protects you from data theft if your device is stolen.
An important benefit of using certificates for desktop login is that it intrinsically identifies the user of the device. Since you can’t share certificates in the same way you do passwords, it creates accountability and precludes any plausible deniability.
Managed PKI Offers Best Security and User Experience
If the core offerings of a PKI (security, identity verification, and network access management) weren’t enough, the additional functions it can offer might compel you to make the leap. The convenience and security of having certificates for authentication instead of passwords cannot be overstated.
Fortunately, deploying a PKI is easier than you might think. Managed PKI is just that – managed for you, so you can reap the benefits it provides without having to undertake the burden of maintaining the necessary infrastructure and staff.
SecureW2 has an industry-leading managed cloud PKI service that’s affordable for organizations of all sizes.