COVID-19 has produced an ongoing global health crisis, a recession and drastic business shifts, yet encouragingly finance leaders remain committed to spend that supports digital transformation and security technology.

A recent survey by PwC surveyed hundreds of US-based finance leaders and found that many plan to invest in areas focused on business operations in a post-COVID world. According to the survey, areas of growth and spend include digital transformation, cybersecurity and privacy – all supporting permanent work from home infrastructure.

The nationwide shutdown had most businesses scrambling to ensure their IT infrastructure could support the unplanned move to remote work. Since the shift, leaders are realizing that remote work is efficient and sustainable. In fact, 54 percent of CFOs now view remote working as a permanent workplace option.

Digital identity protection paramount to remote workforce security

IT security is a challenge for businesses under normal circumstances. Pre-COVID, research found that leaders and IT professionals were concerned about managing risks related to digital transformation. Just under half of survey respondents said that authenticating and controlling IoT devices was a top strategic priority for their organization’s digital security while 60 percent were adding additional layers of encryption technologies to secure IoT devices.

Today, enterprises face new uncertainties. COVID-19 has rapidly expanded the footprint of mobile devices and remote workers, introducing complex security risks. Public Key Infrastructure (PKI) is a common enterprise IT tool used to secure digital identities across the workforce and all the applications and devices it uses. Every person, machine and application must have a trusted and verified identity; PKI and digital certificates secure connections to those identities behind and beyond the corporate firewall.

PKI deployments have evolved as a secure and cost-effective technology that protects business-critical infrastructure and enables new initiatives from the cloud to the IoT. As businesses pivot to a permanent remote workforce, IT and security leaders must make decisions on how to re-build or re-engineer disjointed and aging PKI environments, and the certificates those systems issue.

Build vs. Buy

When it comes to PKI, leaders have two options: build it or move it to the cloud. PKI as-a-Service (PKIaaS) platforms are becoming a popular investment choice that provide all the benefits of a privately rooted PKI, but without the cost and complexity of running it in-house. PKIaaS providers can deliver a much more effective, and ultimately more secure, PKI than most enterprises can achieve on their own.

Regardless of whether the choice is to build or buy, teams must consider six key requirements to ensure in-house or out-sourced PKI success – and digital identity security:

1. Understand your use cases. The process of architecting a PKI that fits your unique environment and business needs isn’t as easy as you’d think. Start by understanding and thoroughly documenting your intended PKI use cases. This baseline knowledge is key to every step, from architecting the PKI through to deployment.
2. Define policies and practices. Once you’ve documented your use cases, you’ll need to define your policies and practices, which will guide you through the process of implementing controls for your PKI. Creating these documents can be a daunting task, but it’s important to note that just copying another set of policy and practice documents verbatim will not suffice. These tools only have value if they truly represent your organization’s specific PKI requirements and operational processes. The NIST 7924 Draft CP/CPS can provide a solid starting point, but you’ll need to customize it to your organization.
3. Perform the root signing ceremony. The Root CA is a security measure that you have control over from the start. Building the root CA (i.e., the root signing ceremony) is akin to creating a “master key” to an organization’s network and should be treated with the same sensitivity. The building and configuration of the root CA should be well scripted in a controlled environment. Depending on the assurance level desired for the PKI, this ceremony will range from an informal execution of a scripting document (low assurance) to a formal recorded event in a pre-authorized location (high assurance).
4. Build and configure the infrastructure. Create a clear set of build documentation and configuration procedures to identify any gaps and ensure that infrastructure aligns with the policies and practices established earlier. Share and review the plan with other PKI-dependent teams to ensure that you have not missed anything. Before placing the PKI into production, make sure that you’re able to properly test all PKI components, as well as certificates across the various platforms and applications you intend to support.
5. Transition from test to production. A PKI requires a significant amount of care and feeding to remain functional. This stage can be a dangerous tripping point for security teams who were focused on simply implementing the PKI, but not its ongoing operations. A critical component to PKI operations involves how to incorporate, explain and document changes, also known as change control.
6. Plan to continuously review, test and audit. Once controls have been documented and operationalized, they must be reviewed and tested on a regular basis. This can be part of an internal audit and should include review and testing of everything listed in your policies and practices, business continuity and disaster recovery plans for all PKI components. Organizations that schedule and conduct their own internal audits regularly can easily identify issues, answer external auditor questions and provide proof of the required level of assurance.

As the permanent remote workforce becomes a reality and investments are reviewed, business continuity, digital transformation and security spending must prioritize digital identity protection. From a business operations perspective, we’re navigating uncharted territory and we need to continue to invest in the battle tested technology that will guide us through to the other side.