Organisations today are fully aware of the need to protect themselves against data breaches: the increasing level of fines, reputational damage and disruption to ongoing operations puts stronger cyber defence close to the top of any business agenda.
Many studies have shown compromised user credentials to be the number one cause of data breaches, so increasing the strength of the credentials used to authenticate end users to networks and applications is the primary starting point for many organisations wishing to improve security.
With the increase in remote working due to the pandemic, combined with digital transformation driving the use of a mix of on-premise, hybrid and SaaS solutions, it is even more important to know that people accessing systems from anywhere, on any device, are who they claim to be.
Digital identities and how to manage them
Multifactor authentication (MFA) combines at least two authentication factors to identify a user, such as ‘something I have’ (e.g. a smart card), ‘something I know’ (e.g. a PIN) or ‘something I am’ (e.g. a fingerprint). This significantly reduces the ability of bad actors to compromise a user credential and assume somebody’s identity, which is why ‘unphishable’ credentials bound to a proven identity are a cornerstone of zero-trust architectures.
Using PKI (Public Key Infrastructure) certificates on a secure device such as a smart card or USB token has long been seen as the ‘gold standard’ of security and forms the basis of many high-security standards, including eIDAS (Electronic IDentification And trust Services) and FIPS 201 – PIV (US government – Personal Identity Verification).
Deploying PKI credentials on secure devices requires specialist software that combines integration technology with secure business processes, to ensure credentials are issued to the right people in a secure manner and with minimum impact on existing business processes.
These systems are called credential management systems or CMS for short.
Credential Management Systems
The basic task of the CMS is to allow the issuance of security devices (e.g. smart cards, USB tokens or virtual smart cards). This involves creating secure communication with the device, managing keys and data on the device, managing credential generation (e.g. certificates), and finally personalising the device itself, electronically and optionally graphically. These technical goals have to be delivered within secure, trusted business processes.
A CMS plays a vital role in any identity management solution that utilises digital credentials stored on secure devices. Historically, this has meant the deployment of certificates onto smart cards, but this is rapidly expanding to encompass biometrics and other personal data on a broad range of devices such as USB tokens, contactless and hybrid cards, tablets and smartphones.
To provide a robust and scalable solution that can meet the requirements of enterprises, a CMS must go much further than fulfilling the basic tasks. An effective CMS needs to provide the scalability and reliability to manage large, distributed populations. It must secure the issuance process from a technical standpoint and also support a centrally defined and enforced security policy. Full lifecycle management capabilities must be provided in a way that is easy to use and can be readily adapted to fit into the required business processes.
A CMS is inevitably part of a larger identity solution; as such it should provide ‘out of the box’ integration with the required third-party technologies (devices, certificate authority, directory, IDMS, biometrics, card printers etc.). An extensive range of APIs is also required to allow the CMS to be integrated into project-specific infrastructures (e.g. identity management systems or physical access control systems).
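As an added illustration of the issuance step and policy enforcement described above (example code written for this page, not MyID’s or any CMS product’s own code), the following Go program models the flow: the key pair is generated on the device and only a signed certificate request leaves it; the CMS checks proof of possession, enforces an assumed central policy (ECDSA P-256 keys only, and the certificate subject taken from the proven identity record rather than from the request), and then has the integrated certificate authority sign the credential. The identity record, user ID and self-signed CA are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
var identityRecords = map[string]string{"alice": "Alice Example"} // proven identities held by the CMS (constructed sample)
// NewCA is a self-signed stand-in for the enterprise issuing CA the CMS integrates with (demo only).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Issuing CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// DeviceCSR models the secure device: the private key is generated on the device and only a signed request leaves it.
func DeviceCSR(cn string) ([]byte, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return der, key
}

// IssueCredential is the CMS issuance step: check proof of possession, enforce the central policy, then have the CA sign a DER certificate bound to the proven identity.
func IssueCredential(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, userID string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // the request must be signed by the key held on the device
		return nil, err
	}
	if pub, ok := csr.PublicKey.(*ecdsa.PublicKey); !ok || pub.Curve != elliptic.P256() {
		return nil, errors.New("policy: key must be ECDSA P-256") // assumed key policy
	}
	name, ok := identityRecords[userID] // the subject comes from the identity record, never from the request
	if !ok || csr.Subject.CommonName != name {
		return nil, errors.New("policy: subject does not match proven identity")
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(365 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}
```

The returned DER is what would then be written to the device; a relying party validates it against the issuing CA, as the checks below do.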
For a CMS to deliver on all of these requirements it must be a robust and reliable solution that is proven in security-demanding environments. The remainder of this blog series will describe each key feature a CMS requires in order to enable organisations to replace passwords with more secure PKI credentials simply, securely and at scale.
How can MyID help?
MyID® secures millions of identities across the world for large organisations, governments, enterprises, military and police forces, giving citizens, personnel and employees secure, seamless access to business-critical data, systems and networks.
Our credential management system enables organisations to interoperate across multiple software and hardware platforms, whether you are looking to issue and manage millions of smart cards or smartphones, and the PKI technology in between.
MyID is flexible, easily integrated and works across multiple platforms and devices.