PKI for Authenticating Remote Access VPNs: How Government Agencies Ensure Secure Communications

Friday, August 02, 2013

Patrick Oliver Graf


With many documents critical to matters of national security being accessed on a daily basis, government agencies must ensure that all users trying to establish connections of any type to their networks are who they say they are, that they are authorized to access the locations they are connecting to, and that all communications are encrypted. Public Key Infrastructure (PKI) compliance is the system that the public sector uses to verify a user’s information when that user attempts to establish a secure connection.

PKI compliance in the United States, for example, is administered and monitored by the Federal PKI Policy Authority, an interagency body that was set up under the CIO Council to enforce digital certificate standards for trusted identity authentication across federal agencies and between those agencies, universities, state and local governments, and commercial entities. PKI enables users on non-secured networks to transmit data securely and privately. It does so by using a pair of public and private cryptographic keys obtained and shared through a trusted Certificate Authority (CA). The PKI system ensures that the digital certificates binding each identity to its public key are stored by the CA in a central repository and can be revoked if necessary.

The public key cryptography underlying the PKI system is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditionally, cryptography has involved the creation and sharing of a secret key for the encryption and decryption of messages.

The best-known uses of PKI are email and document encryption and authentication, but PKI is actually much broader than that. It can also authenticate VPN connections by means of a valid certificate, which is standard in both IPsec and SSL-based remote access solutions.

Essentially, once a product receives PKI certification, government agencies can use a VPN gateway to authenticate remote access to applications within their secure networks.
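The certificate checks a VPN gateway applies before admitting a remote user, as an added example that is not part of the original article: a throwaway CA is built with the `openssl` command line, one certificate is revoked, and the gateway check rejects both the revoked certificate and one the CA never signed. The CA name, the users alice, bob and mallory, the file names and the function names are all constructed for this demo.

```shell
#!/bin/sh
# Constructed demo PKI: "Demo Agency CA" and users alice, bob, mallory (assumed names).
set -e
cd "$(mktemp -d)"
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Agency CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
database = index.txt
default_md = sha256
default_crl_days = 7
EOF
: > index.txt   # the CA's record of revoked certificates
newkey="-newkey rsa:2048 -nodes -config ca.cnf"
ca="openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key"

# The CA's self-signed certificate: the only thing the gateway has to trust.
openssl req -x509 $newkey -keyout ca.key -out ca.crt -days 30

issue() {   # the user creates a key pair and CSR; the CA signs the public key
  openssl req $newkey -keyout "$1.key" -out "$1.csr" -subj "/CN=$1"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -out "$1.crt" -days 7
}
publish_crl() { $ca -gencrl -out ca.crl; }
revoke() { $ca -revoke "$1.crt" && publish_crl; }

# Gateway-side decision: signed by the trusted CA, within its validity period,
# and absent from the CA's current revocation list (CRL). Proof that the client
# holds the matching private key happens separately, in the IKE/TLS handshake.
gateway_check() { openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check "$1"; }

issue alice; issue bob
openssl req -x509 $newkey -keyout mallory.key -out mallory.crt -subj "/CN=mallory"  # not CA-signed
publish_crl                                  # empty CRL: nobody revoked yet
gateway_check alice.crt                      # admitted
revoke alice
gateway_check alice.crt   || echo "alice: denied (revoked)"
gateway_check mallory.crt || echo "mallory: denied (unknown issuer)"
gateway_check bob.crt                        # still admitted
```

The gateway is only as current as the CRL it holds, so a revocation takes effect once the newly published `ca.crl` reaches it.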

Government PKI requirements are typically very stringent, and it is difficult for organizations to obtain certification. This guarantees that governments are using the most secure encryption methods possible to safeguard sensitive information in transit.
