Suppose you are the Information Security Director at a small software company. The organization currently utilizes a Microsoft Server 2012 Active Directory domain administered by your information security team. Mostly software developers and a relatively small number of administrative personnel comprise the remainder of the organization. You have convinced business unit leaders that it would be in the best interest of the company to use a public key infrastructure (PKI) in order to provide a framework that fosters confidentiality, integrity, authentication, and nonrepudiation. Email clients, virtual private network (VPN) products, Web server components, and domain controllers would utilize digital certificates issued by the certificate authority (CA). Additionally, the company would use digital certificates to sign software developed by the company in order to demonstrate software authenticity to the customer.
- Analyze the fundamentals of PKI, and determine the primary ways in which its features and functions could benefit your organization and its information security department.
- Propose one (1) way in which the PKI could assist in the process of signing the company's software, and explain the main reason why a customer could then believe that software to be authentic.
- Compare and contrast public and in-house CAs. Include the positive and negative characteristics of each type of certificate authority, and provide a sound recommendation of and a justification for which you would consider implementing within your organization. Explain your rationale.