PKI Maturity Model Aims to Improve Crypto Infrastructure

Creating and deploying public key infrastructure is notoriously difficult. However, a group of encryption vendors, consultancies, and other experts aim to make a resilient approach to encryption more straightforward.

Last week the PKI Consortium — a group of nearly 70 encryption providers and consultancies — released the first draft of its PKI Maturity Model (PKIMM), which is intended to serve as both a guidebook of best practices and a playbook for assessments of PKI infrastructure. The initiative aims to be open to everyone, providing guidance on how to improve encryption infrastructure, says Roman Cinkais, CEO of data-security consultancy 3Key and chairman of the PKIMM Working Group at the PKI Consortium.

"We believe that we can bring to PKI something valuable that can be used to improve the security of the Internet overall," he says. "You can assess the overall market fit of your own implementation and get actionable guidance on how you can improve."

PKIMM is the latest maturity model released for some aspects of cybersecurity. More than a decade ago, security pros Gary McGraw and Brian Chess created the Building Security In Maturity Model (BSIMM), which gathers metrics on organizations' efforts to secure software. The OWASP Software Assurance Maturity Model (OSAMM) is another approach that offers companies guidance in software security.

The initiatives are inspired by the more general Capability Maturity Model Integration (CMMI), a framework of business best practices with provisions for benchmarking performance created by Carnegie Mellon University more than three decades ago. Using the model, companies aim to improve their business processes and spur innovation.

While organizations that improve their maturity, as measured by such models, can become risk-averse and less innovative, overall they manage risk better, Microsoft stated in an analysis of the CMMI.

"A high maturity, high capability organization can easily respond to unexpected, stressful events," the company stated. "A low maturity and lower capability organization tends to panic under stress, blindly follow obviated procedures, or throw out all process altogether and retrench back to chaos."

Tackling Inconsistent Cryptography Technologies

The primary target of the initial draft of PKIMM is vendors and service providers that want to establish a specific maturity and be able to measure their progress. The model measures organizations' progress in 15 different categories using a 5-level scale of maturity. The lowest level is "initial" progress — unpredictable and reactive with a lack of control — while the highest is "optimized," encompassing a proactive approach with continuous improvement.

Large enterprises — so-called relying parties — can also use the PKI Maturity Model to measure their capabilities and use maturity levels to determine what service providers meet their needs, the PKI Working Group's Cinkais says.

"You can look for someone who can provide you with a needed service at a specific maturity level," he says. "And, of course, it can give you guidance because the model is built not only to give you the assessment of your own implementation, but what you need to adopt to improve."

Companies might not need the highest maturity level, especially if they are using the PKI infrastructure internally, Cinkais adds. "You don't need to focus on every use case on the highest maturity level. It depends on your needs," he says.

Maturity Models Have Downsides Too

Whether PKIMM will be generally useful or just a way to direct the encryption and certificate industry toward common security goals remains to be seen. The best maturity models are not just prescriptive, but they also provide data on what companies are actually doing, says Gary McGraw, one of the creators of BSIMM, which releases an annual report with data on how companies are securing their software development.

"The best result of any maturity model is sparking an arms race for the common good where a 'race to improve' takes fire," he says, adding that he has no specific knowledge of PKIMM's approach.

The approach of creating maturity models for specific cybersecurity sectors seems to be a trend, he adds. "I think a rollup of maturity models would be great, but I see evidence of movement in the other direction toward more specific subfield maturity models actually happening."

With any maturity model, companies need to foster a culture of innovation and improvement, not merely compliance. Companies that focus on just meeting process milestones and not the overall goal can miss the forest for the trees, Microsoft said in its analysis of the more general CMMI. Maturity and reliability may improve, but rote adherence is not necessarily good.

"Perhaps the biggest failure mode is making achieving a level the goal and then creating processes and infrastructure simply to pass the appraisal," the company stated. "The goal of any process improvement activity should be measurable improvement, not a number."