CyberSecurity SEE

PKI Maturity Model Intends to Enhance Crypto Infrastructure


A group of encryption vendors, consultancies, and experts have unveiled a new initiative aimed at simplifying the creation and deployment of public key infrastructure (PKI). The PKI Consortium, made up of nearly 70 encryption providers and consultancies, has released the first draft of its PKI Maturity Model (PKIMM), which serves as a guidebook and assessment tool for PKI infrastructure.

The primary goal of PKIMM is to make encryption more accessible and improve the overall security of the internet, according to Roman Cinkais, CEO of data-security consultancy 3Key and chairman of the PKIMM Working Group. The model is open to everyone and provides actionable guidance on how organizations can enhance their encryption infrastructure.

PKIMM is the latest addition to a series of maturity models developed for various aspects of cybersecurity. Over a decade ago, security professionals Gary McGraw and Brian Chess created the Building Security In Maturity Model (BSIMM), which measures the software security practices organizations actually have in place. Another example is the OWASP Software Assurance Maturity Model (OWASP SAMM), which provides prescriptive guidance for building a software security program. Both draw on the Capability Maturity Model Integration (CMMI), a framework of process best practices originally developed at Carnegie Mellon University's Software Engineering Institute.

Although pursuing higher maturity can make organizations more risk-averse and less innovative, it also lets them manage risk more predictably, as Microsoft noted in its analysis of CMMI.

The initial draft of PKIMM primarily targets vendors and service providers who seek specific maturity levels and want to measure their progress. It measures progress in 15 different categories using a 5-level scale of maturity. The lowest level represents the “initial” progress, characterized by unpredictability and reactivity, while the highest level is “optimized,” denoting a proactive approach with continuous improvement.

Large enterprises that consume PKI services rather than operate them (relying parties, in PKI terminology) can also benefit from the PKI Maturity Model by using it to assess their own capabilities and to select service providers that meet their needs. The PKIMM Working Group's Cinkais explains that organizations can look for providers operating at a specific maturity level and use the model as a guide for improvement.

Cinkais emphasizes that not every use case requires the highest maturity level, especially for companies using PKI infrastructure internally. The model allows organizations to tailor their focus according to their specific needs.

While the PKIMM aims to improve encryption practices and establish common security goals, the actual usefulness of such maturity models remains to be seen. Gary McGraw, one of the creators of BSIMM, suggests that the best models are those that offer guidance based on real-world data and spark an “arms race for the common good.”

The trend of creating maturity models for specific cybersecurity sectors appears to be growing, but it is important for organizations to prioritize genuine improvement rather than mere compliance. Microsoft warns against making the attainment of a given level the sole objective: the goal should be measurable improvement, not reaching a particular number.

In conclusion, the PKI Consortium’s release of the PKI Maturity Model is a significant step towards simplifying the implementation of public key infrastructure. By providing guidance and assessment tools, the model aims to enhance encryption practices and improve overall internet security. However, the true impact and usefulness of maturity models like PKIMM will depend on their ability to facilitate measurable improvements and foster innovation within organizations.
