Before jumping into best practices for EKCM and how to implement them, it helps to understand why they are important and how they apply in your organization.
Managing digital certificates and private keys can be complicated and error-prone—particularly when many people are involved in the management effort. Errors can have serious operational and security ramifications, such as system outages or security compromises. Fortunately, you can do much to eliminate management errors and ensure success.
Complying with government, industry, and organizational policies and regulations consumes ever more of security practitioners’ time, often at the expense of strategic business activities. To maintain compliance, organizations must set clear policies, educate all stakeholders on the policies’ practical implementations, and audit policy-related operations and compliance.
Fears about the punishing ramifications of security breaches and concern about new policies and regulations have driven organizations to broadly deploy encryption. But deploying encryption alone isn’t enough. Organizations must have a clear picture of proper encryption management. A critical starting point in any management strategy is to create a comprehensive inventory of all certificates and their locations, followed by a detailed analysis of the inventory and its compliance status.
Once organizations have compiled an inventory and identified the compliance gaps between their policies and current environment and processes, they must implement operational best practices.
It is critical to ensure you’re using effective processes that can be practically implemented and, where possible, automated—to reduce operational and security risk. Wherever possible, leverage management tools to improve security while reducing operational overhead.