Remediation

Implement best practices in terms of policy, process and practice to close and correct the glaring gaps identified in the assessment phases.

Analyst Coverage

"Admittedly this is a complex topic, but the most important takeaway is this: the risk-based evaluation your company needs to make right now is not about your vulnerability to the Flame virus; it is about your vulnerability to MD5-signed certificates. If you are confident in knowing how many of these there are, and where they are, and what systems are potentially at risk as a result – well done."

"Organizations with roughly 200 or more documented X.509 certificates in use are high-risk candidates for unplanned expiry and having certificates that have been purchased but not deployed."

"To support the broader deployment of encryption, organizations with top performance have looked towards increased automation and centralized, heterogeneous approaches to key lifecycle management. Venafi is well-aligned with this Best-in-Class approach."

"Venafi's primary differentiator is its broad entity support for systems that utilize asymmetric keys and certificates. In addition, it implements flexible key lifecycle policies and administration functionality and automated discovery of keys and certificates in systems that support such activity."

"Venafi offers compelling advantages, such as being the early mover in this market, with proven deployments at marquee customers demonstrating its ability to scale and provide breadth of integration."

"When there are many hundreds of certificates from a variety of certificate authorities, the only ecumenical [universal], nonproprietary provider of a certificate management solution is Venafi. Other CA management systems are biased toward the particular CA by, for example, only supporting renewals from that specific CA."

"The emphasis on orchestration, in tandem with its scalability and interoperability, is tied to the evolution of Venafi's competitive landscape, and to the potential to frame its value in the context of risk management."

Managing Contacts/Ownership

Compile a list of responsible groups and/or individuals for each key and certificate in your inventory and develop a method for keeping the information current.

What is this?

Contact or ownership information is simply data about who is responsible for each key and certificate in your inventory so they can be contacted in case an issue arises. At a minimum, it should include an email address. Typically, it’s best to assign a group (such as an AD group or an email distribution list) as a contact instead of an individual because individuals are inevitably reassigned or leave an organization. By assigning a group, you are more likely to reach someone when you need to contact them.

(Diagram: managing contacts and ownership)

Why should I care?

The last thing you want as an organization is to be running around trying to figure out who is responsible for a key or certificate when an issue arises. Here are a few examples of nightmares:

  1. An application can no longer access the keystore where a key is located, so you need the responsible person to give you access to that keystore.
  2. You know a certificate in your inventory is about to expire but you can’t find the person responsible for that certificate (and the systems where it is deployed) to get it renewed and installed on all of the necessary systems.
  3. An auditor asks you for the maintenance records for a particular key and/or certificate that you’re not directly responsible for.

Compiling and maintaining contact and ownership information for each key and certificate in your inventory is just common sense.

What should I do?

Maintaining contact information can be pretty challenging, both in developing an initial list and keeping it up to date over time (see Define Roles and Responsibilities for more on this). An important first step in identifying contacts is determining which system within the organization might currently have information that ties contacts to certificates or the systems they are deployed on. Some common sources for this information include certificate authorities, certificate tracking spreadsheets, and even CMDBs (systems that track who is responsible for each system in a corporation).

Depending on the certificate authority, it is likely that ownership information was collected when certificates were requested. This is typically a good starting point, although some of the contact information can be stale. That is one of the drivers for performing the import from CAs first in the process of creating a Comprehensive Inventory. The sooner in the process you can get some level of contact information assigned to certificates, the less work you’ll have later on. The following is a basic methodology for building robust contact lists:

  1. Export certificates from CAs with contact information.
  2. Analyze the contacts (typically they are email addresses) to determine where groups exist. Groupings are critical because having a certificate assigned to a single individual is a recipe for disaster if the person gets reassigned. Here are two helpful steps to accomplish this:
    1. Sort all of the contact email addresses to determine where there are multiple occurrences of the same email address (Excel PivotTables are excellent for doing this). Multiple instances typically mean a group with a bunch of certificates that has a single person assigned.
    2. Track each email address back to its origin group. This can take time, but it is well worth the effort.
  3. Assign the groups to their respective certificates as they go into the Certificate Inventory Database. Here are a couple of good options to accomplish this:
    1. Assign the certificates to Active Directory groups that correspond to the groups identified in step 2. This is the ideal method because then the AD groups will hopefully be maintained and up-to-date as people enter and leave the group. But this does assume that your monitoring system will be able to query AD for email addresses associated with the individuals in each group.
    2. Create email distribution lists for each group. This can also work well as long as somebody will be responsible for keeping those lists up to date as people come and go.

    You can also use a hybrid of the two methods above.

  4. One last thing: you are invariably going to end up with several individuals who are responsible for only one or two certificates. It is important to develop a strategy for working with these people/groups and determine how to maintain business continuity.
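As an added example (not part of the original page or Venafi's tooling), the following Python sketch runs steps 2 and 3 above over a constructed CA export: it counts certificates per contact (the PivotTable step), maps contacts to a hypothetical group directory, and flags certificates that have no contact or are owned only by an individual (the step 4 case). The email addresses, hostnames and the `DIRECTORY_GROUPS` lookup are all assumed placeholders.

```python
import csv
import io
from collections import Counter

# Constructed sample of a CA export: one row per certificate, with the
# contact captured at request time (all values are hypothetical).
CA_EXPORT = """common_name,expires,contact
www.example.test,2025-01-10,alice@example.test
api.example.test,2025-03-02,alice@example.test
vpn.example.test,2024-11-30,alice@example.test
mail.example.test,2025-06-15,bob@example.test
intranet.example.test,2024-12-01,
"""

# Hypothetical directory lookup: individual -> owning group (in practice an
# AD group or an email distribution list, as the text recommends).
DIRECTORY_GROUPS = {
    "alice@example.test": "web-platform-team@example.test",
}

def load_export(text):
    """Step 1: parse the CA export into one dict per certificate."""
    return list(csv.DictReader(io.StringIO(text)))

def contact_counts(rows):
    """Step 2.1: count certificates per contact, ignoring blanks."""
    return Counter(r["contact"] for r in rows if r["contact"])

def assign_owners(rows, groups, single_owner_max=2):
    """Step 3: map each certificate to a group where one is known.
    Returns (assignments, needs_attention); needs_attention lists
    certificates with no contact or with only an individual owner."""
    counts = contact_counts(rows)
    assignments = {}
    needs_attention = []
    for r in rows:
        contact = r["contact"]
        if not contact:
            needs_attention.append((r["common_name"], "no contact recorded"))
            continue
        group = groups.get(contact)
        if group:
            assignments[r["common_name"]] = group
        else:
            # No group found: fall back to the individual and flag it if
            # they own only a handful of certificates (step 4).
            assignments[r["common_name"]] = contact
            if counts[contact] <= single_owner_max:
                needs_attention.append((r["common_name"], f"individual owner {contact}"))
    return assignments, needs_attention
```

The `needs_attention` list is the worklist for step 4: each entry is a certificate whose ownership still has to be tied to a group before it enters the inventory.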