
Why Accurately Identifying Digital Certificates is Mission-Critical for Business

November 14th, 2011

Former Defense Secretary Donald Rumsfeld famously said the following at a Pentagon news conference in 2002: “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.”

Rumsfeld was referring to military intelligence about Iraq, but he could have just as easily been talking about the number of digital certificates and encryption keys typical enterprises have deployed throughout their networks. These assets have become essential, even ubiquitous, as part of the fabric of IT security and act to protect information and authenticate systems and applications. Identifying which of the thousands of these certificates are known knowns, known unknowns, and unknown unknowns is a complicated process, but it is critical to securing enterprises’ regulated and proprietary information.

The first step in this two-step identification process is to discover and record an accurate certificate population. While enterprises typically contract with one or more certificate authorities (CAs)—some internal and some external—the task of inventorying the spiraling certificate populations is not as simple as requesting a complete list of issued certificates from the CAs. Supposing that the enterprises even know which CAs to ask, such lists would inevitably be incomplete.

Moreover, digital certificates on enterprise networks are typically heterogeneous. A given CA’s inventory list cannot account for certificates the CA didn’t issue, nor for certificates deployed by rogue admins. The certificate authority is also unable to identify where the certificates are installed, or to indicate whether they are active, properly installed and configured, or within policy and best-practice standards in terms of key strength, validity period or signing algorithm. To supplement the inventories their CAs provide, companies must perform certificate-discovery searches on their networks — both network-based and agent-based — in order to identify all certificate and key instances on the network.

Considering the size of many enterprise networks, certificate asset inventory projects can be daunting. For example, at the RSA Conference 2011, which took place earlier this year in San Francisco, a well-known global Fortune 500 technology company presented a case study. This company operates in more than 75 countries, its network consists of 10,000 routers and 20,000 switches, and about 10 percent of its workforce is made up of telecommuters who work from home. Over the course of its history, the company has made more than 100 acquisitions. All of these factors made certificate inventory a complicated process. In fact, the company paraphrased Secretary Rumsfeld by saying, “We don’t know what we don’t know.” This company eventually created an internal portal through which it could discover, provision, and manage its certificate-related processes.

Network discovery processes can find certificates that are presented on listening ports, such as HTTPS ports. (The HTTPS scheme at the start of a URL identifies a secure Web site that is protected by a private key and its corresponding digital certificate.) The process involves gathering network address ranges and then collecting a list of ports to check — starting with, but not limited to, 443, the default port for HTTPS. Digital certificates can be found on many other ports.

However, many certificates are not discoverable through network ports and scans — including client-side certificates used for mutual authentication on secure sockets layer (SSL)-encrypted connections. Finding these certificates typically requires a third discovery step: performing file system scans on servers and clients using locally installed agents.

Finally, because technology alone can’t guarantee accurate inventories, enterprises must educate administrators to proactively report on all certificates about which they are aware and to make sure these certificates are included in the inventory.

The second step in the identification process is analyzing the certificate population. Enterprises must determine each certificate’s status (active or inactive) and whether it was properly or improperly issued. It is particularly important during this step to identify expiration dates. To prevent unplanned system outages, enterprises must know about — and initiate the replacement process for — certificates that are set to expire in less than 30 days. Expired certificates block access to the sites, files or databases they protect, causing network downtime, inconveniencing customers, and undermining employee productivity.

The analysis step should also identify certificates that have been active too long. According to industry-accepted best practices, businesses should replace certificates that have been valid for more than two years. It is also important to know which CA issued each certificate in case that CA is compromised. A CA compromise — and there have been four CAs compromised year to date — makes the certificates it issued insecure and in need of quick replacement to guard against data breaches, system outages and audit failures.

Finally, the analysis must determine the lengths of the private keys associated with certificates. The current minimum recommended key length is 1024 bits, with 2048 bits being the best-practice recommendation from NIST. Shorter keys are known to be vulnerable to attack and may not pass compliance audits. Compliance considerations aside, the longer the key, the harder it is for attackers to break it and defeat the protection it provides.
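The two steps above, as an added Go example that is not part of the original post: FetchCert collects the leaf certificate from a listening host:port found by the network discovery step, and Analyze applies the post's analysis thresholds (30-day expiry warning, two-year maximum validity, 2048-bit RSA keys, issuing CA). MakeTestCert and the CA names are constructed so the example runs offline; they are not real certificates.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Thresholds from the post: replace under 30 days out, rotate after two years, 2048-bit RSA.
const expiryWarning, maxValidity, minRSABits = 30 * 24 * time.Hour, 2 * 365 * 24 * time.Hour, 2048

// FetchCert pulls the leaf certificate a discovered host:port presents. Verification is
// skipped on purpose: an inventory must record certificates from unknown CAs, not trust them.
func FetchCert(addr string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// Analyze applies the post's analysis step to one certificate and returns the findings
// to act on, plus the issuing CA so the certificate can be traced if that CA is compromised.
func Analyze(c *x509.Certificate, now time.Time) []string {
	var out []string
	if c.NotAfter.Sub(now) < expiryWarning {
		out = append(out, "expires within 30 days or already expired")
	}
	if c.NotAfter.Sub(c.NotBefore) > maxValidity {
		out = append(out, "validity period exceeds two years")
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		out = append(out, fmt.Sprintf("RSA key is %d bits, below %d", pub.N.BitLen(), minRSABits))
	}
	return append(out, "issuer: "+c.Issuer.CommonName)
}

// MakeTestCert builds a constructed self-signed certificate (subject CN doubles as issuer CN).
func MakeTestCert(cn string, bits int, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return x509.ParseCertificate(der)
}
```

Run Analyze over every certificate FetchCert returns for the discovered address/port list, and treat any finding other than the issuer line as a replacement ticket.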

As challenging as the identification process may be, it’s vital for enterprises to learn as much as possible about the key and certificate assets running on their networks — to affirm the knowns and discover the unknowns. Without this information, it is impossible to keep valuable and sensitive information secure, meet compliance regulations, and keep networks running efficiently.

The biggest security struggle organizations face today is managing the unknown—the unquantified and unmanaged risks. Your best security assets can easily turn into liabilities if they are not managed properly. IT and security departments need increased visibility over all of their security and compliance activities, and must take steps to better understand and manage them. After all, secure, compliant and efficient enterprises begin with what they know.
