Budget for Key and Certificate Security as a Critical Security Control

October 7, 2014 | Christine Drake

In her recent blog post, Allocating 2015 Budget for Key and Certificate Security, Tammy Moskites, CISO and CIO of Venafi, emphasizes how unsecured keys and certificates can undermine critical security controls. This is certainly true. A lack of key and certificate security undermines a minimum of 40% of the Critical Security Controls (CSCs) listed by the SANS Institute. But key and certificate security should also be considered a critical security control in and of itself, not just a function that impacts the others.

The latest version of The Critical Security Controls for Effective Cyber Defense by the SANS Institute now includes requirements for securing keys and certificates in Section 17 on Data Protection. These changes recognize that data protection must go beyond Data Loss Prevention (DLP) and Data Classification solutions, which cannot see encrypted traffic—creating a security gap (as mentioned in Tammy’s blog). But folding in these new key and certificate security requirements elevates key and certificate security to a Critical Security Control. Below are examples of the key and certificate security now listed under Data Protection.

New Key and Certificate Security in SANS20 CSC Version 5, Requirement 17: Data Protection
  • CSC 17-2: Verify that cryptographic devices and software are configured to use publicly-vetted algorithms.
  • CSC 17-3: Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls.
  • CSC 17-10: Only allow approved Certificate Authorities (CAs) to issue certificates within the enterprise. Review and verify each CA's Certificate Practices Statement (CPS) and Certificate Policy (CP).
  • CSC 17-11: Perform an annual review of algorithms and key lengths in use for protection of sensitive data.
  • CSC 17-14: Define roles and responsibilities related to management of encryption keys within the enterprise; define processes for the key lifecycle.
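The review that CSC 17-2, 17-10, 17-11 and 17-14 describe can be scripted once a certificate inventory exists. The following is an added example, not code from the original post or from Venafi: it evaluates a constructed inventory of certificate records against a policy of approved CAs, approved key algorithms with minimum lengths, deprecated signature algorithms and an expiry window, and reports each deviation with the control it relates to. The record fields, CA names and policy thresholds are assumptions chosen for illustration.

```python
"""Certificate inventory review against a key/certificate policy (added example).

The inventory records, CA names and policy values below are constructed for
illustration; a real run would load them from a certificate discovery tool.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class CertRecord:
    subject: str
    issuer: str          # issuing CA name as it appears in the certificate
    key_algorithm: str   # "RSA" or "EC"
    key_bits: int
    sig_algorithm: str   # e.g. "sha256WithRSAEncryption"
    not_after: date


@dataclass
class Policy:
    approved_cas: frozenset        # CSC 17-10: only approved CAs may issue
    min_key_bits: dict             # CSC 17-11: minimum size per approved algorithm
    deprecated_sig_algorithms: frozenset  # CSC 17-2: not publicly vetted any more
    expiry_warning_days: int = 30  # CSC 17-14: lifecycle process trigger


# Hypothetical policy; thresholds are assumptions, not the SANS text.
DEFAULT_POLICY = Policy(
    approved_cas=frozenset({"Example Corp Internal CA", "Example Public CA"}),
    min_key_bits={"RSA": 2048, "EC": 256},
    deprecated_sig_algorithms=frozenset(
        {"md5WithRSAEncryption", "sha1WithRSAEncryption"}),
)


def review_certificate(cert, policy, today):
    """Return a list of (control, finding) tuples for one certificate."""
    findings = []
    if cert.issuer not in policy.approved_cas:
        findings.append(("CSC 17-10", f"issued by unapproved CA '{cert.issuer}'"))
    if cert.sig_algorithm in policy.deprecated_sig_algorithms:
        findings.append(("CSC 17-2", f"deprecated signature algorithm {cert.sig_algorithm}"))
    minimum = policy.min_key_bits.get(cert.key_algorithm)
    if minimum is None:
        findings.append(("CSC 17-2", f"key algorithm {cert.key_algorithm} is not approved"))
    elif cert.key_bits < minimum:
        findings.append(("CSC 17-11", f"{cert.key_algorithm} key of {cert.key_bits} bits is below minimum {minimum}"))
    days_left = (cert.not_after - today).days
    if days_left < 0:
        findings.append(("CSC 17-14", "certificate has expired"))
    elif days_left <= policy.expiry_warning_days:
        findings.append(("CSC 17-14", f"expires in {days_left} days"))
    return findings


def review_inventory(inventory, policy=DEFAULT_POLICY, today=date(2014, 10, 7)):
    """Map each certificate subject to its findings; empty list means compliant."""
    return {cert.subject: review_certificate(cert, policy, today) for cert in inventory}


def summarize(report):
    """Count findings per control so the review can be reported to management."""
    counts = {}
    for findings in report.values():
        for control, _ in findings:
            counts[control] = counts.get(control, 0) + 1
    return counts


# Constructed sample inventory (not real hosts or certificates).
SAMPLE_INVENTORY = [
    CertRecord("www.example.internal", "Example Corp Internal CA", "RSA", 2048,
               "sha256WithRSAEncryption", date(2015, 10, 1)),
    CertRecord("legacy.example.internal", "Example Corp Internal CA", "RSA", 1024,
               "sha1WithRSAEncryption", date(2014, 10, 20)),
    CertRecord("shadow.example.internal", "Self-signed by admin", "EC", 256,
               "ecdsa-with-SHA256", date(2013, 1, 1)),
]

if __name__ == "__main__":
    report = review_inventory(SAMPLE_INVENTORY)
    for subject, findings in report.items():
        status = "OK" if not findings else "; ".join(f"{c}: {f}" for c, f in findings)
        print(f"{subject}: {status}")
    print("findings per control:", summarize(report))
```

The point of keying each finding to a control number is that the same inventory review then feeds both the annual algorithm and key-length review (CSC 17-11) and the budget conversation: the per-control counts show where the gaps are before money is allocated.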

An effective data protection framework must close gaps by securing cryptographic keys and digital certificates to protect the trust behind secure, authenticated, and encrypted communications.

Key and certificate security is explicitly mentioned under Data Protection, but it also directly affects many of the other SANS critical security controls, particularly those that address authentication, access control, vulnerability assessment, and defense against trust-based attacks.

SANS 20 Critical Security Controls

Like Tammy, I also urge you to budget for key and certificate security in 2015, or earlier with remaining 2014 funds. Tammy and others at Venafi have been working with many of the top global enterprises to help them plan key and certificate security, often folding it into other important security and compliance projects. We have taken what we learned from these successful engagements and captured it in a budget recommendation brief, as well as a more detailed white paper, Budgeting for Next Generation Trust Protection.

These materials emphasize why securing keys and certificates is critical when protecting against today’s threatscape, how this protection complements your planned security and compliance projects, and how to position and estimate budget. Of course, Tammy and the rest of us at Venafi are happy to help you customize your budget efforts.

Too often we take the trust established by keys and certificates for granted, but without key and certificate security we leave an open door to trust-based attacks, breach, and compromise.

About the author

Christine Drake

Christine Drake writes for Venafi's blog and is an expert in machine identity protection.
