There’s a lot riding on the trusted relationships you cultivate with your certificate authorities (CAs). Proactively managing these relationships is definitely time well spent. However, even with a strong network of CAs, you’ll still want to take steps to ensure that you remain in the driver’s seat. For that reason, you shouldn’t allow the trust model for your enterprise grow organically in response to the many forces that act on it. Instead, you’ll want to actively plan and control its development.
In my last blog on Certificate Authority (CA) agility, I outlined the reasons why you might want to switch CAs. Now, I’d like to focus on why you need to actively monitor every CA your organization is using.
Your organization depends on CAs to create certificates that will identify machines in your environment. And those machine identities help define the trust model for your organization. More specifically, every CA that issues certificate on your behalf adds another element to the trust model for your organization.
This trust model is critical because it not only defines trust for your organization, but also impacts the security of your customers, partners and other stake holders. Because maintaining high levels of trust is so important, you need to control factors that may degrade it. For example, CAs can be compromised or make innocent mistakes that have a direct impact on your business (and we’ve seen plenty of those recently). That’s why it’s important that you control your business relationship with CAs and how you manage them within your organization.
If you’re like most organizations, you may fall short of actively managing the introduction of CAs into your environment. As a result, you probably don’t know how many CAs you actually have or even notice when a new one shows up. While you have consciously chosen a select group of CAs that issue identities for the machines in your environment, additional CAs may have entered into your circle of trust without your knowledge.
It’s surprising how easy it is for CAs to proliferate in an organization. In fact, it is getting easier and easier for anyone in your organization to obtain certificates with the rapidly declining cost of certificates across the industry, or even free ones from CAs like Let’s Encrypt.
Why would your compatriots want to do this, you ask? Let’s say your marketing team wants to launch a new site. To improve traffic, they need to register the domain and obtain a certificate to help ensure higher SEO. Or developers might need to meet aggressive SLAs in DevOps projects. They’re likely to look for the easiest way to get their job done, and that requires rapid access to certificates.
In either case, these groups may turn to Let’s Encrypt so they can avoid a purchasing process, or they may even create their own untrusted CA so they can get ultra-fast certificate issuance. Taking a step like this may help your colleagues get their job done, but in the process, they will have (usually unknowingly) impacted the trust model for your whole organization and business partners, as previously mentioned.
When anyone in your organization can get certificates from any CA, you expand the risk that your trust model will be broken or compromised. The resulting CA sprawl not only increases security risks, but it especially increases the likelihood of service outages. To counter these risks, you need to be able to discover every certificate that your organization is using, anywhere on your network. If you aren’t able to manage all these certificates centrally, rogue certificates and CAs can pop up and undermine the foundations of trust that your organization depends on.
Of course, a critical element in controlling unauthorized CA sprawl is strong policies that govern the creation and use of certificates within your organization. But policies that control CA usage will only be as good as your ability to enforce them. You’ll improve your chances of policy compliance if you give users a fast and simple way to request certificates from a limited list of approved CAs. A self-service portal for obtaining fully compliant certificates will dramatically help the process, but you will also need rich APIs that allow DevOps processes to get fully compliant certificates in the way that best meets their needs.
Even with a certificate requesting service in place, you will still want to actively monitor your certificate inventory. You need to be prepared to quickly identify and respond to the introduction of any CA into your environment. Plus, you need to be able to identify all deployed certificates from a specific CA if something negative about the trustworthiness of that CA is discovered. With enterprise-wide visibility of your certificates, you can avoid or reduce the operational costs of certificate outages that result from CA errors and unplanned certificate expirations. In addition, you’ll reduce the risk of compromised certificates being used against your organization in cyber attacks.
Do you have the visibility you need to actively manage and control CAs in your organization?