Key and Certificate Management vs. Key and Certificate Security—Time for a Change

October 12, 2018 | David Bisson

Even though your organization is spending millions on security technology to protect the business and stop adversaries, cybercriminals are still getting away with your data. There's no better indication of this ongoing trend than the Breach Level Index's findings for H1 2018. In just those six months, fewer than a thousand security incidents exposed more than 4.5 billion data files. That's more than in any other year on record.

It's time to take a long hard look at your security strategy and ask yourself where the gaps are. One area where most organizations fall short is key and certificate security. I'm not talking about key and certificate management, which does nothing to mitigate or detect trust-based attacks. I'm talking about what analysts are now calling machine identity management.

The sad truth is that your organization has probably invested millions of dollars in security solutions but failed to secure its keys and certificates. As a result, the security solutions you have implemented wind up being less effective, because your security strategy has a gaping hole that adversaries are taking advantage of: trust-based attacks.

In the last decade, attacks on keys and certificates have increased dramatically. Some of the most well-known incidents, such as Snowden, Energetic Bear, Careto and Heartbleed, have shown just how ineffective your organization's security investments are against trust-based attacks.

Time for a change

Whether you use a key lifecycle management solution or the good old spreadsheet, basic key management is not good enough. That's especially true given organizations' increasing use of keys and certificates as machine identities. In the wrong hands, machine identities can be misused to gain access to sensitive data by creating hidden communication channels within the network. Alternatively, bad actors can trick enterprise network defenses into accepting them as a legitimate machine that is entitled to handle sensitive information.

Bad actors realize the value of stealing, forging and using keys and certificates. They also know that many organizations are rapidly adding more machines across cloud, IoT and mobile. Together, these developments make it even more important that organizations manage and protect their machine identities so that they can guarantee the confidentiality of information exchanged between computing devices. But how can they do this?

A good way to start is to take a long hard look at your security strategy and evaluate how your organization is managing its keys and certificates.

Basic key management is not going to help you identify rogue usage of keys and certificates in the network. Neither is an IDS/IPS, NGFW, sandboxing or even an SSL gateway scanning solution. The truth of the matter is that keys and certificates are blindly trusted. Combating threats that leverage these trusted assets requires a targeted solution designed to discover their misuse.

Revamping your security strategy

Don’t undermine the millions of dollars your organization has invested in security solutions with a gap in your key and certificate protection. Close this gap to make all of your security solutions more effective. Here are some recommendations on implementing key and certificate security:

  • Identify vulnerabilities related to keys and certificates and remediate by replacing vulnerable keys and certificates.
  • Establish a baseline norm of key and certificate usage, so that any rogue usage of keys and certificates quickly stands out and triggers a security event.
  • Define and enforce centralized policy for all keys and certificates—including SSH keys.
  • Automate the remediation of trust-based attacks to reduce the overall impact.
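As an added illustration of the first two recommendations (this is example code written for this page, not Venafi's product or any code from the original post), the script below runs policy checks over a certificate inventory and then compares a fresh scan against a recorded baseline of where each certificate is expected to appear. The inventory records, hostnames, serials and policy thresholds (minimum key sizes, allowed signature algorithms, expiry warning window) are all constructed assumptions; a real deployment would populate the records from a discovery scan rather than from literals.

```python
"""Certificate hygiene checks plus baseline drift detection (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy thresholds: assumed values chosen for this example, not from the article.
MIN_RSA_BITS = 2048
MIN_EC_BITS = 256
ALLOWED_SIG_ALGS = {
    "sha256WithRSAEncryption",
    "sha384WithRSAEncryption",
    "ecdsa-with-SHA256",
    "ecdsa-with-SHA384",
}
EXPIRY_WARNING_DAYS = 30


@dataclass(frozen=True)
class CertRecord:
    """One discovered certificate and the host it was observed on."""
    subject: str
    serial: str
    key_type: str        # "RSA" or "EC"
    key_bits: int
    sig_alg: str
    issuer: str
    not_after: datetime
    host: str


def check_certificate(rec, now):
    """Return the policy findings for one certificate (empty list = clean)."""
    findings = []
    if rec.key_type == "RSA" and rec.key_bits < MIN_RSA_BITS:
        findings.append(f"weak RSA key ({rec.key_bits} bits)")
    if rec.key_type == "EC" and rec.key_bits < MIN_EC_BITS:
        findings.append(f"weak EC key ({rec.key_bits} bits)")
    if rec.sig_alg not in ALLOWED_SIG_ALGS:
        findings.append(f"disallowed signature algorithm {rec.sig_alg}")
    if rec.issuer == rec.subject:
        findings.append("self-signed certificate")
    if rec.not_after <= now:
        findings.append("expired")
    elif rec.not_after - now <= timedelta(days=EXPIRY_WARNING_DAYS):
        findings.append(f"expires within {EXPIRY_WARNING_DAYS} days")
    return findings


def build_baseline(records):
    """Map each certificate serial to the set of hosts it is expected on."""
    baseline = {}
    for rec in records:
        baseline.setdefault(rec.serial, set()).add(rec.host)
    return baseline


def detect_drift(baseline, observed):
    """Compare a fresh scan against the baseline; each deviation is an event."""
    events = []
    seen = set()
    for rec in observed:
        seen.add(rec.serial)
        expected_hosts = baseline.get(rec.serial)
        if expected_hosts is None:
            events.append(f"unknown certificate {rec.serial} ({rec.subject}) seen on {rec.host}")
        elif rec.host not in expected_hosts:
            events.append(f"certificate {rec.serial} ({rec.subject}) seen on unexpected host {rec.host}")
    for serial, hosts in baseline.items():
        if serial not in seen:
            events.append(f"baselined certificate {serial} no longer observed on {sorted(hosts)}")
    return events


# Constructed sample inventory (not real hosts or certificates).
NOW = datetime(2018, 10, 12, tzinfo=timezone.utc)
CA = "CN=Example Internal CA"
BASELINE_SCAN = [
    CertRecord("CN=app.example.test", "01", "RSA", 2048, "sha256WithRSAEncryption", CA, NOW + timedelta(days=300), "web-01"),
    CertRecord("CN=app.example.test", "01", "RSA", 2048, "sha256WithRSAEncryption", CA, NOW + timedelta(days=300), "web-02"),
    CertRecord("CN=legacy.example.test", "02", "RSA", 1024, "sha1WithRSAEncryption", CA, NOW + timedelta(days=10), "legacy-01"),
]
TODAY_SCAN = BASELINE_SCAN[:2] + [
    # Same key and certificate copied onto a host outside the baseline.
    CertRecord("CN=app.example.test", "01", "RSA", 2048, "sha256WithRSAEncryption", CA, NOW + timedelta(days=300), "build-07"),
    # A self-signed certificate impersonating the application on a known host.
    CertRecord("CN=app.example.test", "99", "RSA", 2048, "sha256WithRSAEncryption", "CN=app.example.test", NOW + timedelta(days=365), "web-02"),
]


def main():
    for rec in BASELINE_SCAN:
        for finding in check_certificate(rec, NOW):
            print(f"[policy] {rec.host} {rec.subject} serial {rec.serial}: {finding}")
    for event in detect_drift(build_baseline(BASELINE_SCAN), TODAY_SCAN):
        print(f"[drift] {event}")


if __name__ == "__main__":
    main()
```

The policy pass answers the first recommendation (which keys and certificates need replacing), while the drift pass answers the second: a certificate appearing on a host it was never baselined on, or a subject name reappearing under an unknown serial, is exactly the kind of rogue usage that should raise a security event rather than be silently trusted.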

At the same time, organizations need complete visibility into the behavior and status of their machine identities across their extended ecosystem. Things can change on a moment's notice, so it's important that enterprises have a way to automatically identify weaknesses and respond to potential security concerns.

Venafi helps organizations address key and certificate issues, manage their machine identities and block trust-based attacks with its Trust Protection Platform. To find your organization’s SSL vulnerabilities, register for a free risk assessment.

Originally published by Gavin Hill on August 21, 2014.

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
