Almost all organizations rely on cryptographic keys and digital certificates to keep communications between machines secure and private. Keys and certificates are designed to solve the original Internet security problem, how to accurately identify servers and browsers so they can safely communicate back and forth independently.
TLS certificates are the foundation of security, used to uniquely identify and create trusted relationships between devices and systems. They create private communication tunnels using encryption that keep digital communications across computer networks safe. Certificates and their corresponding keys control access to information in these private tunnels. The global digital economy relies on encrypted tunnels to keep digital communications and transactions secure and private.
Cybercriminals know most organizations have encryption tunnel blind spots, so they target certificates to use in their attacks. When cybercriminals gain access to stolen or forged certificates, they gain the universally trusted status these digital assets provide. This allows them to break into private, encrypted tunnels where they can eavesdrop on communications. In addition, cybercriminals can also use certificates to create their own encrypted tunnels in corporate networks to get malware in and sensitive data out. Without enterprise-wide visibility of all keys and certificates, dangerous private tunnels that contain malicious traffic can get lost among the numerous tunnels that contain the good traffic that support everyday business.
The following recommendations provide a framework for managing and effectively protecting TLS keys and certificates.">
First and foremost, you should consider gaining visibility into your entire machine identity lifecycle by creating a complete and accurate inventory of your enterprise keys and certificates. If you try to do this manually, you will soon realize that this is a never-ending task, inefficient, costly, and error-prone because the scope and number of machine identities in your environment is greater than you think. To create an accurate inventory, enterprises need an automated solution that rapidly scans the entire digital infrastructure in order to identify all your machine identities, including where they are installed, who owns them, and how they’re being used. This will help you locate every certificate that can impact the reliability and availability of your organization’s critical infrastructure. The prerequisite of an effective and automated machine identity protection program is a solid, continuous understanding of what you have and need to protect. If you don’t know what you’ve got, you won’t be able to protect it.
Each type of machine identity has its unique challenges and complexities. Once you are aware of the existence of a machine identity, you need to know if it conforms to your security policies: Is it from a known source? Are there dangers in the way it is set up? Could it expire and cause systems to fail? Is it being used in unexpected ways? Does it need to be replaced? These and many other attributes need to be constantly evaluated to properly protect machine identities. Organizations need increased threat intelligence to create a baseline that helps detect vulnerable keys and certificates, like those with weak encryption schemes or short key lengths. A baseline helps to identify applications served by vulnerable keys and certificates, as well as potentially compromised, unused, or expired certificates that should be revoked or retired. Threat intelligence is even more important if we take into account the increased need for business mobility where mobile endpoints require access to corporate resources to keep employees connected and productive.
Machine identity intelligence loses its value if it only represents a single point in time. Automating your intelligence gathering is the only way to continually monitor the security and health of your machine identities. Plus, when your intelligence is automatically updated, you can generate alerts when anomalies or vulnerabilities are detected. In particular, you’ll want to look for rapid change on cloud and virtual servers, software update failures, unauthorized CAs and insecure DevOps test certificates that are inadvertently rolled out to production.
Your security posture should include a strict and defined policy which should dictate what applications settings are required and how your certificates should be used. To keep your machine identities safe, you need to set up machine identity security policies and workflows. This helps you govern every aspect of machine identities—issuance, configuration, use, ownership, management, security, and decommission.
The only way to enforce these policies is to focus on supporting business goals and objectives and not hindering people. Making it easy to comply with policies makes it easier for everyone to be secure. If you can’t enforce policies, you don't have policies. You have recommendations. Enforcing policies also ensures that every machine identity your organization complies with relevant industry and government regulations. Automating the enforcement of machine identity policies ensures that you’re maximizing the security of every machine identity that your organization uses and ensures that you can produce audit-ready evidence whenever you need it.
Automation is a critical capability that will help you consistently enforce your organization's corporate machine identity policies and applicable regulatory requirements. For the best results, automated policy enforcement should drive every aspect of your machine identities, including configuration, issuance, use, ownership, management, security, and decommissioning. With these capabilities, you can automatically revoke and replace any machine identities that don't conform to appropriate policies. Plus, you'll have the flexibility to enforce machine identity policies in a variety of ways: globally, by logical group, or by individual identity.
Building policies into these automatic processes simplifies something people have to do anyway. It makes it easy for them. They don't have to do all these steps, they don't have to think about it, they don't even have to understand what they need to do. It's all automated for them. And your machine identities are automatically more secure as well. By enforcing policies and workflows, the baseline profile steadily improves and is maintained in a consistent state of security and operational readiness.
Strong security practices require that processes be implemented to quickly rotate any or all keys and certificates on a scheduled or as-needed basis. With an automated solution, what was once an enormous, error-prone manual task transforms into a routine part of overall security management.
Automation also gives you the agility to rapidly respond to critical security events such as a CA compromise or zero-day vulnerability in a cryptographic algorithm or library. For example, if a large-scale security event occurs, automation is the only way you can quickly make bulk changes to all affected certificates, private keys, and CA certificate chains. Automation is also the fastest way to remediate more focused security events, such as replacing a compromised certificate that's used across multiple machines. Once you’ve replaced the impacted certificates, you need to be able to validate that each machine identity that has been changed has also been installed properly and is working correctly.
Providing end-users with an easy, automated way to request machine identities allows you to quickly deliver secure machine identities to any business unit. Integrating self-service solutions with DevOps and cloud platforms allows your developers to seamlessly request and install certificates that meet your security requirements without incurring any delays. You can also improve the effectiveness of your overall network and security systems by making sure they have easy access to current keys and certificates.
Because machine identities include a complex set of variables, determining whether they're properly installed and configured is difficult if you're using manual installation. Validating the installation and proper use of machine identities is complicated because they're stored and used across a diverse range of devices, applications, and containers. But without access to this information, you won't be able to tell whether any configuration changes you make will impact the security and operation of your machine identities. Automation can also validate that every machine identity is installed properly and working correctly. Ongoing validation ensures that your machine identities continue to be effectively managed and secured.
Automated auditing and validation is a critical management capability that helps you with ongoing management and security, shows the progress of large-scale replacement events and demonstrates compliance. Administrators should have the ability to revoke certificates that have been superseded by new policy rules, and those formerly belonging to devices or applications that are no longer in use.
Audit findings open opportunities for organizations to reconsider how they enforce certificate issuance, renewal, replacement, and authorization. To ensure that audit remediation offers long-standing, repeatable security results is more than a paperwork exercise. It requires complete visibility and automated policy enforcement.
Audit capabilities should include automated reporting on all logged key and certificate events. Audit reports provide visibility into the status of controlled encryption assets. With complete, detailed audit reports, administrators can easily troubleshoot problems, perform operational reviews, verify compliance with corporate policies and regulations, and respond quickly to audit requests. Validating the installation and proper use of machine identities is critical because it provides information whether any configuration changes will impact the security and operation of your machine identities.
The ability to quickly respond to certificate-related incidents is essential to regain the trust your company, customers, and partners depend on. By automating the incidence response, companies can detect any security breaches faster, because the added visibility and intelligence provided by better machine identity protection can enable security teams to more quickly recognize and remediate machine identity threats.
Once breaches or other security events are detected, automation and escalation capabilities can quickly terminate access, revoke certificates, rotate keys, and seal off breaches to minimize data loss. Over the long term, companies can demonstrate improved machine identity protection delivering a measurable reduction in the total number of breaches. Being able to fix problems quickly is great but preventing problems before they happen is the ideal outcome. Not to mention that this level of machine identity intelligence will allow you to avoid much of the cost associated with managing the certificates in your machine landscape.
Evolution of the digital landscape is continuing to accelerate. This means that the number of machine identities on enterprise networks will continue to grow, while the number of humans on enterprise networks is expected to remain relatively constant. Companies can no longer be complacent about their machine identity protection efforts because the number and variety of machines identities will continue to climb. Security programs that only focus on protecting a subset of their machine identities will expose organizations to increasing security risks as new mobile, cloud, IoT, and containerized infrastructures expand and as new technologies, such as blockchain and AI, are used to support business functions.
Many companies are ill-equipped to address this dilemma because they rely on manual processes or machine identity protection tools functioning in silos that are not designed to address the complexities of machine identity protection. Without the right intelligence, driven by automation, firms will struggle to respond quickly to the increasing number of machine identity threats. To identify breaches more quickly, reduce the loss incurred by breaches, and ultimately, reduce the number of breaches, firms must institute effective, automated machine identity protections.
Therefore, the last recommendation is automate, automate, automate. TLS certificates need to be generated not only for your organization’s websites and web applications, but also for all of your organization’s internal and external entities which interface with public key infrastructures, such as email, internal documents, application authentication, Internet of Things devices, and network services of all kinds. You could be working with one certificate authority or a number of different certificate authorities. Certificates constantly expire, and new certificates constantly need to be generated. One little mistake made with any of them can have catastrophic consequences. Cyber attackers could access your sensitive data, interfere with your crucial business operations, or millions of customers could find that your services for them don’t work.
Finally, automation relieves human workers of the burden of having to conduct very tedious tasks. The human brain absolutely hates tedious tasks and boredom increases the risk of human error. Computerized automation systems conduct tedious tasks perfectly according to the instructions they have been given, and they are much less expensive than human labor hours. Save your labor costs for work which absolutely requires human beings.