Turn Your 2015 New Year’s Compliance and Audit Resolutions into Revelations

January 7, 2015 | Laurie Sanborn

Instead of making the general New Year’s Resolution to decrease the risk in your company’s information security, let’s apply what we learned in 2014 about today’s threatscape and develop New Year’s Revelations.

In the past year, many breaches occurred that can be tied to the theft of private cryptographic keys. Some of the top threats of 2014 (e.g. Heartbleed, Shellshock, POODLE, and Gotofail) exposed private keys. Solutions that rely on keys and/or certificates can no longer be blindly trusted. This affects solutions such as SSL, VPN, multi-factor authentication, privileged access (SSH), code signing, and mobile computing. Information security experts predict that attacks and breaches using private keys will only continue to increase in 2015.

2015 New Year’s Compliance and Audit Resolutions

The use of digital certificates and cryptographic keys has skyrocketed. Every person in your organization uses one or more digital certificates and/or cryptographic keys, multiple times, daily—without even knowing it. Keys and certificates are meant to secure our communications and provide privacy, authentication, integrity, and non-repudiation. But when stolen, they can jeopardize the very things they are meant to protect. These “keys to the kingdom” give attackers the access they need to your sensitive information and allow their activities to go undetected. Therefore, it is necessary to consider what is fundamental to the confidentiality, integrity, and availability of your company’s sensitive data. How do you protect against inappropriate access, modification, and downtime caused by the use of stolen keys and certificates?

Let’s consider the threat in more detail. What vulnerabilities affect private keys? They include software bugs, the use of deprecated hashing or cryptographic algorithms, and long validity periods for certificates. Does the Information Security Policy in your organization include policies to protect against these vulnerabilities? Are your policies backed up by standards, guidelines, and solutions for implementing compliance with the policies? Having these clearly in place allows for efficient risk assessment and gap analysis. This ultimately feeds into the risk management process and into quarterly and annual audit and compliance reporting. All of this reporting is based on adherence to your organization’s Information Security Policy.

One important consideration is how your policies on securing your keys and certificates impact the rest of your Information Security practices. The ISO27002, section 10.1.2 states that, “A policy on the use, protection and lifetime of cryptographic keys should be developed and implemented through their whole lifecycle.” If there are gaps in protecting your keys anytime in their lifecycle, attackers can compromise those keys and bypass the other security controls used by your organization. This means this one ISO27002 statement is fundamental to ensuring that the rest of your security controls in place in your organization are performing the way they should. Broken key security undermines all of your other security technologies and access controls.

Stealing keys is a real threat and the proper people, processes, and technology must be put in place to ensure that cryptographic keys are managed through their entire lifecycle, including generating, storing, archiving, retrieving, distributing, retiring, and destroying keys. How do you think the current state of your certificate and key visibility and security increases the risk of these threats to your organization? How do you think your stockholders, board members, audit and compliance staff would feel if your certificates and keys were compromised and your organization breached? The revelation I hope you’re having for 2015 is that, if you’re not securing your private keys and certificates, then you are not secure.

So as we kick off 2015, does your Information Security Policy need to be updated to protect against today’s attacks that target keys and certificates? As you get started, realize that the problem begins with a lack of visibility. Most organizations lack a complete inventory of their SSH keys, SSL keys, and other keys and certificates. They are unaware of where their keys and certificates are across their network, how they are used, and who owns them.
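The vulnerability classes named above (deprecated hashing or signature algorithms, long validity periods) and the inventory gaps just described are both things a written policy can be checked against mechanically once an inventory exists. The script below is an added example written for this post, not Venafi’s code or a product feature: it takes a list of certificate inventory records and a policy, and produces the kind of finding list a gap analysis or internal audit would start from. The records, the policy thresholds (including the 825-day maximum validity and the 30-day expiry warning) and the reference date are all constructed for illustration.

```python
"""Certificate inventory policy check.

Added example, not Venafi's code or the post's own material. It evaluates an
inventory of certificate records against a written key-and-certificate policy
the way a gap analysis would, flagging the vulnerability classes the post
names (deprecated hashing/signature algorithms, long validity periods) plus
weak RSA keys, expiry, and missing ownership. The inventory records, the
policy thresholds and the reference date are all constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    """Thresholds a policy document would set; the values here are assumptions."""
    deprecated_sig_algs: frozenset[str] = frozenset(
        {"md2WithRSAEncryption", "md5WithRSAEncryption", "sha1WithRSAEncryption"}
    )
    min_rsa_bits: int = 2048
    max_validity_days: int = 825
    expiry_warning_days: int = 30


@dataclass(frozen=True)
class Finding:
    subject: str
    location: str
    issue: str


def check_certificate(rec: dict, policy: Policy, today: date) -> list[Finding]:
    """Return one Finding per policy violation for a single inventory record."""
    found: list[str] = []
    if rec["sig_alg"] in policy.deprecated_sig_algs:
        found.append("deprecated-signature-algorithm")
    if rec["key_type"] == "RSA" and rec["key_bits"] < policy.min_rsa_bits:
        found.append("weak-rsa-key")
    if (rec["not_after"] - rec["not_before"]).days > policy.max_validity_days:
        found.append("validity-too-long")
    if rec["not_after"] < today:
        found.append("expired")
    elif rec["not_after"] <= today + timedelta(days=policy.expiry_warning_days):
        found.append("expiring-soon")
    if not rec.get("owner"):
        found.append("no-owner")  # nobody accountable for rotation or revocation
    return [Finding(rec["subject"], rec["location"], issue) for issue in found]


def audit_inventory(inventory: list[dict], policy: Policy, today: date) -> dict[str, list[Finding]]:
    """Group every finding across the inventory by issue, for gap-analysis reporting."""
    report: dict[str, list[Finding]] = defaultdict(list)
    for rec in inventory:
        for f in check_certificate(rec, policy, today):
            report[f.issue].append(f)
    return dict(report)


# Constructed inventory records, as a discovery scan or CMDB export might yield.
TODAY = date(2015, 1, 7)
POLICY = Policy()
INVENTORY = [
    {"subject": "CN=www.example.test", "location": "lb-01:443",
     "sig_alg": "sha256WithRSAEncryption", "key_type": "RSA", "key_bits": 2048,
     "not_before": date(2014, 6, 1), "not_after": date(2015, 6, 1), "owner": "web-team"},
    {"subject": "CN=vpn-legacy.example.test", "location": "vpn-gw-02:443",
     "sig_alg": "sha1WithRSAEncryption", "key_type": "RSA", "key_bits": 1024,
     "not_before": date(2010, 1, 1), "not_after": date(2020, 1, 1), "owner": None},
    {"subject": "CN=build-signing", "location": "ci-01:/etc/signing/code.pem",
     "sig_alg": "sha256WithRSAEncryption", "key_type": "RSA", "key_bits": 4096,
     "not_before": date(2014, 1, 20), "not_after": date(2015, 1, 20), "owner": "release-eng"},
    {"subject": "CN=qa.example.test", "location": "qa-03:8443",
     "sig_alg": "ecdsa-with-SHA256", "key_type": "EC", "key_bits": 256,
     "not_before": date(2013, 1, 1), "not_after": date(2014, 12, 31), "owner": "qa"},
]

if __name__ == "__main__":
    for issue, findings in sorted(audit_inventory(INVENTORY, POLICY, TODAY).items()):
        print(f"{issue}: {len(findings)}")
        for f in findings:
            print(f"  {f.subject} @ {f.location}")
```

The grouping by issue is deliberate: an audit report wants to answer “how many certificates still use SHA-1?” and “which keys have no owner?” rather than list each certificate in isolation, and the “no-owner” finding is what turns a technical inventory into something the risk management process can assign and track.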

You can get more visibility into the current state of your key and certificate vulnerabilities in your organization by running a report from the Venafi Cloud for your organization. With this report you can see what certificate vulnerabilities exist. Once armed with more insight, you can see what other revelations you can make for better key and certificate security in Information Security Self Assessments, Gap Analysis, Action Planning, Risk Management, Internal Audit, Material Audit, compliance initiatives, and more for 2015.
