The Bottom Line: Global 5000 organizations must know where all keys and certificates are used, who is responsible for them, and how to continuously protect them.
In February 2016, a U.S. court ordered Apple to use its code-signing key and certificate to authorize software that would circumvent the iPhone’s native security self-defenses. Venafi, along with many others, believes that the required access to and use of Apple’s key would pose a serious threat to Internet security.
Apple’s Tim Cook contends that government access to keys and certificates, and the power they enable in providing trust and privacy, is “asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals.” Or, as Time recently described it: “the software equivalent of the secret name of God.”
Venafi views this type of government action as ultimately hijacking the expectation of privacy that exists in a digital world – the privacy and trust that cryptographic keys and digital certificates enable. At Venafi, we are serious about protecting privacy. We disagree with the government and law enforcement’s action to require disclosure. Given access to the proper data – precise awareness of all keys and certificates – our customers can make informed decisions about their legal responsibilities as well as their responsibility to their customers, shareholders, and other stakeholders; and should they decide to comply with a legal request, they will be able to do so.
Regardless of the outcome of the U.S. court deliberations of Apple vs. FBI, the issue of law enforcement requesting keys and certificates is a growing trend in many parts of the world. Whether your organization is a bank, a retailer, an insurer, or a telco, all organizations today are software businesses that rely on keys and certificates for secure communications, commerce, computing, and mobility. In that light, Apple vs. FBI and the impact of key and certificate disclosure is a topic that is very relevant to all global organizations.
One of the reasons this issue is so serious is that a compromised, stolen, or forged key and certificate can allow bad guys to impersonate, surveil, and monitor servers, clouds, and mobile devices — acting as trusted entities on the network.
Source: TechValidate. TVID: 363-53E-598
The reality is that organizations not only need to protect keys and certificates from bad guys looking to misuse them, but they also need to be completely aware of the status of every key and certificate in order to properly secure them and make informed decisions about meeting global government and law enforcement requirements.
With tens of thousands of keys and certificates used in businesses today, most of them unknown and unprotected, the issue of key and certificate disclosure presents a serious risk to the Global 5000 (see Figure 1). Concerns over liability will impact CEOs, boards of directors, general counsels, and CISOs across the board.
Apple vs. FBI is part of a global trend of law enforcement seeking access to and use of keys and certificates. The most relevant of the laws of this type are those in Europe:
If Apple were a French or U.K. business, would Tim Cook or a Board Member be serving jail time for failing to provide access to its code signing key and certificate? It seems likely. But the potential impact doesn’t stop there. Subsequent action in these countries could still affect Apple executives and board members travelling abroad.
Issues of key disclosure extend well beyond Apple. Because all businesses are essentially software companies, which use keys and certificates throughout, key disclosure can have a very real impact on productivity, success, and even liability. To minimize these risks, G5000 companies need to gain deeper knowledge of all aspects of protecting their keys and certificates.
Preparing for key disclosure requires a full understanding of the use and ownership of keys and certificates, especially those that IT security teams may not be aware of, including those used by marketing, engineering, and manufacturing teams. To learn what steps to take, download our Readiness Brief.
As the Immune System for the Internet™, Venafi protects the keys and certificates that establish trust, privacy, and confidence for your business. Venafi patrols across the network, on devices, behind the firewall, and throughout the internet to determine which SSL/TLS, SSH, WiFi, VPN, and mobile keys and certificates are trusted, protects those that should be trusted, and fixes or blocks those that are not. Venafi customers can download a summary on how to use their existing Venafi platform to their advantage in preparing for and dealing with disclosure-related issues.
As disclosure requirements and laws continue to evolve, having in-depth information about your keys and certificates will become a competitive advantage. Venafi gives you the information you need to help reduce risk and protect the trust and privacy that keys and certificates were designed to create.
Want to learn more? Let’s talk and see how Venafi can help your business.
Update March 28, 2016: FBI Drops Its Case Against Apple After Finding a Way Into the iPhone
The battle between the FBI and Apple might be on hold, but the wider war will continue to rage on. The FBI’s dropped case has by no means settled the wider issues around encryption, privacy and public safety. The fact remains that the US courts have been trying to push Apple to make a decision that could fundamentally undermine security and privacy for all. Not a good thing.
The recent and public battle was a deliberate ploy by the US government to get its hands on the most sacred and powerful mass weapon of our times: the cryptographic keys and digital certificates that provide the foundations of all cybersecurity and trust on the internet. As a result, keys and certificates have become the target of nation states and bad guys. Just like Apple, every enterprise uses and is dependent on keys and certificates for trust and privacy, and therefore faces many of the same issues.
We should also be concerned that, now that an iPhone has been hacked, others will try. The iPhone has been seen as a tiny Fort Knox that, from the outside, has shown how hard it is to crack and get into. Although someone helped the FBI break into the iPhone, probably in exchange for money, other people who stumble upon the same hacking technique could choose to sell it to cyber criminals or other governments, which could spell the end of privacy as we know it.