Skip to main content
banner image
venafi logo

Why Automate the Deployment of Your Digital Certificates? [SolarWinds]

Why Automate the Deployment of Your Digital Certificates? [SolarWinds]

why-automate-deployment-of-digital-certificates-look-at-solarwinds-attack
April 22, 2021 | Anastasios Arampatzis

The on-going revelations about the SolarWinds attack made code-signing certificates known to the public. According to the analysis made by several security firms and SolarWinds itself, the code signing process seems to have failed, allowing adversaries to inject malware. However, code signing certificates were not the only machine identity misused in the attack. X.509 certificates were also compromised, permitting attackers to impersonate legitimate trusted users to move freely without being detected.

The attack was one more warning that strong, effective and efficient deployment and management of all your digital certificates is essential for securing yourself and your business against a variety of attacks. However, managing your certificates starts with knowing what each certificate does. Let us begin with the most popular ones, the TLS/SSL certificates.

TLS/SSL Certificates

The TLS/SSL certificates are used to encrypt data in transit and to authenticate the identity of websites. The certificates are based on public key encryption. When a browser or an IoT device wishes to connect over TLS protocol with a public facing server, it looks up to the corresponding certificate to obtain the server’s public key and validate its identity. The use of TLS machine identities prevents attacks that target the trust users place on legitimate sites and services.

There are three types of TLS/SSL certificates, namely Domain Validation (DV), Organizational Validation (OV) and Extended Validation (EV). The most prominent use of TLS/SSL certificates is found on HTTPS addresses, where the TCP layer is encrypted with the superposition of TLS encryption protocol layer. In addition, sites protected with these machine identities display a grey lock in the URL address bar.

Code-Signing Certificates

Code-signing certificates are used to validate the authenticity of software components used for application development. These certificates confirm the identity of the author of the code and prove that the code has not been altered or tampered with after it was signed. Code-signing certificates are the foundation of secure and trustworthy software supply chains that underpin today’s speedy DevOps pipelines.

Just like with TLS/SSL certificates, code-signing is based on public key encryption. The software developer signs the code with its private key, while anyone who wishes to include that software component into their development project can use the developer’s public key to verify that the software is coming from a trusted source. In addition, end users can ensure the integrity of the component. If the application is tampered with or altered after being digitally signed, the signature will appear invalid.

Client Certificates

While TLS/SSL certificates are used to validate servers, client certificates are used to authenticate people or devices requesting access to sensitive corporate data or services. These certificates are an effective authentication mechanism, removing the need to rely on insecure and vulnerable passwords. Although client certificates are used to authenticate individuals and connected devices, they do not encrypt data.

These certificates are gaining traction because traditional access security and authentication mechanisms based on passwords are not adequate enough to protect corporate data in the cloud. Passwords are famous for being easily compromised or stolen, allowing attackers to impersonate legitimate users and move undetected within corporate networks.

Client certificates benefit businesses by providing strong, effective, and efficient user authentication while enhancing user experience. Client certificates are installed on the users’ device and determine the privileges granted to that user to remotely access corporate data and services. If the users does not have the required permissions, they will not be granted access.

How to manage your digital certificates effectively

Now that you are aware of the various types of digital certificates, you need to establish industry best practices to manage them effectively and deploy them securely. The following tips will help your organization manage TLS/SSL certificates properly and avoid unexpected outages as well as security risks.

  1. Gain visibility. You should gain and maintain visibility of your digital certificates in your network infrastructure. Audit your certificates to know the endpoints on which they are installed. Also, keep an up-to-date list of CAs that have issued all your certificates.
     
  2. Identify blind spots. Once you have created an inventory of your certificates, make sure to find and close all security gaps in your machine identity ecosystem. These include weak cryptographic keys or hashes and crude implementation of wildcard certificates on your sub-domains. If you discover insecure or orphaned certificates, these should be your top priority to eliminate. Additionally, set early warning notifications to ensure the validity of your certificates and renew them before they expire.
     
  3. Establish a certificate management policy. Establish and enforce well-defined policies that delineate the roles and responsibilities of certificate owners, including system admins, public key infrastructure (PKI) admins, security teams, and DevOps staff. It’s also important to specify guidelines for requesting, renewing, and revoking certificates. Combined with expiration alert procedures, these mechanisms will help you stay clear of outages and security issues.
     
  4. Automate. Once you have all the basics in place, you’re prepared to automate deployment of your digital certificates. That’s great because manual certificate management is time-consuming and error prone. Because automation is both time-efficient and accurate, it can significantly facilitate the enrollment, installation, auditing, and renewal of certificates. Additionally, certificate management automation solutions can check your organization’s digital infrastructure for vulnerable or misconfigured machine identities and verify compliance with relevant policies.

The Venafi Trust Protection Platform powers enterprise solutions that give you the visibility, intelligence and automation to protect machine identities throughout your organization. Plus, you can extend your protection through an ecosystem of hundreds of out-of-the-box integrated third-party applications and certificate authorities. So you’ll never lose track of a digital certificate that could be misused in an attack like SolarWinds.

Ready to start automating? Contact us.

 

Related Posts

Like this blog? We think you will love this.
orchestration-and-automation-machine-identities
Featured Blog

Orchestration and Automation are Critical for Machine Identities

The challenges of identity-based zero trust security

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more