During my time at PGP which was run by some of the most passionate security trailblazer’s of their time, part of the fight was trying to teach the world that they should encrypt their data. Time and time again, I have heard people say that they have nothing to hide so they are not worried about privacy. I love Edward Snowden’s quote “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” His quote really brings it home for me.
Philip Zimmerman went to federal court and won the right to privacy for us. For me, this is up there with the right to vote. At PGP, we taught the need to encrypt and protect your data at rest and in transit. Here at Venafi, we teach that you need to protect your encryption assets—keys and certificates. Those are the new targets, because encryption is pretty good (PGP: Pretty Good Privacy), which makes our encryption keys a target of cybercriminals to break or leverage encryption in their attacks.
Sadly, they are apparently an easy target, because in most environments, digital certificates and keys are like the Wild West. Even with a software solution from a leading company like Venafi, if you don’t put the proper level of attention to managing and securing your certificates and keys, you will be vulnerable to exploitation from, at the very least, your lack of visibility.
Let’s face it; unless you have a solution in place and have dedicated the right resources, you don’t have the following:
You don’t know what CAs are in your environment (we have discovered rogue CAs issuing certificates in customer environments)
You don’t know where all of your wild card certificates live (we have found file shares with certificates and private keys)
You don’t have any control whatsoever over self-signed certificates that anyone can issue and use
You don’t know what data is being sent out of your organization to some outside entity (e.g., Edward Snowden)
You don’t have any guarantee that your production will not shutdown tomorrow due to a certificate-related outage
You don’t have any control over or visibility into your SSH inventory, which provides privileged access to your systems
You don’t have the ability to respond quickly to a problem with CAs, keys, or certificate-related outages
There are many more specific scenarios and examples I can share. The Wild West was a dangerous place. It eventually got better as communication and response times improved and society got together to solve the problem. In the Wild West days, physical banks and trains were the targets. Intercepting a train carrying a valuable payload was pretty easy because, by the time you knew you were robbed, it was too late. Today, it is digital keys and certificates. Welcome to the Wild West of encryption.