ZenDesk is a popular customer service platform. Over 145,000 organizations worldwide, in many different industries, rely on ZenDesk for handling customer inquires of many kinds. Your business may or may not use it. But even if your organization doesn’t use ZenDesk, there’s a lesson to learn from the recently discovered breach about why you need to protect machine identities, such as TLS certificates.
ZenDesk discovered the breach on September 24th, 2019. They’re still investigating the incident, but they’ve determined the breach to affect data prior to November 2016.
ZenDesk said “We recently were alerted by a third party regarding a security matter that may have affected the Zendesk Support and Chat products and customer accounts of those products activated prior to November of 2016. While our investigation is still ongoing, on September 24, 2019, we determined that information belonging to a small percentage of customers was accessed prior to November of 2016."
According to ZenDesk, the breached data includes:
And most importantly, here are their recommendations:
As of this writing, TLS certificates can have a lifespan of up to 27 months. That means extended validation certificates could be used for over two years. 27 months from November 1st, 2016 is February 1st, 2019.
Could clients really still be using TLS certificates that were issued on November 1st, 2016? Could some certificates be in use even though they’re supposed to have expired months ago? The information from ZenDesk also suggests that customers could be using the same API tokens for years.
This isn’t good. Whether your organization uses ZenDesk, or other platforms which use TLS certificates and API tokens, you’ll want your machine identities to have shorter lifespans and to be rotated more frequently.
Unfortunately, machine identities are sometimes compromised. If the timespan of the data that they access is briefer, then less data is at risk in the event of a breach.
And do you really want to be uploading and revoking certificates manually? Of course not. It’s inefficient. It’s a burden to your IT staff and it’s also associated with the risk of human error.
Proper machine identity management solutions are the key. Whether or not your organization uses ZenDesk, machine identity management can help you deploy certificates with shorter lifespans, and revoke or rotate them accordingly without direct human interaction. Imagine how much more secure and efficient your public key infrastructures and TLS certificates can be if management is automated. If implemented properly, machine identity management could protect your organization from breaches like the one ZenDesk is still investigating. Food for thought!