Validating Compliance in a Highly-Regulated Industry for a Fortune 100 Healthcare Company
Before Venafi: Highly regulated by HIPAA, HITRUST, PCI DSS, etc.; no visibility into SSL/TLS keys and certificates; no ability to remediate compliance findings.
After Venafi: 100% key and certificate visibility; centralized, encrypted repository; reports providing audit validation; compliant with risk and security audit teams’ requirements.
Healthcare organizations often struggle with meeting the strict data protection requirements in their highly-regulated industry. With HIPAA, HITRUST, PCI DSS, and more, effective data protection is critical to the viability of the business.
For this Fortune 100 healthcare company, the IT Shared Services team was using keys and certificates to secure data. The team was managing these certificates manually, tracking them in SharePoint, and was concerned about the risk this approach placed on the business. The team also knew it was not managing all of the company’s keys and certificates: it had no visibility into certificates generated outside the team. And although SharePoint served as the central inventory, the keys and certificates themselves were not stored in a central, secure location.
They chose Venafi because it lets the IT Shared Services team locate keys and certificates across the network, giving them 100% visibility. Venafi also provides a centralized, encrypted repository that keeps keys and certificates safe. With Venafi, the organization now has the visibility and policy enforcement capabilities it needs to remain compliant. And with detailed reports that provide audit validation, the team can demonstrate compliance with the requirements of its risk and security audit teams.
As an international corporation that delivers computing and communications technologies, this business signs its code with certificates to validate the integrity of that code.
Attackers compromise code-signing certificates from legitimate organizations and use them to sign malicious code. By using a legitimate certificate, the malicious code does not trigger any warnings, and unsuspecting users will trust that the application is safe to install and use.
This company writes code in over 200 countries. The result: pockets of code-signing certificates scattered across the globe, along with one-off certificates created for particular projects.
The company knew it needed more centralized, secure code-signing practices, with the visibility, centralized management, and policy enforcement needed to avoid problems such as certificate reuse.
Venafi delivered a centralized system for managing and distributing code-signing certificates, along with secure processes to prevent those certificates from being used to sign malware. The company set up policies, workflows, and approvals to keep the certificate provisioning process secure.
The company is now able to manage certificate lifecycles, track certificate ownership, and streamline certificate provisioning, all of which protects its code-signing certificates against misuse.
The company considered other solutions, but, with Venafi, the capabilities and agents the company needed were already there. By ensuring code-signing integrity, the company protects its business and brand.