8 Tips for SSL Encryption & Key Protection | Venafi Skip to main content


<---Back to Education Center

SSL






8 Steps for Protecting SSL

In the face of rapidly evolving threats, the increasing reach of regulations and fast-changing security standards, enterprises must proactively defend the trust their business depends on. The following recommendations can provide a framework for managing and protecting SSL/TLS keys and certificates.

1. Inventory Enterprise Keys and Certificates to Ensure Accountability

Using manual processes to inventory hundreds or thousands of keys is inefficient, costly, and error-prone. To create an accurate inventory, enterprises need an automated solution that rapidly scans the IT infrastructure to identify all keys and certificates issued from multiple CAs using a high-performance discovery engine. The discovery engine will answer the question, “What system does this certificate belong to and who is responsible for maintaining secure SSL access to it?”

2. Profile SSL/TLS Vulnerabilities to Create Baseline

Organizations need increased threat intelligence to create a baseline that helps detect vulnerable keys and certificates, like those with weak encryption schemes or short key lengths. A baseline helps to identify applications served by vulnerable keys and certificates, as well as potentially compromised, unused, or expired certificates that should be revoked or retired.

3. Enforce Policies and Workflows to Reduce Risk

Flexible policy criteria, such as certificate lifetime, authorized CA, ownership assignments, and more, should be enforced through established workflows to deliver and validate certificate issuance, installation, and renewals. With automated workflows, administrators can define certificate policies as mandatory (enforced) or suggested (changeable). They can also configure process parameters such as approved certificate authorities and templates, subject DN contents, certificate contacts and approvers, automatic renewal status, expiration period, and key strength.

In addition, certificates within the security infrastructure should be automatically maintained to conform to the appropriate hierarchical security policies. The solution should also generate reports to spot policy violations for existing certificates in their original states, as well as any newly imported certificates that do not comply. By enforcing policies and workflows, the baseline profile steadily improves and is maintained in a consistent state of security and operational readiness.

4. Automate Infrastructure Refresh to Streamline Security

Strong security practices require that processes be implemented to quickly rotate any or all keys and certificates on a scheduled or as-needed basis. With an automated solution, what was once an enormous, error-prone manual task transforms into a routine part of overall security management.

Although many firms fail to take this critical step, expired or compromised certificates must be explicitly revoked, since all certificates represent trust issued by an organization. An automated solution can revoke certificates individually, in batches, or all at once to remediate major vulnerabilities like Heartbleed on OpenSSL.

Administrators should also have the ability to revoke certificates that have been superseded by new policy rules, and those formerly belonging to devices or applications that are no longer in use. Revoking unneeded certificates limits the attack exposure

5. Automate Management and Security to Deliver Greater Efficiency

Automation is needed across the entire issuance and renewal process to avoid certificate expirations and outages. With automation, you can replace certificates in seconds, integrate with dozens of CAs, and remediate across thousands of certificates in just hours in the event of a CA compromise or new vulnerability such as Heartbleed. This automation should have built-in validation, showing certificates are installed, working, and current.

6. Audit Reporting Enhances Visibility, Verifies Compliance

Audit findings open opportunities for organizations to reconsider how they enforce certificate issuance, renewal, replacement, and authorization. To ensure that audit remediation offers long-standing, repeatable security results is more than a paperwork exercise. It requires complete visibility and automated policy enforcement.

Audit capabilities should include automated reporting on all logged key and certificate events. Audit reports provide visibility into the status of controlled encryption assets. With complete, detailed audit reports, administrators can easily troubleshoot problems, perform operational reviews, verify compliance with corporate policies and regulations, and respond quickly to audit requests.

7. Incident Response Returns Networks to Trusted State

Incident Response (IR) teams are often called on to determine the malware used in an attack—where it is, what data was stolen, and what parts of the network are infected. Ideally, the IR should bring the network back to a good, trusted state. But if the attack used SSL certificates, breaches will still occur until IR teams revoke and replace all keys and certificates.

The ability to quickly respond to certificate-related incidents is essential to regain the trust your company, customers, and partners depend on. By automating the replacement of all keys and certificates, you can mitigate backdoor, surveillance, and spoofing risks, close the window of vulnerability in hours, and ensure your network is secure.

8. Self-Service Portal Prevents Errors, Ensures Compliance

A secure, easy-to-use, web-based self-service portal enables end-users to quickly request certificates for Wi-Fi, VPN, email, browser, or other applications. User certificate issuance must ensure certificates comply with security policies, eliminate guesswork on the part of inexperienced users, and prevent errors.

Once the compliant user certificates are issued, the certificates should become available for manual or automatic download into the user’s environment.

Up to Top




Continue learning with the next suggested topic:

What is a Wildcard Certificate




Main Navigation

}
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat