People often opt for simplicity even at the cost of security
You should assume that your security credentials—passwords, private keys, etc.—aren’t safe with ANYONE
You can have your simplicity and security too with automated key and certificate management
I've had the pleasure of working with a lot of security professionals in my time with security software, and there is a recurring trend: people have an inherent craving for simplicity and often give in to this craving in ways that are not in their best interests. I feel protective of our customers and want to help them avoid the security mistakes I see others make in their misguided efforts to simplify.
To put it bluntly, people, you shouldn't assume that just because you are dealing with security professionals from vendor companies that your passwords, private keys, and other sensitive information are safe with them. You shouldn't even assume this with your own company's security professionals. If you want to destroy any security solution, add people.
You have no idea how many passwords and plain-text encryption keys I've seen come across screens—or in the case of passwords, seen written on sticky notes and pasted in obvious locations. For example, a colleague and I were working onsite to help a customer resolve an issue. During this visit, a member of the customer's security team was having difficulty remembering a password he needed for access to something.
"Check the back of your keyboard," my colleague and I joked. But when he turned over his keyboard, there it was: the 1Password password that gave access to all of their “secured” passwords. When I see such things, I fear for our customers.
Admittedly, there's a tradeoff. In the fight between security and simplicity, the first thing to be compromised is usually security. Most people understand passwords, and we still don't take good care of them. Now imagine a certificate or a private key. Many people don't really understand those, so we find them spread around on file servers with no passphrase at all, or with a trivial one. Either way, anyone who can copy the file owns the key: a plaintext key needs no attack, and a weak passphrase can be guessed offline at full speed, with no lockout or rate limit to slow the attacker down. Can you say "easy brute-force target"?
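The "keys spread around on file servers" problem is one you can measure yourself before any vendor shows up. What follows is an added example, not code from this post or from Venafi: a stdlib-only Python scanner that walks a directory tree, finds PEM-encoded private keys, and reports whether each is stored in the clear, under the legacy OpenSSL PEM encryption (its key derivation is a single MD5 pass, so a weak passphrase falls quickly to an offline dictionary attack), under PKCS#8 encryption, or in OpenSSH's own format, where the cipher name in the blob header tells you whether it is encrypted at all. The function names are mine, and the sample files it scans are constructed placeholders rather than real keys.

```python
# Added example (stdlib only; not code from the post or from Venafi): find PEM private keys and report how each is protected.
import base64
import os
import re
import struct
import tempfile
from typing import List, Tuple

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+?)-----")
MAX_FILE_BYTES = 64 * 1024   # key files are small; skip large binaries


def _openssh_cipher(body: bytes) -> str:
    """Cipher name from an 'openssh-key-v1' blob; 'none' means the key is in the clear."""
    end = body.find(b"-----END")
    b64 = b"".join(body[:end if end >= 0 else len(body)].split())
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "unknown"
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic) or len(raw) < len(magic) + 4:
        return "unknown"
    off = len(magic)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")


def classify_pem(data: bytes) -> List[Tuple[str, str]]:
    """(label, protection) per private-key block; certs, CSRs and public keys are skipped."""
    out = []
    for m in PEM_BEGIN.finditer(data):
        label = m.group(1).decode("ascii")
        if "PRIVATE KEY" not in label:
            continue
        body = data[m.end():]
        if label == "ENCRYPTED PRIVATE KEY":
            prot = "pkcs8-encrypted"        # PBKDF2-based; as strong as passphrase + iterations
        elif label == "OPENSSH PRIVATE KEY":
            cipher = _openssh_cipher(body)
            prot = "plaintext" if cipher == "none" else f"openssh-encrypted({cipher})"
        elif re.match(rb"\s*Proc-Type:\s*4,ENCRYPTED", body):
            # Legacy OpenSSL PEM: key derived from the passphrase with a single
            # MD5 pass, so an offline dictionary attack runs at full speed.
            prot = "legacy-pem-encrypted"
        else:
            prot = "plaintext"
        out.append((label, prot))
    return out


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk root and return one (path, label, protection) per private-key block found."""
    findings: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_FILE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue                    # unreadable or vanished: skip, do not crash
            if b"-----BEGIN" in data:
                findings += [(path, lbl, prot) for lbl, prot in classify_pem(data)]
    return findings


def weak_findings(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Keys in the clear or under the fast legacy PEM KDF: these need attention first."""
    return [f for f in findings if f[2] in ("plaintext", "legacy-pem-encrypted")]


def _openssh_pem(cipher: bytes, kdf: bytes) -> bytes:
    """Constructed OpenSSH-format header carrying cipher/KDF names; no real key follows."""
    raw = b"openssh-key-v1\x00"
    for field in (cipher, kdf):
        raw += struct.pack(">I", len(field)) + field
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(raw)
            + b"-----END OPENSSH PRIVATE KEY-----\n")


# Constructed sample files: the base64 bodies are placeholders, not real keys.
SAMPLES = {
    "web/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n",
    "web/server.crt": b"-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgI\n-----END CERTIFICATE-----\n",
    "ops/legacy.pem": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,"
                       b"0F1E2D3C4B5A69788796A5B4C3D2E1F0\n\naGVsbG8=\n-----END RSA PRIVATE KEY-----\n"),
    "ops/modern.pem": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBOBgkq\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "home/.ssh/id_ed25519": _openssh_pem(b"none", b"none"),
    "home/.ssh/id_rsa": _openssh_pem(b"aes256-ctr", b"bcrypt"),
}


def demo() -> List[Tuple[str, str, str]]:
    """Write SAMPLES into a fresh temp dir, scan it, return sorted (relpath, label, protection)."""
    root = tempfile.mkdtemp(prefix="keyscan-")
    for rel, data in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return sorted((os.path.relpath(p, root).replace(os.sep, "/"), lbl, prot)
                  for p, lbl, prot in scan_tree(root))
```

Run `demo()` to see the constructed tree classified; point `scan_tree()` at a real share to see your own. Two caveats: the scanner only recognises PEM text, so DER and PKCS#12 files need a separate check, and "encrypted" never means "safe": a PKCS#8 or OpenSSH key under a passphrase from a top-1000 list is still a few seconds of work for whoever copies the file.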
Please properly vet your vendors and security team members: do all you can to make sure their reputations are spotless and that they are security minded. 1Password has attempted to help corral the mess we make with passwords and passphrases by providing a central location with some level of control. Venafi is helping add security by doing the same for keys and certificates, including policies to enforce company rules and automation for a complex process that most administrators don't fully understand.
But what are the solutions? How can we take people—always the weakest link in the security chain—out of the picture, or at least limit their impact? Automated key and certificate management and security can be part of the answer.
Venafi can help—providing key and certificate management and security for SSL/TLS keys and certificates, SSH keys, and mobile and user certificates. With Venafi, the Immune System for the Internet™, you can have your simplicity and your security, obviating the need for password-protected private key files by automatically discovering certificates and keys, placing them securely under its protection and control, and managing them throughout their lifecycles. Managing your cryptographic assets can't be simpler—automating the process and taking out the risk of human error.
We know Superman is virtually unbeatable, just like so many security software solutions claim to be, but he has kryptonite as his weakness. Don’t let your craving for simplicity be your security kryptonite. Make sure you always have security-minded people as part of your team.
What is the worst IT security horror story you’ve heard? Any other suggestions on how to avoid security kryptonite?