Organizations of all sizes and industries maintain extensive financial, customer and mission-critical business data. However, when sensitive information is misused or compromised, organizations will often pay a heavy price. Recent high-profile security breaches have cost millions in revenue and lost opportunities. These fears, along with new security standards and regulations, have driven IT professionals to deploy encryption more broadly.
The problem is that, having done so, the encryption keys used to secure data become the figurative “keys to the kingdom.” The key (and not the data itself) becomes the entity that must be safeguarded. Efforts to manage these keys manually, however, represent a significant security risk and become operationally challenging, especially as encryption is deployed across disparate systems and applications.
Organizations are struggling to properly manage and control these rapidly multiplying certificates and keys to prevent security breaches, system downtime and other disasters. It’s a catch 22 situation - but it doesn’t have to be.
Before we can solve the problem of enterprise key and certificate management (EKCM), we must first fully understand the challenges faced:
The critical starting point in any certificate and private key management strategy is to create a comprehensive inventory of all certificates, their locations and responsible parties. This is not a trivial matter because certificates are deployed in a variety of locations by different individuals and teams – it’s simply not possible to rely on a list from a certificate authority. Taking a four step approach will ensure that no certificates are missed:
Gather what you already know about the certificates from existing certificate authorities. It is very dangerous to assume that an import from your known CAs will provide an accurate inventory of all certificates; it’s merely a starting point that must be augmented by discovery.
Perform a network discovery to find certificates that are present on a listening port such as HTTPS. Start by gathering your network address ranges and then collect a list of ports to check. You can initially check on port 443, but there are many ports on which certificates are commonly presented. To discover certificates on your network, you can also use Venafi as a Service.
Many certificates are not discoverable via network ports, such as client-side certificates used for mutual authentication on SSL. Finding these certificates typically involves performing file system scans on server and client systems with a locally-installed agent.
Network and agent-based discoveries can take time and it may not be possible to perform them in all corporate locations. That makes it critical to educate administrators and make sure they are proactively reporting any certificates they are aware of and adding them to the inventory.
Sounds simple! Just remember that performing an inventory is not a one-time event. You should repeat the steps above weekly to ensure the inventory is up to date.
As you’re developing your inventory, establish a correlation of who the contacts and owners are for certificates. Wherever possible assign groups as the contacts instead of individuals to avoid a single point of failure. Some helpful sources include certificate authorities, tracking spreadsheets, and even a CMDB. Define clear responsibilities for maintenance of certificate contact information.
An important method for preventing in-service expirations is to establish a central monitoring function that ensures certificates are replaced prior to expiration by automatically notifying responsible groups. Only when the new certificate has been installed and the application has been reset to use the new certificate prior to the time of expiration is the risk of downtime averted.
Expiration reports should be sent to certificate owners each month that show a list of all certificates expiring in the next 90 days. Individual expiration notifications should be sent if action has not been taken on an individual certificate within 30 days of expiration. If action has not been taken within 20 days prior to expiration, escalation to additional parties should be added. At 10 days from expiration, notifications should be sent to a NOC or other corporate group that is responsible to respond to the crisis until it is resolved.
Establish standard practices for enrollment and provisioning that maximize reliability and repeatability, ensure security and compliance to policy, and minimize load on your administrators. There are easily 20 or more steps involved in issuing or renewing a certificate. These steps must be standardized and implemented in compliance with policy every time.
Errors are inevitable when the steps outlined above are performed manually. In addition, confidently ensuring the security of the private key is very challenging when these operations are performed manually. Automated methods of certificate enrollment and provisioning exist and should be considered.
EKCM best practice is crucial to your organization if you’re to avoid the complications, embarrassment and expense of your security being compromised. Make sure you have a clear understanding what the risks that apply to your organization are. By prioritizing them, and clearly communicating the importance of addressing them in your organization, you can accelerate the implementation and adoption of best practices since all stakeholders will understand the implications of not doing so.