The new Payment Card Industry Data Security Standard (PCI DSS) v3 demands more visibility and security over keys and certificates than most organizations can deliver. But the Payment Card Industry Security Standards Council (PCI SSC) understands the importance of keys and certificates that establish the trust on which businesses depend—securing data, keeping communications safe and private, and establishing trust between communicating parties.
Why is securing keys and certificates so important now? As we rely more heavily on keys and certificates, cybercriminals have made them more of a target. They want to use keys and certificates to be authenticated and evade detection, bypassing other security controls and keeping their actions cloaked. And keys and certificates are especially attractive when they secure sensitive data such as payment card information. These threats range from exploits of accidental vulnerabilities, like Heartbleed, to advanced persistent threats designed to circumvent and misuse keys and certificates such as Mask, Crouching Yeti, and APT18—just to name a few. Organizations layer security controls to protect their business and meet PCI DSS compliance. But a lack of key and certificate security undermines a minimum of 40% of the Critical Security Controls (CSCs) listed by the SANS Institute.
Many are also turning to SSL/TLS for protection. According to Gartner, SSL/ TLS traffic comprises 15%-25% of total web traffic.3 For many businesses it is over 50%. But most security controls, like malware, boundary defenses, and data protection, do not decrypt data, but instead rely on keys and certificates to determine trust.
As organizations struggle to secure their keys and certificates against the latest trust-based attacks, the new version of the PCI DSS is mandating stronger security for cryptographic keys and digital certificates, including inventory capabilities, malware protection, authentication requirements, and more.
Many view keys and certificates as a management issue, but with all of the attacks on keys and certificates, organizations need Next Generation Trust Protection to ensure they stay secure. If only one critical key or certificate is compromised, the digital trust an organization has established is eliminated. Venafi Next Generation Trust Protection delivers key and certificate security, including automated and policy-based tools that help enterprises easily implement regulatory processes and demonstrate PCI DSS compliance. Most organizations rely on internal scripts or manual processes to manage their keys and certificates, and lack the security, automation, and scalability needed for ongoing PCI DSS audit success.
PCI DSS v3 introduces a few new provisions that stress visibility. One such provision is requirement 2.4 which requires organizations to maintain an inventory of all system components in scope of the standard. But most organizations lack the ability to discover all of the keys and certificates that are in their network and then accurately determine which are in scope of the PCI DSS. On average, there are almost 24,000 keys and certificates in an enterprise network, but 54% of organizations are unaware of how many certificates and keys are actively in use. And discovering these keys and certificates is usually a manual, labor-intensive exercise, conducted only periodically to achieve compliance. There is no ongoing monitoring to provide on demand access of this information.
New requirement 5.1.2 : Periodically review systems uncommonly affected by malware to determine if protection has become necessary With changes to Requirement 5, the PCI SSC wanted to stress that all systems should be protected from malware, and even systems uncommonly impacted by malware should be reviewed periodically to determine if malware protection has become necessary. Although keys and certificates may be viewed as a system uncommonly affected by malware, falling under the new requirement, in truth, today they should be considered commonly impacted targets of malware and protected. Attacks that target keys and certificates go back to at least as early as 2009 and have dramatically increased. For example, there has been a 700% growth in certificate enabled malware from 2012 to 2015, according to Intel Security. And in March 2014, the severity and scope of Heartbleed put a spotlight on this vulnerability that, for full remediation, requires companies to replace all keys and certificates. And experts believe that these attacks are only going to increase. Gartner predicts that “50% of network attacks will use SSL by 2017.” Cybercriminals leverage keys and certificates to create the illusion of trust and bypass traditional defense in-depth security, undermining critical security controls. These threats underscore the importance of strong security and remediation capabilities for keys and certificates.
When certificates are used for authentication, they must be assigned to an individual account and not shared In this latest PCI DSS version, certificates are specifically called out as a means of authentication. But, as stated in the new Requirement 8.6, when using certificates, organizations must be able to assign them to an individual account that prevents shared usage. This requires a certificate security solution that applies strict certificate usage policies while also enabling ease of distribution and maintenance.
The new version of the PCI DSS emphasizes that security controls implemented for compliance should be part of the organization’s business-as usual security strategy. This enables organizations to maintain compliance on an ongoing basis. To deliver business-as-usual security processes, Venafi provides fully automated key and certificate protection for end-to end provisioning of complex, load-balanced encryption environments. This automation eliminates the vulnerabilities that can arise from error-prone manual processes, rapidly scales new encryption-dependent applications, and provides automatic remediation so that errors, oversights, and attacks do not become breaches.
The PCI DSS is meant to serve as a minimum security standard. A company’s security program should meet and exceed the PCI DSS requirements, achieving compliance as a by-product of implementation. If organizations are not meeting the PCI DSS requirements, not only are they not compliant, they are not secure—providing opportunities for cybercriminals.
Cryptographic keys and digital certificates are the foundation for providing trust in data protection, authorization, and authentication of servers, devices, software, cloud, and privileged administrators and users. The PCI DSS recognizes the importance of securing keys and certificates and includes requirements for them throughout the standard. With Venafi, organizations can meet these PCI DSS v3 requirements—simplifying and ensuring repeated audit success while continually defending against trust-based attacks.