SANS 20 Critical Security Controls | Venafi

Certificates in Security Frameworks




SANS 20 CSC 17 Key and Certificate Controls



Here are the SANS 20 CSC 17: Data Protection updates:

• 17-2: Verify that cryptographic devices and software are configured to use publicly-vetted algorithms.
• 17-10: Only allow approved Certificate Authorities (CAs) to issue certificates within the enterprise.
• 17-11: Perform an annual review of algorithms and key lengths in use for protection of sensitive data.
• 17-14: Define roles, responsibilities, and lifecycle for encryption keys.

Reducing Risk with Quick Wins

Too often cyberattacks succeed because basic security controls are absent or misconfigured. The Critical Security Controls for Effective Cyber Defense, frequently referred to as SANS 20, applies the 80/20 rule to cybersecurity: a blueprint of prioritized guidance that reduces the most risk for the least effort. As attacks on keys and certificates accelerate and vulnerabilities like Heartbleed are discovered and exploited more frequently, Critical Security Control 17: Data Protection has been updated to include guidance on how to monitor keys and certificates, enforce policy over them, and prepare to respond to incidents involving them.

Threatscape Drives Updates

The updates to the Data Protection control arrive at a critical point in the evolution of PKI, as organizations work out what is and is not trusted in the digital world. The following drivers make key and certificate security a requirement of data protection:
• SSL/TLS attacks accelerating: Gartner expects 50% of attacks to use SSL/TLS by 2017.
• Rapid growth in certificates: The average Global 5000 organization has over 17,000 keys and certificates, and data protection and privacy requirements, as well as Google’s prioritization of HTTPS, are driving further growth in SSL/TLS.
• Blind spot with keys and certificates: Over half of security teams admit they do not know where their keys and certificates are or how they are used.
• A top cybercriminal target: Intel believes the next wave of underground marketplaces will sell stolen certificates, which already sell for $1000 apiece.
• Shorter certificate lifetimes: Google and others are shortening certificate lifetimes to 3 months or less, reducing the window of exposure for a compromised certificate.
• New security standards: NIST and CAs are replacing SHA-1 with SHA-2. Experts believe SHA-1 attacks are now feasible, and browsers will identify SHA-1 certificates as less trusted in 2015.
• New vulnerabilities: Research from Netcraft, Venafi, and others shows that most organizations have not fully remediated Heartbleed, which requires the replacement of all affected keys and certificates, not just a software patch.

Scalable Controls Reduce Risk

To keep up with the growing use of keys and certificates, controls need automation, monitoring, reporting, policy enforcement for issuance and renewal, workflow, escalations, and remediation.

What capabilities do you need to map your security to CSC 17?

Data Protection Updates

17-2: Use publicly-vetted algorithms, and 17-11: Perform an annual review of algorithms and key lengths.

• Scanning for all SSL/TLS, SSH, MDM/EMM, WiFi, and VPN use
• Continuous discovery of all certificates and trust stores
• Detailed reporting and escalation of violations, vulnerabilities, and risks

17-10: Only allow approved Certificate Authorities (CAs) to issue certificates.

• Continuous discovery of all certificates and trust stores
• Automated, policy-enforced certificate issuance from authorized CAs
• Policy-enforced, self-service portal for certificate issuance and renewal
• Detailed reporting and escalation of violations, vulnerabilities, and risks

17-14: Define roles, responsibilities, and lifecycle for encryption keys.

• Hierarchical policies integrated with enterprise identification systems
• Certificate ownership assigned to individuals or groups
• Customizable workflows
• Detailed reporting and escalation of violations, vulnerabilities, and risks
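As an added illustration of the three capability lists above (example code written for this page, not code from Venafi or from the SANS document), the following Python script performs the kind of policy check that a discovery scan feeds: it reads a constructed JSON-lines inventory of discovered certificates and reports findings against 17-2 (deprecated signature algorithms and unvetted key types), 17-11 (key lengths below the minimum set by the annual review), 17-10 (issuers outside an approved-CA list) and 17-14 (certificates with no assigned owner or nearing expiry). The inventory field names, the policy thresholds, the approved-issuer names and the hosts are all assumptions chosen for the example; a real inventory would come from your scanner's export, and the thresholds from your own cryptographic standard.

```python
"""Certificate inventory audit against CSC 17 key/certificate controls.

Example code for this page; thresholds, issuer names and the record
format are assumptions, not values taken from SANS or Venafi.
"""
import json
from datetime import datetime, timezone

# Policy values (assumed). CSC 17 names the control, not the numbers; the
# annual review required by 17-11 is where these get revisited.
APPROVED_ISSUERS = {"CN=Corp Issuing CA 01", "CN=Public Root CA G2"}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}
EXPIRY_WARN_DAYS = 30

# Constructed discovery export in JSON-lines form (one record per certificate
# found by a scan). Field names are assumed, not any particular tool's schema.
INVENTORY = """\
{"host":"www.example.test:443","subject":"CN=www.example.test","issuer":"CN=Corp Issuing CA 01","key_type":"RSA","key_bits":2048,"sig_alg":"sha256WithRSAEncryption","not_after":"2030-01-01T00:00:00Z","owner":"web-team"}
{"host":"legacy.example.test:443","subject":"CN=legacy.example.test","issuer":"CN=Corp Issuing CA 01","key_type":"RSA","key_bits":1024,"sig_alg":"sha1WithRSAEncryption","not_after":"2030-01-01T00:00:00Z","owner":""}
{"host":"dev.example.test:8443","subject":"CN=dev.example.test","issuer":"CN=Self-Signed Dev","key_type":"EC","key_bits":256,"sig_alg":"ecdsa-with-SHA256","not_after":"2030-01-01T00:00:00Z","owner":"dev-team"}
{"host":"api.example.test:443","subject":"CN=api.example.test","issuer":"CN=Public Root CA G2","key_type":"RSA","key_bits":4096,"sig_alg":"sha256WithRSAEncryption","not_after":"2025-06-15T00:00:00Z","owner":"platform"}
"""

# Fixed clock so the report is reproducible; pass datetime.now(timezone.utc)
# for a live run.
EXAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def parse_inventory(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _parse_time(value):
    """Parse the scanner's UTC timestamp (assumed ISO-8601 with trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(record, now):
    """Return a list of (control, finding) pairs for one certificate record."""
    findings = []
    # 17-2: publicly-vetted algorithms only. Deprecated signature hashes and
    # key types outside the policy table are both violations.
    if record["sig_alg"] in WEAK_SIG_ALGS:
        findings.append(("17-2", f"deprecated signature algorithm {record['sig_alg']}"))
    minimum = MIN_KEY_BITS.get(record["key_type"])
    if minimum is None:
        findings.append(("17-2", f"unvetted key type {record['key_type']}"))
    # 17-11: key length below the minimum set at the last review.
    elif record["key_bits"] < minimum:
        findings.append(("17-11", f"{record['key_type']} key of {record['key_bits']} bits is below {minimum}"))
    # 17-10: issuance restricted to approved CAs.
    if record["issuer"] not in APPROVED_ISSUERS:
        findings.append(("17-10", f"issued by unapproved CA {record['issuer']}"))
    # 17-14: lifecycle ownership. No owner means nobody is accountable for
    # renewal; an expiry inside the warning window needs a renewal workflow.
    if not record.get("owner"):
        findings.append(("17-14", "no owner assigned"))
    days_left = (_parse_time(record["not_after"]) - now).days
    if days_left < 0:
        findings.append(("17-14", "certificate expired"))
    elif days_left <= EXPIRY_WARN_DAYS:
        findings.append(("17-14", f"expires in {days_left} days"))
    return findings


def audit(text, now=None):
    """Map each discovered host to its findings ([] when compliant)."""
    now = now or datetime.now(timezone.utc)
    return {rec["host"]: evaluate(rec, now) for rec in parse_inventory(text)}


def escalations(report):
    """Hosts whose findings touch 17-2, 17-10 or 17-11: these are the ones
    to route to an escalation workflow rather than a routine renewal queue."""
    urgent = {"17-2", "17-10", "17-11"}
    return sorted(host for host, findings in report.items()
                  if any(control in urgent for control, _ in findings))


if __name__ == "__main__":
    report = audit(INVENTORY, EXAMPLE_NOW)
    for host, findings in report.items():
        status = "OK" if not findings else "; ".join(f"{c} {msg}" for c, msg in findings)
        print(f"{host:28} {status}")
    print("escalate:", ", ".join(escalations(report)))
```

In this constructed inventory the legacy host trips both the algorithm control (SHA-1 signature) and the key-length control (1024-bit RSA) and has no owner, the dev host is flagged only for its self-signed issuer, and the API host is compliant apart from an approaching expiry, which is a renewal task rather than an escalation. Re-running the same audit after raising `MIN_KEY_BITS` is exactly the annual-review loop 17-11 describes.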
