This is part three of a blog series on easy and intuitive PKI (Public Key Infrastructure) operation for non-security administrators. In part one, I explored the reasons why you should empower system admins to manage encryption for their own applications. Then in part two, I gave practical advice to systems admins on how to get started. And now I’m going to outline the easy steps system admins can take to keep keys and certificates secure and compliant for the systems and applications they manage.
As a system admin, you’re actively managing the environment for your application to meet your defined service levels. So, it just makes sense for you to manage the keys and certificates that protect them, as well. Once you get all these critical security assets under control and up to policy, you will need to start thinking about how you can keep them secure and operational over the long haul.
The next step you need to think about is what I call monitoring for assurance. But you shouldn’t have to manually review the list of keys and certificates every day to make sure they’re all safe and current. Instead, you want to be notified when an expiration date is approaching or something looks suspicious. This is easy if you have a solution that actively monitors your certificate environment for you and lets you know when you need to take action without the manual and tedious legwork.
Here’s what you’ll need to be on the lookout for: certificates that are out of date or out of compliance with security policy. You need advanced notice when certificates will be expiring so you can replace them before they cause an application outage, which can be both expensive and embarrassing.
You’ll also want to be immediately notified of any anomalies such as a mis-issued or rogue certificate that have found their way into your environment. These irregularities could indicate a certificate compromise that would allow cyber criminals to hide in encrypted traffic, spoof a website, deploy malware, and steal data. While these alerts may be the result of a simple mistake, not knowing about and fixing anomalies is likely to impact your application sooner or later.
In addition to automatically notifying you when your attention is needed, a good certificate management solution should also simplify management by automating routine actions. This would include the process of requesting, renewing, or revoking certificates for your applications.
Depending on your knowledge of PKI and your level of responsibility, your organization might elect to automate all or only some of these actions for you. The level of shared responsibility will be defined by the security or PKI teams: they create the policies and procedures at play between themselves and system administrators like yourself. It should be noted, however, that ultimate responsibility for enterprise encryption—and the keys and certificates that enable it—rests with the PKI team.
Ideally, you will now have control of your own certificate environment. After all, you’re in the best position to manage it wisely, since you have the largest stake in maximizing the uptime and security of your application. Does your organization give you access to a certificate management solution that puts you in the driver’s seat?