In recent years, malware designed to steal cryptographic keys and digital certificates has grown explosively. Two forces have driven this growth. Cyber-criminals have found that they can use keys and certificates to infiltrate networks far more effectively. The keys and certificates also make their unauthorized activities look normal, drastically decreasing the chance of detection. One in five organizations has already fallen prey to a key- or certificate-based attack in the last two years.
Venafi TrustAuthority, part of Venafi Trust Protection Platform, identifies SSL certificate vulnerabilities, enforces enterprise policies, provides a secure self-service portal, and detects certificate-based anomalies with ongoing monitoring. TrustAuthority performs network- and agent-based scanning to identify all SSL certificates, signed by multiple Certificate Authorities (CAs), across the enterprise network and out to the cloud. By deploying TrustAuthority, enterprises take the first step in securing and protecting digital certificates: establishing a well-regulated and visible state in which anomalies can be easily detected. TrustAuthority enables organizations to:
- Increase threat intelligence
- Reduce the attack surface
- Detect certificate-based anomalies and untrustworthy CAs
- Recover faster from compromise
What It Does
TrustAuthority identifies and fixes existing SSL certificate vulnerabilities and detects certificate-based anomalies through continuous monitoring.
As a first step, TrustAuthority identifies certificates across the enterprise and in the cloud, discovering the configuration and location of each certificate. It completes this step by gathering data from CAs and by performing network- and agent-based scans.
Next, TrustAuthority enforces enterprise policies and fixes certificate vulnerabilities. It detects certificates that do not comply with enterprise policies for certificate attributes such as key length, hashing algorithm, validity periods, and authorized CAs. It replaces these vulnerable certificates with new, compliant certificates.
TrustAuthority enables organizations to establish a baseline of normal certificate usage. In addition, with TrustAuthority organizations can gain control of the certificate issuance process. TrustAuthority’s secure self-service portal with easy-to-use wizards enables administrators and application owners to request and receive certificates. The self-service portal aligns certificate request processes with enterprise policies, eliminating errors, oversights, and vulnerabilities. Granular control of certificates and policies considerably reduces your risk of data breaches, compliance audit failures, and system outages.
Discovery and CA Import
TrustAuthority maintains a complete inventory of all the keys and certificates in your organization. It performs network- and agent-based discovery and automatically imports server certificates from all CAs on a scheduled basis. With a complete and accurate certificate inventory, IT security teams can quickly identify and respond to targeted attacks and eliminate system outages. They gain visibility into certificates in use or near expiration and can discover mismanaged keys that are exposed to unauthorized access.
TrustAuthority applies secure key and certificate policies across the enterprise. In this way, it protects your network against attacks that exploit poorly configured keys and certificates or outdated cryptographic technologies. It provides a robust policy framework for workflow processes as well as for certificate attributes such as key length, validity period, and cryptographic hash type.
Notifications and Alerts
Proactive and timely notifications alert administrators to events such as the impending expiration of a certificate. TrustAuthority also validates that all monitored certificates are properly installed and configured.
Support for Multiple CAs, Applications, and Platforms
TrustAuthority provides multi-vendor support spanning a wide range of CAs, applications, hardware security modules (HSMs), and platforms. It integrates directly with leading industry applications and CAs, so certificate requests, installations, enrollments, renewals, and validations proceed without manual hand-offs.
Security and Compliance Reports
With TrustAuthority, security teams can easily identify certificate-based anomalies and quickly remediate issues such as weak signing algorithms, short key lengths, excessive validity periods, and impending expirations. They also gain visibility into which root certificates are trusted within the environment and whether each of them should be. By detecting roots that should not be trusted, organizations can prevent attacks that depend on an untrustworthy root being accepted.
Automated reporting on all logged key and certificate events provides visibility into the status of controlled encryption assets. Administrators can troubleshoot problems easily, perform operational reviews, verify compliance with corporate policies and regulations, and respond quickly to audit requests.
RESTful API Reference
Organizations can rapidly integrate TrustAuthority into third-party systems. A complete reference guide to its RESTful API helps organizations integrate TrustAuthority seamlessly into custom solutions.
Why It’s Important
TrustAuthority helps organizations secure their certificate inventory. By gaining insight into the certificate inventory and applying policies to certificates, organizations can reduce their risk exposure, both decreasing the chance of a data breach and decreasing the impact if a breach does occur.
Increase Threat Intelligence
TrustAuthority provides a complete inventory of all keys and certificates, enabling you to identify your organization’s security gaps and mitigate threats.
- Discover mismanaged and rogue keys that are exposed to unauthorized access
- Discover keys that use weak encryption, rendering them vulnerable to well-known exploits
Reduce Organizational Risk
You can reduce your organization’s attack surface and respond faster to attacks by rapidly replacing compromised certificates.
- Control the full certificate lifecycle
- Gain clear insight into any key and certificate within the datacenter, on desktops, or in the cloud
- Enforce robust policies and ensure administrators configure cryptographic keys and certificates according to secure standards
Compliance and Audit Success
TrustAuthority checks that certificates comply with standards such as the Payment Card Industry Data Security Standard (PCI-DSS). It also checks that certificates follow National Institute of Standards and Technology (NIST) recommendations, such as a minimum RSA key length of 2048 bits.
- Enforce policies that control approved CAs, key lengths, validity periods, cryptographic hash types, workflow processes, and much more
- Log all key and certificate events for auditing and reporting
How It Works
Administrators simply enter an IP address or range of IP addresses and define the relevant ports to inspect. The network discovery engine systematically and non-invasively queries each host for the certificate it presents, whatever the issuing CA and whatever the service (SSL/TLS on web ports, Extended Validation [EV] certificates, SMTP servers that offer TLS, and self-signed certificates). It collects information about the certificates and presents a status report. Administrators can then easily identify systems that are at risk or require attention, as well as place discovered certificates under control. They can also schedule ongoing surveys of the infrastructure, which alert them whenever anything new is found.
TrustAuthority includes a high-performance agent discovery system that enables administrators to schedule scans for certificates in designated local directories on servers and machines. TrustAuthority brings the discovered certificates under control. It enforces enterprise policies, establishes a baseline of normal certificate usage, and continuously monitors certificates that are already protected as well as new certificates that enter the system.
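The discovery and policy-enforcement steps described above, as an added example in Go that is not part of the original datasheet or of Venafi's product: a small program that performs the network-discovery step (a TLS handshake against each host:port that records the presented chain without verifying it) and evaluates the leaf certificate against a policy of the kind the datasheet describes, covering key length, signature hash, validity period, impending expiration, self-signed certificates and an approved-CA list. The policy values, the issuer name "Corp Issuing CA G2", the hostnames and the in-memory demo certificate are all assumptions constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// Policy is a hypothetical enterprise policy over the attributes the datasheet names; the values set in main are assumptions.
type Policy struct {
	MinRSABits      int
	MaxValidityDays int
	WarnExpiryDays  int
	AllowedIssuers  map[string]bool // issuer CommonName allowlist
}

// CheckCertificate evaluates one leaf certificate against p as of now and returns every finding as code -> detail.
func CheckCertificate(c *x509.Certificate, p Policy, now time.Time) map[string]string {
	fs := map[string]string{}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < p.MinRSABits {
		fs["WEAK_KEY"] = fmt.Sprintf("RSA %d-bit key, policy minimum %d", pub.N.BitLen(), p.MinRSABits)
	}
	switch c.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		fs["WEAK_SIGNATURE"] = "signed with " + c.SignatureAlgorithm.String()
	}
	if days := c.NotAfter.Sub(c.NotBefore).Hours() / 24; days > float64(p.MaxValidityDays) {
		fs["LONG_VALIDITY"] = fmt.Sprintf("validity %.0f days exceeds %d", days, p.MaxValidityDays)
	}
	switch left := c.NotAfter.Sub(now); {
	case left <= 0:
		fs["EXPIRED"] = "expired " + c.NotAfter.Format(time.RFC3339)
	case left < time.Duration(p.WarnExpiryDays)*24*time.Hour:
		fs["EXPIRING"] = fmt.Sprintf("expires in %.0f days", left.Hours()/24)
	}
	if c.Subject.String() == c.Issuer.String() {
		fs["SELF_SIGNED"] = "issuer equals subject " + c.Subject.CommonName
	}
	if !p.AllowedIssuers[c.Issuer.CommonName] {
		fs["UNAUTHORIZED_CA"] = fmt.Sprintf("issuer %q is not an approved CA", c.Issuer.CommonName)
	}
	return fs
}

// DiscoverHost is the network-discovery step: a TLS handshake with addr that returns the chain the server presented.
// Verification is disabled on purpose: an inventory scan must record self-signed and untrusted certificates; no application data is sent.
func DiscoverHost(addr string, timeout time.Duration) ([]*x509.Certificate, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// DemoCert builds a self-signed RSA certificate in memory with 20 days of validity
// left so the checker can run offline. It is constructed sample input.
func DemoCert(bits, validityDays int, cn string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.AddDate(0, 0, 20-validityDays),
		NotAfter:     now.AddDate(0, 0, 20),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Assumed policy: 2048-bit RSA, 398-day maximum validity, warn 30 days out, one approved CA.
	policy := Policy{MinRSABits: 2048, MaxValidityDays: 398, WarnExpiryDays: 30, AllowedIssuers: map[string]bool{"Corp Issuing CA G2": true}}
	if demo, err := DemoCert(1024, 5*365, "legacy-app.example.internal"); err == nil { // constructed weak sample
		fmt.Println("demo:", CheckCertificate(demo, policy, time.Now()))
	}
	for _, addr := range os.Args[1:] { // host:port targets, e.g. 10.0.0.5:443
		chain, err := DiscoverHost(addr, 5*time.Second)
		if err != nil || len(chain) == 0 {
			fmt.Printf("%s: error: %v\n", addr, err)
			continue
		}
		fmt.Printf("%s: CN=%s %v\n", addr, chain[0].Subject.CommonName, CheckCertificate(chain[0], policy, time.Now()))
	}
}
```

Run it as `go run scan.go 10.0.0.5:443 mail.example.com:465` (hypothetical targets); with no arguments it only reports on the constructed demo certificate, which trips the key-length, validity-period, expiry, self-signed and approved-CA checks at once. Agent-based discovery of certificate files on disk would feed the same checker after parsing PEM instead of completing a handshake. Verification is switched off only because this is inventory, not trust: nothing learned from a discovered certificate should be trusted on the strength of the scan, and a real scanner would also bound concurrency and time-outs across a whole address range.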
Automatic CA Import
TrustAuthority automatically imports SSL certificates from all CAs on a scheduled basis, keeping its certificate inventory up to date. When a certificate is renewed at the CA, TrustAuthority picks up the renewed certificate and updates the corresponding inventory entry.
TrustAuthority continuously monitors keys and certificates to improve an organization’s inventory, asset, and risk management processes. The flexible notification and escalation functionality allows administrators to send dynamically generated messages, and it automatically determines owners and escalation paths. You can also easily configure monitoring to validate the work of administrators, as well as to verify that systems are functioning properly, using the appropriate keys and certificates, and complying with policies.
Brokered CA Certificate Requests and CSR Generation
With TrustAuthority your organization can control the entire renewal and rotation process for SSL certificates from multiple CAs. TrustAuthority provides full, end-to-end automation of the certificate lifecycle, from the CA all the way to the targeted application or platform. Administrators can automatically replace expired certificates and out-of-date keys on targeted platforms, automating steps that were formerly manual: key and Certificate Signing Request (CSR) generation, CSR submission to CAs, CA approval, and retrieval of the issued certificate. Administrators can also easily migrate certificates from one CA to another; workflow approvals and reviews regulate the complete process. Centralized and automated lifecycle control not only helps reduce administrative costs, but also eliminates errors due to manual processes and ensures compliance with corporate policies and regulations.
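The key and CSR generation step of the lifecycle above, as an added example in Go that is not part of the original datasheet or of Venafi's product: it generates a fresh RSA key and a SHA-256-signed PKCS#10 request, then runs the request through the kind of policy gate a brokered workflow applies before forwarding it to a CA (parseable PEM, valid proof-of-possession signature, minimum key size, every requested name under an approved domain). Submission to the CA and retrieval of the issued certificate are out of scope. The organization name "Example Corp", the hostnames and the approved-domain suffix ".example.internal" are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// GenerateCSR produces a fresh RSA key and a SHA-256-signed PKCS#10 request for cn
// and its SANs. Both are returned PEM-encoded: the key stays with the requester,
// the CSR is what gets submitted to the CA. "Example Corp" is an assumed name.
func GenerateCSR(cn string, sans []string, bits int) (keyPEM, csrPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		DNSNames:           sans,
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return keyPEM, csrPEM, nil
}

// ValidateCSR is the policy gate a brokered request should pass before it is
// forwarded to a CA: the PEM must parse, the proof-of-possession signature must
// verify, the key must meet the minimum size, and every requested name must
// fall under the approved domain suffix.
func ValidateCSR(csrPEM []byte, minRSABits int, approvedSuffix string) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("bad CSR signature: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("unsupported key type %T", csr.PublicKey)
	}
	if pub.N.BitLen() < minRSABits {
		return nil, fmt.Errorf("RSA key is %d bits, policy minimum is %d", pub.N.BitLen(), minRSABits)
	}
	for _, name := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if name == "" {
			continue // a CSR may carry only SANs and no CN
		}
		if !strings.HasSuffix(name, approvedSuffix) {
			return nil, fmt.Errorf("name %q is outside approved domain %s", name, approvedSuffix)
		}
	}
	return csr, nil
}

func main() {
	// Hypothetical request for an internal application host with one extra SAN.
	_, csrPEM, err := GenerateCSR("app01.example.internal", []string{"app01.example.internal", "app.example.internal"}, 2048)
	if err != nil {
		panic(err)
	}
	csr, err := ValidateCSR(csrPEM, 2048, ".example.internal")
	if err != nil {
		panic(err)
	}
	fmt.Printf("CSR for CN=%s SANs=%v passes policy; ready for submission\n", csr.Subject.CommonName, csr.DNSNames)
	fmt.Print(string(csrPEM))
}
```

The gate rejects the two requests a self-service portal most often sees: a key below the enterprise minimum, and a name the requester is not entitled to (a public domain or another team's host). Checking the signature before anything else confirms the submitter holds the private key, which is the property the CA will rely on when it issues.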