Secure Critical Information

Protect critical information and assets against those ineffectively-managed encryption deployments that complicate and undermine security and compliance efforts.

Secure Critical Information

Analyst Coverage

“Cybercriminals are known to steal SSH keys or manipulate which keys are trusted to gain access to source code and other valuable intellectual property” Read More

“Advanced threat detection provides an important layer of protection but is not a substitute for securing keys and certificates that can provide an attacker trusted status that evades detection.” Read More

"Basically, the enterprise is a sitting duck."

"PKi is under attack...Advanced and persistent adversaries go for keys" Read More

"When there are many hundreds of certificates from a variety of certificate authorities, the only ecumenical [universal], nonproprietary provider of a certificate management solution is Venafi. Other CA management systems are biased toward the particular CA by, for example, only supporting renewals from that specific CA." Read More

"No CISO could consider having tens of thousands of unknown network ports open and have no way to control them. But that’s the alarming reality today with regards the trust established by keys and certificates..." Read More

"Organizations with roughly 200 or more documented X.509 certificates in use are high-risk candidates for unplanned expiry and having certificates that have been purchased but not deployed." Read More

"Technology critical to cloud computing is in clear and present danger...attacks on Secure Shell (SSH) keys present the most alarming threat arising from failure to control trust." Read More

“Certificates can no longer be blindly trusted” Read More

“Just because something is digitally signed doesn't mean it can be trusted.”

“Enterprise awareness of attacks on keys and certificates is in its infancy; most don’t understand how to detect or respond to an attack.” Read More

Inadequate key and certificate management invalidates encryption efforts

With sensitive data—and threats to that data—increasing exponentially, companies struggle to implement comprehensive encryption. Unfortunately, deploying increasingly expansive volumes of encryption without simultaneously increasing staff or resources to manage the impacted systems and assets exposes new security threats, all while increasing the risk of compromise and noncompliance the encryption deployments originally aimed to avoid. Because encryption means nothing unless keys remain secret, the data that companies believe is protected remains woefully exposed. Only best key and certificate management practices, made possible and painless by an automated solution, truly protects vital data.

Manual management processes expose keys to compromise

To protect encryption keys, administrators must follow clear, well-documented processes that minimize the keys’ exposure. Most company’s manual key management practices fail to measure up:

  • Keys have multiple access points
  • Keystores passwords are not changed regularly
  • The same password is used across multiple keystores
  • Private key(s) are manually shared between administrators and applications
  • Distribution policies are lax or unclear
  • Private keys and passwords are not changed when admins leave the organization
  • Expansive key and certificate volumes leave glaring gaps in coverage

With so many points of exposure, dozens of people can access thousands of keys. The typically high IT staff turnover magnifies the risk of a compromise.

Poorly managed encryption assets give rise to serious security issues

Consider the devastating consequences of a compromised key:

  • A compromised symmetric key exposes the company to data breaches
  • A compromised private key (associated with a server’s digital certificate) exposes the company to data breaches, phishing attacks and malware
  • A compromised SSH key exposes the company to data breaches and other attacks

The Immune System for the Internet