Certificate Authorities: A Means to Advanced Security, But Not the End

Certificate authorities (CAs) are critical links in the chain that ensures the quality and integrity of enterprise IT security, compliance and operations. CAs issue and ensure valuable third-party trust for human-to-machine and machine-to-machine communications and authentication. However, leveraging the security benefits of trust providers like CAs doesn’t relieve your organization of its management responsibilities.

On the contrary, effective encryption key and certificate management processes based on best practices are as critical to your organization’s security profile as are certificates and keys themselves. To understand what your organization should seek in a management solution, it might be helpful to first understand the roles CAs and digital certificates play on the security-solutions stage.

Encryption 101

CAs issue digital certificates to organizations or individuals after verifying their identities. A certificate binds that verified identity to a public key; the matching private key, which the holder must protect, is what makes the certificate usable. Together, certificates and keys keep sensitive files, systems and servers secure, compliant and running. Today's enterprises rely on thousands, and sometimes tens of thousands, of certificates and keys to authenticate users, servers and applications. Much as people use IDs and passwords, applications use certificates and keys to protect valuable data and authenticate systems.

With so many certificates and keys on the network, in cloud and virtual environments, and increasingly on mobile devices and tablets (to authenticate applications back to the network), enterprises face increased risks if they do not properly control and manage them. How effectively are organizations doing this? Recent research highlights alarming facts: Organizations have little idea how many of these critical security instruments they have in their inventories, where their encryption assets are deployed, who has access to them or how they are managed.

Organizations must regularly inventory certificates for a number of reasons. If a certificate expires unnoticed, your organization's employees, customers and partners can be locked out of critical applications and systems. If malware signed with a stolen code-signing certificate enters your network undetected, it can pass as legitimate software and siphon regulated data or inflict physical damage (Stuxnet's drivers were signed with stolen certificates). If your CA is compromised, an attacker can obtain certificates for your domains and use them to impersonate your services in a man-in-the-middle attack. Recovery and business continuity plans therefore require the ability to find, revoke and replace compromised certificates within minutes or hours, not days, weeks or months.

CAs do a great job of issuing certificates, and some provide rudimentary management tools for their certificates. These tools, however, are not effective when organizations use certificates from multiple CAs (a best practice), especially when they have deployed hundreds or thousands of certificates from each CA. Again, the job of managing certificates and encryption keys lies with the entities using them, not with the issuers, which makes robust discovery, inventory, monitoring and management capabilities as indispensable as CAs and the certificates they issue.

Good management solutions, like good employees, can be hard to find

A critical starting point in any management strategy is to create a comprehensive inventory of certificates and keys, followed by a careful analysis of the inventory and its policy-compliance status. Without this data, it is difficult to ensure information is secure, keep networks up and humming along, and fulfill information-security regulations.

The process of manually creating an accurate and exhaustive inventory of encryption certificate and key populations can be complicated enough to easily command an article of its own. The suggestions here just touch upon this complex process. First, remember that institutional memory plays a big role in manually creating inventories because in most organizations, a variety of administrators have deployed certificates in many locations over a period of years. Thus, it is best to take a multi-pronged approach that includes reaching out to individual administrators and business-service owners to ensure that you do not overlook any certificates.

During the inventory process and afterward, organizations might be tempted to increase their IT staffs to support their manual-management processes. But manual processes involve human error, which inherently increases the chance of introducing vulnerabilities. With manual processes, it is also more difficult to ensure that keys comply with regulations.

Instead, organizations should look for solutions that automate key and certificate management processes (a best practice). Automation removes the manual steps where compliance problems arise and ensures that keys and certificates are distributed, deployed and maintained according to industry standards and best practices, which makes compliance audits far easier to pass.
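As an added example, not code from the article: a Go program (standard library only) that performs the inventory-and-policy-check step the preceding paragraphs recommend automating. It walks a PEM bundle, records subject, issuer and expiry for every certificate, and raises a finding for each policy violation: expired or soon-to-expire certificates (the outage case), RSA keys below the minimum size, and certificates that do not chain to a CA the organization has approved (the rogue or unexpected-CA case). The certificates it examines are generated at run time by SampleBundle as constructed fixtures, a throwaway "Example Corp Internal CA" and four hypothetical hostnames, none of them real. The thresholds in Policy (30 days, 2048 bits) are assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

type Policy struct { // the baseline every certificate in the inventory is checked against (assumed values)
	WarnWithin time.Duration  // flag certificates that expire within this window
	MinRSABits int            // flag RSA keys shorter than this
	Roots      *x509.CertPool // the CAs the organization has approved
}

type Record struct { // one inventory entry; Findings holds the policy violations raised against it
	Subject, Issuer, SigAlg string
	NotAfter                time.Time
	DaysLeft                int
	Findings                map[string]bool
}

// Inventory checks every CERTIFICATE block in a PEM bundle; a corrupt one is recorded, not fatal, so one bad file cannot hide the rest.
func Inventory(bundle []byte, now time.Time, p Policy) []Record {
	var recs []Record
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" { // private keys and other PEM blocks are not inventoried here
			continue
		}
		if cert, err := x509.ParseCertificate(b.Bytes); err != nil {
			recs = append(recs, Record{Subject: "(unparseable)", Findings: map[string]bool{"unparseable": true}})
		} else {
			recs = append(recs, check(cert, now, p))
		}
	}
	return recs
}

func check(c *x509.Certificate, now time.Time, p Policy) Record {
	r := Record{Subject: c.Subject.CommonName, Issuer: c.Issuer.CommonName, NotAfter: c.NotAfter,
		SigAlg: c.SignatureAlgorithm.String(), DaysLeft: int(c.NotAfter.Sub(now).Hours() / 24), Findings: map[string]bool{}}
	switch { // validity window: an expiry nobody noticed is the outage case
	case now.After(c.NotAfter):
		r.Findings["expired"] = true
	case c.NotAfter.Sub(now) < p.WarnWithin:
		r.Findings["expiring-soon"] = true
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < p.MinRSABits { // key strength
		r.Findings["weak-rsa-key"] = true
	}
	// Issuer trust, evaluated at the certificate's own NotBefore so expiry is reported once (above); a failure here means an unapproved issuer or a bad signature.
	if p.Roots != nil {
		opts := x509.VerifyOptions{Roots: p.Roots, CurrentTime: c.NotBefore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := c.Verify(opts); err != nil {
			r.Findings["untrusted-chain"] = true
		}
	}
	return r
}

// SampleBundle is constructed test data, not any real organization's PKI: a throwaway internal CA
// plus four hypothetical leaves that exercise the checks above. As a fixture builder it panics on failure.
func SampleBundle(now time.Time) ([]byte, *x509.CertPool) {
	year, bundle := 365*24*time.Hour, &bytes.Buffer{}
	issue := func(tmpl, parent *x509.Certificate, pub, priv interface{}) { // nil parent: self-signed
		tmpl.SerialNumber = big.NewInt(int64(bundle.Len()) + 1) // distinct per call, since the bundle only grows
		if parent == nil {
			parent = tmpl
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
		if err != nil {
			panic(err)
		}
		pem.Encode(bundle, &pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	leaf := func(cn string, notBefore, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, NotBefore: notBefore, NotAfter: notAfter}
	}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture keys; generation with these parameters does not fail on a working system
	svcKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key shared by the CA-issued leaves, for brevity
	rogueKey, _ := rsa.GenerateKey(rand.Reader, 1024)           // an admin's hand-rolled, undersized key
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "Example Corp Internal CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-5 * year), NotAfter: now.Add(5 * year)}
	issue(ca, nil, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundle.Bytes()) // only the CA is in the bundle at this point
	issue(leaf("www.example.internal", now.Add(-time.Hour), now.Add(year)), ca, &svcKey.PublicKey, caKey)            // healthy
	issue(leaf("vpn.example.internal", now.Add(-time.Hour), now.Add(10*24*time.Hour)), ca, &svcKey.PublicKey, caKey) // renewal due
	issue(leaf("legacy.example.internal", now.Add(-2*year), now.Add(-24*time.Hour)), ca, &svcKey.PublicKey, caKey)    // already expired
	issue(leaf("shadow.example.internal", now.Add(-time.Hour), now.Add(year)), nil, &rogueKey.PublicKey, rogueKey)    // self-signed, 1024-bit RSA
	return bundle.Bytes(), roots
}
```

Inventory returns one Record per certificate; a caller (a test, or a small main) builds the fixture with SampleBundle(now) and passes the bundle and its roots into Inventory together with a Policy. The chain check runs at each certificate's own NotBefore rather than at the current time, so an expired certificate from an approved CA is reported once, as expired, and an untrusted-chain finding always means the issuer is outside the approved set or the signature does not verify. In a real deployment the bundle would come from crawling hosts, key stores and load balancers, and Record.SigAlg is recorded so that a signature-hash rule (rejecting SHA-1, for instance) can sit alongside the key-size rule.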

Research assistance

Fortunately for organizations in search of automated management solutions, analyst firms such as Gartner are producing new and more frequent reports that outline which vendors are leading in the space. In one of Gartner’s more recent reports, X.509 Certificate Management: Avoiding Downtime and Brand Damage, Gartner analysts Eric Ouellet and Vic Wheatman write:

“Organizations are often not aware of the scope or the validity status of their X.509 certificate deployments until it is too late. Organizations need to establish formalized plans and, if necessary, leverage available tools to minimize impacts.”

To help organizations narrow their searches for these tools and cut through the fear, uncertainty and doubt (FUD) and vendor hype, the two analysts go on to name a number of vendors that can provide effective levels of management.

Gartner isn’t the only organization answering questions around effective management. Firms such as the 451 Group and Aberdeen have begun to research and report on the issue, and leading conferences such as RSA and Black Hat have hosted customer and vendor sessions on it.

If your organization is confused about what to seek in its automated certificate and key management solution, this new wealth of resources can help it determine what it needs, and which vendors can meet its needs. A bit of simple homework on your part can put your organization on the fast track to getting a management handle on all of your encryption instruments.