Security has its foundation in trust, but trust and control over the source of trust go hand in hand. What happens when a lack of control over the technologies on which trust is built means you can no longer trust them?
Take a look, for example, at our reliance on cryptographic keys and digital certificates—technologies that were once thought of as intrinsically trustworthy. Case after case has shown how easily malicious individuals can usurp control of those technologies. Keys can be stolen and certificates forged.
Consider the abundance of attacks over the last two years—leading up to the most recent, where criminals issued unauthorized, but completely legitimate, certificates for Google by compromising a Turkish certificate authority (CA) operation. CAs and certificates in the U.S. and Europe have been compromised in a similar fashion.
That said, keys and certificates remain an excellent solution for keeping data safe and systems locked down. The real issue is with their management—or more specifically the lack thereof.
People have handed over the responsibility for enforcing trust to automated processes by which millions of systems automatically trust certain keys or certificates signed by trusted issuers CAs. Cryptographic keys and certificates are involved in how data is stored and encrypted, how application servers talk to databases, how tablets connect to corporate networks, and how customers interact. Business and government operations hinge on just a few kilobytes of encryption data. The encryption is sound, but recent cloud service outages like Azure and new threats have dramatically highlighted the issues around key and certificate management.
Consider how your security is affected if a CA is compromised.
If you are using forged or broken certificates, doesn’t your whole security infrastructure come under suspicion? More importantly, how quickly can you remediate the problem, assuming that you can discover it? Would your systems automatically know not to trust compromised certificates? Would they automatically obtain trustworthy certificates to replace ones signed by the untrustworthy CA?
No. They need help from the IT team. But does the typical IT manager know if certificates from a given CA can no longer be trusted? Would this manager even know which certificates and which systems are affected? Only if the IT manager is aware not only of the compromise, but also of the enterprise’s own encryption assets, and that takes monitoring and management techniques, not reliance on the encryption technology itself to automate trust.
Thus a lack of awareness extending from the trust instruments to IT managers threatens enterprises with a complete breakdown of operations. The Dutch government, and thousands of enterprises, suffered through just such a crisis after the compromise of DigiNotar in 2011. The evidence is overwhelming that unmanaged keys and certificates represent a security risk, operational nightmare, and a looming threat of compliance failure for almost every business and government agency.
It’s important to note that the breakdown in trust is not only attributed to nefarious criminal activities that result in system compromises. McAfee recently accidentally revoked a certificate which resulted in a breakdown in trust. Mac users were no longer able to validate if an application could be trusted or not. Trust broke down due simply to human error.
So, how exactly does one protect against the breakdown of trust in a world in which electronically enforced trust is anything but trustworthy? You have to manage that trust, and management starts with understanding how trust is delegated, assigned and managed. IT professionals must find out how and where their organization’s keys and certificates are stored, who looks after them, and how they are currently managed. The answers to those questions will determine if key- and certificate-based trust is a liability for the enterprise or if the enterprise has deployed it in a well-thought-out fashion.
The U.S. National Institute of Standards and Technology (NIST) issued guidance recommending that all organizations develop a catalogue of every certificate in use. Further, NIST recommends organizations be prepared to respond to the almost certain inevitability that one or more CAs used will be compromised in the future.
Even if criminals were not wreaking havoc with keys and certificates, mistakes and ignorance surely would. For example, thousands of businesses and governments have found out the hard way that they’re not keeping up with digital certificate inventories, expirations and policies. The most common culprit has been the spreadsheet on which most enterprise IT managers rely to track certificates. Such a spreadsheet worked well when managers had to inventory just a handful of certificates, but now the lists have grown to thousands of encryption assets. Managers overlook certificates, little aware that they are about to expire. And, when certificates expire, systems stop working. For most enterprises, unplanned system downtime can be an extremely expensive and damaging experience.
The situation is all the more critical because certificates and keys are increasingly prevalent, thanks to cloud computing. Research firm Forrester is predicting 2014 public cloud spending will reach more than USD 75 billion globally, meaning that a great deal of enterprise data will be traversing the cloud and relying on secure systems to protect it. Add to that the growing Bring Your Own Device (BYOD) and mobile computing trends, causing organizations to no longer own and control the devices used to access sensitive data, and the security challenge compounds.
Auditors and regulators are catching on to the lack of control and are issuing guidance. For example, the UK Information Commissioner’s Office (ICO) in its Guidance on the use of cloud computing stated that “robust key management” is required to ensure privacy and UK Data Protection Act compliance. In the case of a data breach, data protection regulators will expect organizations to demonstrate control over keys and certificates, including auditable access controls and segregation of duties. And for keys used for purposes from SSH authentication to cloud encryption, auditors are also asking tough questions and returning failed audits.
Cryptographic keys and certificates are the one common trust element that connects every enterprise to the cloud and mobile devices. Control those keys and certificates, and you can regain control of security. It will take common sense policies to bring order to the technology and people involved with key and certificate management. Once you have identified the technology, people, and policies, you can automate key and certificate management—finally taking back control of the critical elements of trust, privacy, and continuity.
Related Reading: Is Your Enterprise Managing Certificates? Three Reasons It Should Be.
Related Reading: Cost of Failed Trust Report
