Technology
Published by Gbaf News
Posted on October 24, 2012
Editorial & Advertiser disclosure
Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.
By Calum MacLeod, EMEA Director at Venafi
Organisations of all sizes and industries maintain extensive financial, customer and mission-critical business data. However, when sensitive information is misused or compromised, organisations will often pay a heavy price. Recent high-profile security breaches have cost millions in revenue and lost opportunities. These fears, along with new security standards and regulations, have driven IT professionals to deploy encryption more broadly.
The problem is that, having done so, the encryption keys used to secure data become the figurative “keys to the kingdom.” The key (and not the data itself) becomes the entity that must be safeguarded. Efforts to manage these keys manually, however, represent a significant security risk and become operationally challenging, especially as encryption is deployed across disparate systems and applications.
Organisations are struggling to properly manage and control these rapidly multiplying certificates and keys to prevent security breaches, system downtime and other disasters. It’s a catch 22 situation – but it doesn’t have to be.
The EKCM Challenge
Before we can solve the problem of enterprise key and certificate management (EKCM), we must first fully understand the challenges faced:
Before we can solve the problem of enterprise key and certificate management (EKCM), we must first fully understand the challenges faced:
- Certificates that are not renewed and replaced before they expire can cause serious downtime and outages
- Regulations and requirements (like PCI-DSS) demand stringent security and management of cryptographic keys and auditors are increasingly reviewing the management controls and processes in use
- Private keys used with certificates must be kept secure or unauthorised individuals can intercept confidential communications or gain unauthorised access to critical systems. Failure to ensure proper segregation of duties means that admins who generate the encryption keys can use them to access sensitive, regulated data
- The average certificate and private key require four hours per year to manage, taking administrators away from more important tasks and costs hundreds of thousands of pounds per year for many organisations
- The rollout of new projects and business applications is hindered because of the inability to deploy and manage encryption to support the security requirements of those projects
- If a certificate authority is compromised or an encryption algorithm is broken, organisations must be prepared to replace all of their certificates and keys in a matter of hours
The simple fact is that certificates and private keys play a critical role in securing data and systems across all types of organisations. Having understood the risks of unmanaged encryption deployments, it is imperative to utilise EKCM best practices.
EKCM Best Practice
The effective management of certificates and private keys involves multiple individuals and groups. It is critical to establish clear and concise responsibilities for the various stakeholders. This helps ensure that nothing gets overlooked and multiple parties aren’t duplicating work to other projects.
The critical starting point in any certificate and private key management strategy is to create a comprehensive inventory of all certificates, their locations and responsible parties. This is not a trivial matter because certificates are deployed in a variety of locations by different individuals and teams – it’s simply not possible to rely on a list from a certificate authority. Adhering to the below practices will ensure that no certificates are missed:
Import from Certificate Authorities
Gather what you already know about the certificates from existing certificate authorities. It is very dangerous to assume that an import from your known CAs will provide an accurate inventory of all certificates; it’s merely a starting point that must be augmented by discovery.
Individual Import from Admins
Network and agent-based discoveries can take time and it may not be possible to perform them in all corporate locations. That makes it critical to educate administrators and make sure they are proactively reporting any certificates they are aware of and adding them to the inventory.
Perform Network Discovery
Perform a network discovery to find certificates that are present on a listening port such as HTTPS. Start by gathering your network address ranges and then collect a list of ports to check. You can initially check on port 443, but there are many ports on which certificates are commonly presented.
Agent-based Discovery
Many certificates are not discoverable via network ports, such as client-side certificates used for mutual authentication on SSL. Finding these certificates typically involves performing file system scans on server and client systems with a locally-installed agent.
Many certificates are not discoverable via network ports, such as client-side certificates used for mutual authentication on SSL. Finding these certificates typically involves performing file system scans on server and client systems with a locally-installed agent.
Sounds simple! Just remember that performing an inventory is not a one-time event. You should repeat the steps above weekly to ensure the inventory is up to date.
As you’re developing your inventory, establish a correlation of who the contacts and owners are for certificates. Wherever possible assign groups as the contacts instead of individuals to avoid a single point of failure. Some helpful sources include certificate authorities, tracking spreadsheets, and even a CMDB. Define clear responsibilities for maintenance of certificate contact information.
An important method for preventing in-service expirations is to establish a central monitoring function that ensures certificates are replaced prior to expiration by automatically notifying responsible groups. Only when the new certificate has been installed and the application has been reset to use the new certificate prior to the time of expiration is the risk of downtime averted.
Expiration reports should be sent to certificate owners each month that show a list of all certificates expiring in the next 90 days. Individual expiration notifications should be sent if action has not been taken on an individual certificate within 30 days of expiration. If action has not been taken within 20 days prior to expiration, escalation to additional parties should be added. At 10 days from expiration, notifications should be sent to a NOC or other corporate group that is responsible to respond to the crisis until it is resolved.
Establish standard practices for enrolment and provisioning that maximize reliability and repeatability, ensure security and compliance to policy, and minimize load on your administrators. There are easily 20 or more steps involved in issuing or renewing a certificate. These steps must be standardised and implemented in compliance with policy every time.
Errors are inevitable when the steps outlined above are performed manually. In addition, confidently ensuring the security of the private key is very challenging when these operations are performed manually. Automated methods of certificate enrolment and provisioning exist and should be considered.
EKCM best practice is vital if you’re to avoid the complications, embarrassment and expense of your organisation’s security being compromised. Make sure you have a clear understanding what the risks that apply to your organisation are. By prioritising them, and clearly communicating the importance of addressing them in your organisation, you can accelerate the implementation and adoption of best practices since all stakeholders will understand the implications of not doing so.