Certificate Management – Challenges and How to Manage Effectively
In the digital foundation era, organizations are more and more dependent on digital information and digital entities which are also becoming a greater target for cyber attackers. In order to protect digital identities from aggressive external attackers and from insider malicious behavior with the increased proliferation of IOT devices, cloud and applications; there is a strong need for enterprises to ensure a secure identity and robust authentication mechanism. One method to address this concern is the PKI (public key infrastructure) which provides strong digital user security and data. Unlike traditional usernames and passwords, PKI uses cryptography (X.509 standard) technologies such as digital certificates and digital signatures to provide authentication and create unique credentials.
What is X.509?
Cryptography defines X.509 as a standard to define the public key certificates and a basis for HTTPS and TLS/ SSL. Management by X.509 consists of a public key and an identity (username, host IP, an organization or individual), and is either self-signed or signed by certificate authority. PKI is commonly used to encrypt any traffic passed over the internet as without it, it is difficult to perform secure communications, transactions, etc. PKI validates the source as well as digitally signs the documents, transactions and encrypts the communication channel.
Challenges with Certificates
Interestingly, cryptography has been around for a while, but it has evolved over time especially as the landscape is changing from traditional data centers to sharp adoption of digital devices to cloud. PKI is dependent upon cryptography and in a recent industry survey, it was found that more than 80% of an organization’s traffic is encrypted, and is continuing to rise in the backdrop of a cloud centric approach and remote work policies adoption.
There are two kinds of threats that invariably ties to certificates if not managed properly – one is outage, and another is breach. The typical challenges with PKI arise as the number of connected devices and people within an organization increases. As a result, issuing, deploying and revoking certificates for each device and application becomes a challenge as well as ensuring that unauthorized users are not able to request certificates; managing the life cycle of certificates; and assuring certificates are not abused through any cyber-attacks.
We see that many organizations today still use reactive and homebrew tools such as power script shell commands or excel spreadsheets to manage and track certificates, which can cause serious damage to the organization and is error-prone making this an inefficient way to manage. As an analogy, if you forget to renew/update the certificate on one of the servers/applications, it can take down your entire network – so a small mistake could become the next big story headline. The recent example we have seen of the outage with Microsoft’s collaboration platform Teams, where Microsoft forgot to renew the certificates on one server and then the entire Teams platform shut down. Therefore, we see there is a strong need for certificate management or governance which can address various security and data concerns that starts at discovery to implement the certificate, revocation and assessing the protocols, and includes cryptography and automated renewal of the certificates.
The Need for a Mature Certificate Lifecycle Management Solution
A certificate lifecycle management (CLM) solution would be imperative for organizations to have complete visibility and prevent applications from any outages, and yields several benefits. Zensar’s Digital Foundation Services Enterprise Security team follows a 4 step mature and tested framework “Certsecure” to manage the certificate lifecycle: Discover, Implement, Manage and Automate.
Let’s explore the process that IT teams should be aware of when managing these digital certificates.
- Discover: If you don’t have the inventory, you wouldn’t be able to protect them. Generally, an organization’s certificates grow exponentially with the people, devices and change in IT landscape. So, the preamble is discovering the certificates across the cloud and non-cloud IT estate and creating a complete report showing variables such as compliant vs non-compliant; deprecated protocols; port; weak cryptography; certificate lifespan; short key; expiry; renew; internal certificates vs. external certificates; and many more.
- Implement: Once we have the complete report, the next step is implementing the rule to issue, renew, revoke and implement certificates for internal certificate authorities (CA), as well as external certificate authorities (CA). For external CA, we suggest REST-API based integration.
- Manage: The dashboard provides the single pane of glass view to the certificate’s chain either issued by internal CA’s or external CA’s, and usage on the certificate’s procurement and access to keys, etc.
- Automate: Zensar recommends integrating CLM logs with ITSM and SOC tools to automatically generate a ticket for the SOC to respond to the offense in real-time. In addition, automation is used to update, renew and issue certificates in real-time by leveraging built-in functionality to gain access to internal and external CA’s.
In summary, a mature certificate lifecycle management process provides organizations with a consistent and measurable method to assist with not only meeting the audit and compliance requirements, but also being able to enhance security measures and reduce the costly affair related to transport layer security (TLS) certificate management