At RSA 2016, Venafi made it real. Our gameshow - “Are You Smarter than a Bad Guy?” -  showed how your security foundation is built on a system of trust that relies on keys and certificates. Brick by security-enhanced brick, we built a wall of metaphorical security systems that rest on your keys and certificates. This wall of bricks illustrated how the smallest compromise of that foundation (a hijacked key or certificate) can cause the whole system to come tumbling down.

The rapid growth of keys and certificates is nearly unmanageable

Here’s why your security foundation is vulnerable. Global 5000 organizations deploy an average of 20,000+ digital keys and cryptographic certificates. That’s 20,000+ ways that cybercriminals can infiltrate your encrypted traffic every time you establish trusted connections, authenticate devices, secure applications, and authenticate code.

That’s a lot to manage, even if you are aware of all the keys and certificates that you are using. However, more than half of organizations (54%) don’t know exactly how many keys and certificates their systems use, where they are located, who owns them, who has access to them, or when they expire, On average, our customers have found more than 16K keys and certificates they didn’t know they had.

Bad guys know you are vulnerable

Even worse, your existing security systems are built on this very same foundation of trust. Because these systems trust keys and certificates they’re blind to many new threats. Even with thoughtfully layered security, you’re still exposed to man-in-the-middle attacks, spoofed websites, backdoor access, and code-signed malware attacks because they hide in encrypted traffic. And it’s only going to get worse.

Code-signed malware is growing at 75% CAGR. And cybercriminals are using SSL/TS against us, which allows the bad guys to look legitimate while they surveil networks, steal data, and stay undetected. Intel predicts the next big underground marketplace will be stolen certificates.

What you need is the ability to identify which keys and certificates are friend versus foe. You need to be able to determine the reputation (good or bad) of keys and certificates so that cybercriminals cannot use them anymore to bypass security solutions.

You can find and fix these vulnerabilities today

With Venafi, you get complete visibility and control. The Venafi Platform allows you to secure and protect all your keys and certificates while it shares a layer of services that make them work together—visibility, agents, policy, portals, workflow, reporting which integrates with hundreds of existing systems in your infrastructure.  We call ourselves the Immune System for the Internet™, because we let you know instantly which keys and certificates should be trusted and which shouldn’t, making security easy, fast and automated.

We hope you had a chance to visit us at RSA to see how your security foundation stacks up against cybercrime. If not, you can still talk to one of our experts to learn why hundreds of the world’s largest organizations use Venafi solutions to protect their foundation of trust.

DROWN lets an attacker perform MITM attacks on TLS connections in under 1 minute by sending probes to servers that support SSLv2. The vulnerability impacts roughly 33% of webservers worldwide. Even though this number is significant, it does not account for other services that allow SSLv2, including, email servers, embedded systems, web applications and software supporting SSL/TLS.

Some are calling this Heartbleed 2.0

Like Heartbleed, there are similarities in required remediation steps. Hopefully organizations will take heed and remediate faster (and more completely) than they did for Heartbleed. Last year, a full year after Heartbleed was discovered, most of the global 2000 organizations that Venafi surveyed had still not yet remediated Heartbleed. That’s why we recommend doing more to remediate (download our DROWN remediation plan).

Your keys and certificates are the foundation of trust

According to the Ponemon Institute, 100% of organizations have responded to an attack that misuses keys and certificates in the last two years. And an alarming 54% of them are unaware of where all of their keys and certificates are located. Not only are attacks that leverage keys and certificates increasing, their impact is as well. The organizations surveyed by the Ponemon Institute estimated the risk of an attack using keys and certificates at $53 million over the next two years—this considerable risk should be a wakeup call for all organizations.

DROWN points out the need to know what’s trusted and what’s not. That’s why we’re here to help. Download our DROWN Threat Brief and then let us know if we can be of assistance.

Controlling the use of keys and X.509 certificates in today’s highly dynamic world of compute, container, and micro services raises new challenges that require a new approach. In this new world which emphasizes fast delivery, security simply cannot be enforced using traditional slow IT policies and processes.

The speed of providing IT services has accelerated dramatically.

Business consumers and IT professionals are demanding new IT services and environments that are created at scale and speed. They demand Amazon AWS-'like' capabilities at similar speeds for 'internal' IT services. Gartner predicts that by 2017 three out of four enterprise organizations will be moving to a bi-modal IT structure with two stream/two speed IT: one that supports existing apps that require stability and another that delivers fast IT for innovation and business-impacting projects. To facilitate this demand many organizations are implementing processes and tooling that favor short-lived virtual machines, containers, and micro-services over the more traditional long-lived computing platforms. 

While these new tools and frameworks allow for speed and scalability they do not provide centralized security services. Thus, security often falls back to the traditional slow, manual, and error-prone way of doing things. Even worse, security policies and procedures are often ignored in-lieu of just getting the job done quickly.

However, keys and certificates are the foundation for securing modern SSL/TLS-based data communications. There is nothing to replace this foundational system of trust on which the Internet is based, nor will there be any time soon - which means keys and certificates are here to stay and will continually increase in numbers.

Figure 1. Automating key and certificate support for DevOps

Venafi’s industry-leading and proven Trust Protection Platform is already helping Global 5000 organizations fully encapsulate, secure, automate, and audit entire key and certificate lifecycles across their traditional IT services and infrastructures. Through the use of the Venafi API, all of these services can be made available to the new world of fast IT.

Going fast with keys and certificates.

For DevOps, the process for procuring correctly issued certificates often falls into the ‘SlowOps’ category of legacy IT, and significantly reduces velocity. DevOps teams are often found working outside of corporate security boundaries, policies, and guidelines. This isolation helps these teams get development and new innovation done faster, at the speed of business. But it also potentially introduces security risks and bad practices within the very environments that are being created - all in favor of speed.

Here are some examples of what DevOps teams may decide to do to get around the time it normally takes to procure certificates for their environments. Examples of shortcuts include:

• Don’t use TLS/SSL
• Create their own certificate authorities
• Create self-signed certificates
• Use unapproved certificate issuers
• Create certificates with weak signature algorithms
• Deploy certificates with long expiration periods
• Misinterpret or completely ignore security policies

The Venafi Platform can be configured to selectively expose some or all of its workflows and processes via easy-to-use REST APIs. These APIs can then be directly consumed by almost any DevOps, including continuous integration/delivery, automated build/deployment and container solutions such as Chef, Ansible, Puppet, SaltStack, Hashicorp, Docker, Kubernetes, UrbanCode to name a few.

Use Case - Venafi Platform integration with Chef

Figure 1 below provides an example of how the Venafi Platform easily integrates into a new or existing Chef framework. A simple sample cookbook can be used by DevOps teams as a way to get started when using Venafi’s key and certificate services.

Figure 1. - Example Venafi Trust Protection Platform integration with Chef Framework

Provide fast security with fast IT

The Venafi Platform lets organizations realize the benefits of Fast IT without compromising security. Security teams can now centrally define policy through the Venafi API and enable DevOps to properly comply with security policies and best practices. Venafi makes it easy for DevOps teams to correctly apply and build in security from the beginning.

Our platform provides the following benefits to DevOps teams:

• Unique keys and certificates are generated and issued on demand in seconds
• Uses the same platform for DevOps as that used by existing security teams and system administrators
• Single view of security posture and compliance with integration to Help Desk systems and SIM/SIEM environments. 
• Automated remediation and re-enrollment as standards and policies change 
• Automated alerts based on anomalies detected inside an organization and externally
• Virtually infinite scalability without additional administrative overhead

NOTE: The use case depicted in this article is intended to provide a very high level example of how Venafi APIs can be used by security teams to provide key and certificate services to DevOps teams. Since most of the components fall outside the Venafi domain the solution has not been subjected to any security validation, screening, or ratification by Venafi.

Apple’s Tim Cook contends that government access to keys and certificates, and the power they enable in providing trust and privacy, is “asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals.” Or, as Time recently describes: “the software equivalent of the secret name of God.”

Venafi views this type of government action as ultimately hijacking the expectation of privacy that exists in a digital world – the privacy and trust that cryptographic keys and digital certificates enable. At Venafi, we are serious about protecting privacy. We disagree with the government and law enforcement’s action to require disclosure. Given access to the proper data – precise awareness of all keys and certificates -  our customers can make informed decisions about their legal responsibilities as well as their responsibility to their customers, shareholders, and other stakeholders and should they decide to comply with a legal request, they will be able to do so.

Trending: Global laws are changing to bypass security and expose encrypted data

Regardless of the outcome of the U.S. court deliberations of Apple vs. FBI, the issue of law enforcement requesting keys and certificates is a growing trend in many parts of the world. Whether your organization is a bank, a retailer, an insurer, or a telco, all organizations today are software businesses that rely on keys and certificates for secure communications, commerce, computing, and mobility. In that light, Apple vs. FBI and the impact of key and certificate disclosure is a topic that is very relevant to all global organizations.

One of the reasons this issue is so serious is that a compromised, stolen, or forged key and certificate can allow bad guys to impersonate, surveil, and monitor servers, clouds, and mobile devices — acting as trusted on the network.

Source: TechValidate. TVID: 363-53E-598 

Keys and certificates have become high-value targets

The reality is organizations not only need to protect keys and certificates from bad guys looking to misuse them, but they also need to be completely aware of the status of every key and certificate in order to property secure them and make informed decisions about meeting global government and law enforcement requirements.

With tens of thousands of keys and certificates used in businesses today, most of them unknown and unprotected, the issue of key and certificate disclosure presents a serious risk to the Global 5000 (see Figure 1). Concerns over liability will impact CEOs, boards of directors, general counsels, and CISOs across the board.

Apple vs. FBI is part of a global trend of law enforcement seeking access to and use of keys and certificates. The most relevant of the laws of this type are those in Europe:

• United Kingdom: The Regulation of Investigatory Powers Act’s section 49 (RIPA) enables law enforcement to gain access to cryptographic keys. Failure to provide keys requests carries a mandatory jail sentences for those involved, including those representing a business such as a managing director or board.Deliberations are now underway on updates to RIPA that would allow law enforcement to require businesses to use surrendered keys and certificates to undermine security and introduce new vulnerabilities.
• France: Article 434-15-2 enables law enforcement to gain access to cryptographic keys and carries not only a criminal penalty of jail time of 3 years but also mandatory fine of €45,000 for each infraction. Fines increase to €65,000 and jail time to five years in cases where failure to provide the key could have prevented or limited the impact of a criminal act.

If Apple were a French or U.K. business, would Tim Cook or a Board Member be serving jail time for failing to provide access to its code signing key and certificate? It seems likely. But the potential impact doesn’t stop there. Subsequent action in these countries could still affect Apple executives and board members travelling abroad.

Action for all G5000: Detect and Protect all Keys and Certificates

Issues of key disclosure extend well beyond Apple. Because all businesses are essentially software companies, which use keys and certificates throughout, key disclosure can have a very real impact on productivity, success, and even liability. To minimize these risks, G5000 companies need to gain deeper knowledge of all aspects of protecting their keys and certificates.

Preparing for key disclosure requires a full understanding of the use and ownership of keys and certificates, especially those that IT security teams may not be aware of, including those used by marketing, engineering, and manufacturing teams. To learn what steps to take, download our Readiness Brief. 

How Venafi Helps You Manage Your Keys and Certificates

As the Immune System for the Internet™, Venafi protects the keys and certificates that establish trust, privacy, and confidence for your business. Venafi patrols across the network, on devices, behind the firewall, and throughout the internet to determine which SSL/TLS, SSH, WiFi, VPN, and mobile keys and certificates are trusted, protects those that should be trusted, and fixes or blocks those that are not. Venafi customers can download a summary on how to use their existing Venafi platform to their advantage in preparing for and dealing with disclosure-related issues.

As disclosure requirements and laws continue to evolve, having in-depth information about your keys and certificates will become a competitive advantage. Venafi gives you the information you need to help reduce risk and protect the trust and privacy that keys and certificates were designed to create.

Want to learn more? Let’s talk and see how Venafi can help your business.

Uodate March 28, 2016: FBI Drops Its Case Against Apple After Finding a Way Into the iPhone

The battle between the FBI and Apple might be on hold, but the wider war will continue to rage on. The FBI’s dropped case has by no means settled the wider issues around encryption, privacy and public safety. The fact remains that the US courts have been trying to push Apple to make a decision that could fundamentally undermine security and privacy for all. Not a good thing. 

The recent and public battle was a deliberate ploy by the US government to get its hands on the most sacred and powerful mass weapon of our times: the cryptographic keys and digital certificates that provide the foundations of all cybersecurity and trust on the internet.  As a result, keys and certificates have become the target of nation states and bad guys. Just like Apple, every enterprise uses and is dependent on keys and certificates for trust and privacy and therefore face many of the same issues.

We should also be concerned that now that an iPhone can be hacked, others will try. The iPhone has been seen as a tiny little Fort Knox that from the outside has shown how hard it is to crack and get into. Although someone helped the FBI break into the iPhone, probably in exchange for money, other people who stumble upon the same hacking technique could choose to sell to cyber criminals or other governments, which could sound the end to privacy as we know it.

So what’s at stake?

According to the Government Accountability Office, “If information security controls are ineffective, resources may be lost, information—including sensitive personal information—may be compromised, and the operations of government and critical infrastructure could be disrupted, with potentially catastrophic effects.” The office also highlighted several weaknesses in current Federal cybersecurity practices, including lack of risk-based cybersecurity programs and access control systems, while calling for improvements in contractor oversight, incident response, and security programs at small agencies. 

There’s commitment at the top, but the middle is where it matters

However unenforceable or underfunded, cybersecurity remains a top priority for President Obama. Outlined in a White House blog, the 2016 Federal Cybersecurity Research and Development Strategic Plan calls for “new forensic capacities that reliably identify the perpetrator quickly enough to take action, without compromising free speech, or anonymity for those who are doing nothing wrong.” Again, no one is arguing that Federal agencies will not need advances in cybersecurity to remain viable. But the real question is what can you do RIGHT NOW, given current funding and regulatory limitations.

In the wake of the massive data breach at the Office of Personnel Management, which exposed the records of nearly 22 million federal workers, Federal agencies are worried. But will legislators match that concern with the cash needed to implement the required cybersecurity? Time will tell. But in the meantime, the Office of Management and Budget recently upped the ante with the Cybersecurity Strategy Implementation Plan. The plan includes recommendations for basic security upgrades to prevent infiltration and breach. It’s a smart plan. And the goals are solid, but it’s the journey to those goals that remains uncertain.

What will it to take to evolve Federal cybersecurity?

The machine of bureaucratic change is admittedly cumbersome and slow moving. The U.S. Federal government is not run like a business. It is run like the slow-moving, unwieldy superpower that it is where change is slow and hard fought. Because the government is not profit driven, there may be little formal incentive to increase productivity or reduce costs. There are, however, informal incentives to allocate funds to penalty-driven programs, expend budgets, and maintain continuity. No agency wants to do anything that would disrupt service, as illustrated in the problems that plagued the launch of the Affordable Healthcare Act. So your upgrades get deferred. Then the budget disappears. And the problems remain. But you are back where you started. It’s very much a fix it now and catch up later mentality, according to an astute article in the Daily DOT.

First focus is to overcome the problem from within

In a survey commissioned by HP, the Ponemon Institute recently found that the Federal Government may be its own worst enemy when it comes to cybersecurity. 44 percent of federal workers who responded to the survey indicated that “the biggest threat to federal cybersecurity is ‘the negligent insider’ at an agency who fails to take enough precautions while using or protecting government networks.” By comparison, only 30 percent of respondents marked nation-state hackers as the primary threat.

Enforcement is everything. Employee compliance is critical. And support must trickle down from the top to the middle. The ultimate success of Federal cybersecurity relies on getting buy-in from cabinet secretaries and mid-level managers. It’s a change of mindset that may seem a bit unrealistic. But it’s the only way that the government can truly enact critical changes in cybersecurity. In the meantime, while new systems may be slow to implement due to concern over the continuity of large government programs, agencies must lock down the proper controls that will protect them throughout the process.

Making cybersecurity a priority

Agencies still need to overcome the burdens inherent in large government to enact the changes needed for effective, up-to-date cybersecurity. The good news is that you have backing from the highest levels, i.e. the oval office. But outlining and securing the necessary funding remains a challenge, as does staffing and implementation. To have any chance of bringing cybersecurity up to code, agency teams must identify, clarify, and justify the fastest, cheapest ways to mitigate the highest risks. Automating that security is one the best ways of enforcing compliance.

At Venafi, we believe that as the foundation of cybersecurity, keys and certificates are a good place to start. Without these forms of validation and authentication, we would simply not know which systems, applications, or users to trust. Control that system of trust (or mistrust) and you control access to your critical digital assets. Venafi can help automate the protection and management of your agency’s keys and certificates. Plus, it’s a smart place to invest, especially to prevent man-in-the-middle (MITM) attacks, spoofed websites, code-signed malware, and other threats that misuse keys and certificates to bypass even the most rigorous security controls.

Talk to us today to find out how Venafi can help you eliminate blind spots to protect your agency during the planned upgrades in your cybersecurity.