
Keeping Trust Under Control Is the Key to IT Security


Security has its foundation in trust, but trust and control over the source of trust go hand in hand. What happens when a lack of control over the technologies on which trust is built means you can no longer trust them?

Take a look, for example, at our reliance on cryptographic keys and digital certificates—technologies that were once thought of as intrinsically trustworthy. Case after case has shown how easily malicious individuals can usurp control of those technologies. Keys can be stolen and certificates forged.



The architects of our own destruction

Caesar, infrastructure, outsourcing and offshoring

I never wanted to spend my life in IT. I passed a programming exam at high school because I promised the teacher I would never return. It was the hardest 50% I ever had to work for! My passions were history and literature, and especially Latin, which I was actually quite good at. And little did I realise all these years later that the “dead” civilisation would come back to haunt me!


gTLD security woes – the breakdown of trust


The recent news about the looming generic top-level domain (gTLD) names that the Internet Corporation for Assigned Names and Numbers (ICANN) is adding has sparked mixed emotions. Dot-anything domain extensions are already being auctioned off and should be seen as early as April 23, 2013. Despite growing contention from organizations such as the CA Security Council, it seems evident that gTLDs like “.local”, “.corp” and “.internal”, to name a few, will probably come to pass.

There are two areas of controversy related to the proposed gTLDs that directly impact each other. The first is the impact on security, while the second is the time organizations have to respond to the new gTLDs. Organizations face instrumental challenges nowadays to reduce their threat surface, and respond to targeted attacks related to the breakdown in trust asset management like keys and certificates. Sadly, many are failing, and the addition of gTLDs only helps them fail faster because of poor key and certificate management.

Security – the Man-in-the-Middle:

One concern over the gTLDs is with regard to a domain like “.corp” or “.local”, for example. Many organizations have used these domains for internal domains. It would be very easy for an attacker to spoof one of these internal domains for an internal company website and redirect employee traffic to a malicious website. On a public internet connection, instead of an employee going to intranet.corp, they could very easily be sending sensitive authentication information to unknown sources that have registered wildcard “.corp” TLDs.

Man-in-the-middle attacks are nothing new. It is fairly easy for an attacker to redirect traffic via DNS to a fake website with a fraudulent certificate. The big concern over gTLDs is based on the fact that a large percentage of organizations do use generic top-level domain names internally. By making these gTLDs available for purchase, ICANN creates a duplication issue. There will be collisions on the internet from conflicting certificates issued to the same gTLDs by certificate authorities (CAs) who have issued short name certificates to organizations using these generic domain names.

For a long time CAs have been issuing short name certificates to organizations for internal use for non-fully qualified domain names. The massive risk of the new gTLDs is that an attacker can apply for a certificate from a CA for a gTLD before it is approved by ICANN. Once ICANN approves the gTLD, the attacker has a legitimate certificate to go about performing man-in-the-middle attacks.

Time is not on your side:

ICANN already started accepting applications in 2012, and expects registry agreements as soon as April 23, 2013.

The new gTLDs mean that organizations have to change their internal organizational structure so that they no longer use non-fully qualified domain names like “intranet.corp” and instead use fully qualified domain names like intranet.company.com. This is no small task and can take years to fully execute.

Short name certificates that have already been issued need to be deprecated. CAs have been requested to stop issuing such certificates by Nov 1, 2015. Organizations need to move quickly to plug the security gap before it becomes an issue. One of the fastest ways would be to block the names from resolving. However, this will result in unexpected behavior on corporate networks, which in turn will result in increased costs and potential downtime.

The gTLD saga once again highlights the fact that a large percentage of organizations do not know how many certificates they have.

Confirmed by the Ponemon Institute, fifty-one percent of Global 2000 organizations do not know how many keys and certificates are in use within their organizations. When you take into account that organizations need to understand how many short name certificates are in use within the network to close the security gap of new gTLDs, time is very short indeed.
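The inventory step described above can be sketched as follows. This is an added example, not code from the original post or from Venafi: it takes a certificate inventory that has already been exported as a list of subject names per certificate and flags short names and names under internal suffixes. The suffix watch-list holds only the three suffixes the post names, and the inventory format and sample entries are constructed for illustration.

```python
from collections import Counter
from datetime import date
import ipaddress

# Suffixes the post names as commonly used for internal domains. The watch-list
# itself is an assumption of this example; extend it with your own suffixes.
INTERNAL_SUFFIXES = {"corp", "local", "internal"}
FLAGGED = ("short-name", "internal-suffix")


def classify_name(name):
    """Classify one certificate subject name (a CN or SAN value)."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):            # wildcard: judge the base name
        host = host[2:]
    try:
        ipaddress.ip_address(host)
        return "ip-address"              # not judged by this check
    except ValueError:
        pass
    labels = host.split(".")
    if labels[-1] in INTERNAL_SUFFIXES:
        return "internal-suffix"         # e.g. intranet.corp
    if len(labels) == 1:
        return "short-name"              # e.g. intranet
    return "fqdn"                        # e.g. intranet.company.com


def audit(inventory):
    """Return one finding per certificate that carries a flagged name,
    earliest expiry first, so replacements can be planned in that order."""
    findings = []
    for cert in inventory:
        flagged = {}
        for name in cert["names"]:
            kind = classify_name(name)
            if kind in FLAGGED:
                flagged[name] = kind
        if flagged:
            findings.append({
                "serial": cert["serial"],
                "not_after": cert["not_after"],
                "flagged": flagged,
                # True when the certificate also covers names that are not
                # flagged, so replacing it touches those services as well.
                "has_other_names": len(flagged) < len(cert["names"]),
            })
    return sorted(findings, key=lambda f: f["not_after"])


def summarize(findings):
    """Count flagged names per category across all findings."""
    return Counter(kind for f in findings for kind in f["flagged"].values())


# Constructed sample inventory (serials, dates and names are made up).
SAMPLE_INVENTORY = [
    {"serial": "01", "not_after": date(2016, 3, 1),
     "names": ["intranet.corp", "intranet"]},
    {"serial": "02", "not_after": date(2014, 6, 30),
     "names": ["www.company.com", "mail.local"]},
    {"serial": "03", "not_after": date(2015, 1, 15),
     "names": ["intranet.company.com"]},
    {"serial": "04", "not_after": date(2013, 12, 1),
     "names": ["*.internal", "10.0.0.5"]},
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f["serial"], f["not_after"], f["flagged"], f["has_other_names"])
    print(dict(summarize(results)))
```

Certificates that mix flagged and public names are reported with `has_other_names` set, since replacing them affects the public services they cover too.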

Do you trust in the internet, are digital certificates the new malware?


Organized criminals are using encryption keys and digital certificates against you on a daily basis. We’ve all come to trust that we securely communicate with websites as we go about our daily online transactions. The green address bar in our browsers gives us a sense of confidence that the transfer of information is secure. However, many times when our browsers pop up with a warning that something is wrong with the website certificate, we ignore it and proceed anyway. Cryptographic keys and certificates are the core of trust in digital communication. But what happens when that trust is used for nefarious action against you?

For years now organized groups have been using encryption keys and digital certificates to steal information. Stuxnet and Flame are two commonly known examples of malware that took advantage of weaknesses in MD5 and were signed by forged certificates. Why do this? To make the malware appear as if it comes from a legitimate source. In doing so the operating system will allow the installation of the malware without any warning.

One does not even need to go to the extent of forging a certificate. It’s much easier to simply steal one to sign the malicious code. So far, for the month of April, the Common Computing Security Standards (CCSS) forum has logged sixteen legitimate digital certificates associated with malware. Doesn’t sound too bad compared to the number of nodes on the internet, right? Wrong. Take into account that there is an average of 200,000 new malicious programs found every day, and the problem is quite serious!

If forging or stealing a digital certificate sounds like too much work, why not set up a fake company, and deceive a public certificate authority (CA) into issuing you a legitimate certificate? That is exactly what the creators of Brazilian banking malware did. A fake company was set up to successfully dupe the CA DigiCert into issuing the nonexistent company Buster Paper Comercial Ltda a legitimate certificate. 1

The advent of new gTLDs makes obtaining a legitimate certificate all too easy for top level domain names. These new certificates can be used for man-in-the-middle attacks. Read more on gTLD security woes.

The Mandiant APT1 report released earlier this year showed that 100% of attacks identified were based on compromised credentials – from laptops to servers. Attackers are compromising and misusing keys and certificates used for authentication all the time. They are using keys and certificates to encrypt Command & Control traffic. It’s no surprise that every organization surveyed by the Ponemon Institute has had to respond to at least 1 attack on keys and certificates over the last 2 years.

What to do about it?

Despite the multi-layer defense in depth strategies deployed by organizations, we clearly see that targeted attacks are taking advantage of trust, breaking it down, and using it against us. We need new strategies to protect our data—the new currency.

In an effort to address the breakdown in trust, earlier this month the National Institute of Standards and Technology (NIST) released a baseline set of security controls and practices to support the secure issuance of certificates. This is specifically aimed at CAs as a result of analysis of the continuous security breaches showing “insufficient security controls being in place on the computer systems and networks at these CAs, and sometimes exacerbated by weak record keeping”2.

One in five organizations expect to respond to an attack related to encryption keys and digital certificates in the next two years. Attackers are looking for two things: 1) where there is little visibility of a vulnerability, and 2) where there is little ability to respond. On average, enterprises have over 17,000 keys 3. Sixty percent of attendees at RSA2013 said it would take one or more days to respond to an attack that took advantage of encryption keys or certificates.

Trust can only be established and maintained if you have a clear understanding where your organization is vulnerable, and are able to respond to an attack—they are inevitable—with the least amount of damage. To do this you need to understand the source of the encryption keys and certificates, how they are being used, and managed.

With a clear understanding and control over your key and certificate inventory you can trust in the internet, and respond to the rise in malware that takes advantage of keys and certificates.

Cyber attacks on trust expose UK organizations to £247 million in losses reveals Ponemon and Venafi research


Mismanagement of millions of cryptographic keys and digital certificates threatens security and operations of UK businesses

London, UK – 23 Apr., 2013

Venafi, the inventor of and market leader in enterprise key and certificate management (EKCM) and the Ponemon Institute today reveal that every large UK business is open to £247 million in possible threat exposure due to a lack of control over cryptographic keys and certificates, the foundation of trust in the modern world of secure communications, smartphones, cloud computing and almost every digital and electronic asset.

Organisations face ever-increasing challenges with trust exploits. With advanced persistent threats (APTs), bad actors are taking advantage of every exploit and look for the weakest link in security systems. Common, well-known vulnerabilities like digitally signed malware, poor key and certificate management and weak cryptographic methods remain in many enterprises. Despite over half (51%) of UK organisations admitting that they know these to be major security issues, few are taking action. Failure to manage certificates and keys creates vulnerabilities that cybercriminals leverage to breach enterprise networks, steal data and IP and disrupt critical business operations. Every UK organisation in the survey had faced at least one of these attacks over the last 2 years.

“With every business and government department across the UK relying on cryptographic keys and certificates in order to operate, failure to manage just one can result in serious attacks or unplanned system outages,” says Calum Macleod, Venafi EMEA Evangelist. “Criminals understand how difficult it is to control trust, and by failing to have the correct controls in place to manage or secure certificates and keys, businesses have opened themselves up to risk on a daily basis.”

Today the typical Global 2000 organisation has an average of 17,807 certificates and keys deployed across its infrastructure. Within the UK Fortune 500, there are likely five or six million keys and certificates in use at any one time, which creates a significant target for attack and renders manual management untenable.

The survey also highlights that 61% of UK respondents don’t know how many keys or certificates are currently in use across their infrastructure. This identifies a worrying trend that whilst half of respondents know the security impact of certificate mismanagement, the same amount (half) have no idea how many certificates are currently in action.

Macleod continues “It is extremely concerning to know that so many businesses are aware of the security impacts certificate and key oversight can have on a business, yet are still doing nothing to combat the problem. Unless organisations sit up and take notice of this growing problem the threat and the amount of money lost by organisations each year will only increase.”

Download the full Ponemon “2013 Cost of Failed Trust Report: Threats & Attacks.”

New Strategies to Gain Control over Trust

Venafi Director helps enterprises reduce the risk of malicious attacks on trust. With the full lifecycle management of keys and certificates, Director provides full visibility into key and certificate inventories and end-to-end automation of processes, drastically reducing enterprises’ risk and providing strategies not possible before to shrink the attack surface. One of the new strategies supported in the latest release of Director is the use of fully managed self-signed certificates. A compromise now only impacts a single key and certificate, not many – such as when a CA is compromised. In the past, maintaining thousands of self-signed certificates increased both risk and operational burden on an enterprise.

Certificates must be continuously monitored to ensure that only authorized certificates are being used and errors and oversights do not lead to unplanned outages from expiration or misconfiguration. For example, Mandiant reported in its APT1 Report that multiple self-signed certificates, some purporting to be from the world’s largest IT vendors, were in use. These could have been easily discovered but went undetected in many organizations. Director enables enterprises to automate continuous monitoring and if needed, replace keys and certificates in seconds anywhere across the enterprise and in the cloud. All of this increases the ability of enterprises to prevent attacks and respond faster if needed – continuing Venafi’s success in helping organisations reduce risk from alarming attacks on trust.

 

About Ponemon Institute

Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

 

About Venafi

Venafi is the inventor of and market leader in enterprise key and certificate management (EKCM). Venafi delivered the first enterprise-class solution to discover all digital certificates and cryptographic keys within an organization, connect these assets to the people responsible for them, report on and audit their use to prove compliance, enforce policy, and automate operations to eliminate security risks, unplanned outages and compliance failures. Designed specifically for the enterprise, Venafi Director helps organizations regain control over trust in the data center, on desktops and mobile devices, and in the cloud by managing Any Key. Any Certificate. Anywhere™. Venafi also publishes best practices for effective key and certificate management. Venafi customers include the world’s most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.

Venafi and NIST Join Forces in National Cybersecurity Center of Excellence


Together Venafi, Cisco, HP, HyTrust, Intel, McAfee, Microsoft, RSA, Splunk, Symantec and Vanguard Tackle Pressing Cybersecurity Issues

SALT LAKE CITY, UT – Apr. 25, 2013

Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) security solutions, today announced its partnership with the National Cybersecurity Center of Excellence (NCCoE). Created by the National Institute of Standards and Technology (NIST), NCCoE brings together Venafi and other leading security firms to address pressing threats to private-sector intellectual property and other valuable business and federal agency data. As part of the NCCoE, Venafi commits to sharing its cryptographic key and digital certificate management expertise as well as to contributing software and personnel, who will work side-by-side with federal staff and other NCCoE partners in the new center of excellence.

Every business and government agency confronts key and certificate management issues daily because every organization relies on certificates and keys to ensure that communications and transactions remain trusted, private and compliant with regulations. Failure to manage these encryption assets creates vulnerabilities that cybercriminals exploit to breach enterprise networks, steal data and disrupt critical business operations.

Venafi has spent years formulating best practices for managing keys and certificates, the critical foundation of trust in a globally interconnected, online world, and Venafi solutions help many of the world’s largest and most prestigious companies implement these practices. With Venafi, organizations can discover all their keys and certificates, tie the assets to people, generate compliance reports, and enforce automated policies that reduce risks of security breach, unplanned downtime and failed audits.


“Recent cyberattacks and a series of advanced persistent threats highlight how much help businesses and governments need in controlling trust,” said Jeff Hudson, Venafi CEO. “Leading security providers must work together to meet new cybersecurity challenges, as NIST has underscored by creating the NCCoE. We are honored to be part of this partnership and applaud NIST for bringing the world’s leading security providers together to address these and other critical security issues.”

“This consortium will focus on improving our current security practices,” said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher. “Cybersecurity is one of the toughest technical challenges facing the nation today. NIST looks forward to working with Venafi and our state and federal partners in the NCCoE to jumpstart protections of our vital IT infrastructure and business information. By combining efforts and expertise with industry leaders like Venafi, we hope to pave the way for national cybersecurity standards and to make a real difference for the organizations that rely on our guidance.”

The NCCoE deepens an ongoing partnership between NIST and Venafi. In July of last year, NIST and Venafi co-authored the NIST Information Technology Laboratory (ITL) bulletin, “Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance.” This bulletin alerts both government agencies and private-sector organizations to the risks of certification authority (CA) compromises. The bulletin also offers guidance on preparing for and responding to a CA compromise that results in fraudulently issued security certificates.


Help Net Security


Cyber Attacks On Trust Expose Companies To Millions in Losses

“’With every business and government department across the UK relying on cryptographic keys and certificates in order to operate, failure to manage just one can result in serious attacks or unplanned system outages,’ says Calum Macleod, Venafi EMEA Evangelist. ‘Criminals understand how difficult it is to control trust, and by failing to have the correct controls in place to manage or secure certificates and keys, businesses have opened themselves up to risk on a daily basis.’”


Vigilance


Cyber Attacks On Trust Expose UK Organizations To £247 Million in Losses Reveals Ponemon and Venafi Research

“’With every business and government department across the UK relying on cryptographic keys and certificates in order to operate, failure to manage just one can result in serious attacks or unplanned system outages,’ says Calum Macleod, Venafi EMEA Evangelist. ‘Criminals understand how difficult it is to control trust, and by failing to have the correct controls in place to manage or secure certificates and keys, businesses have opened themselves up to risk on a daily basis.’”



Yahoo! Finance


Venafi and NIST Join Forces in National Cybersecurity Center of Excellence

“Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) security solutions, today announced its partnership with the National Cybersecurity Center of Excellence (NCCoE). Created by the National Institute of Standards and Technology (NIST), NCCoE brings together Venafi and other leading security firms to address pressing threats to private-sector intellectual property and other valuable business and federal agency data. As part of the NCCoE, Venafi commits to sharing its cryptographic key and digital certificate management expertise as well as to contributing software and personnel, who will work side-by-side with federal staff and other NCCoE partners in the new center of excellence.”


On Demand: Cost of Failed Trust


Venafi and Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, present the “Cost of Failed Trust: Attacks of Failed Key & Certificate Management.”

At this live webinar, you will learn:

  • How hackers are exploiting trusted certificates in attacks from Duqu to Buster
  • How vulnerable most businesses and government agencies are—as quantified by Ponemon research
  • How to implement better management practices to protect your organization
  • How to obtain a free risk assessment from Venafi


The Wall Street Journal


Venafi and NIST Join Forces in National Cybersecurity Center of Excellence

“Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) security solutions, today announced its partnership with the National Cybersecurity Center of Excellence (NCCoE). Created by the National Institute of Standards and Technology (NIST), NCCoE brings together Venafi and other leading security firms to address pressing threats to private-sector intellectual property and other valuable business and federal agency data. As part of the NCCoE, Venafi commits to sharing its cryptographic key and digital certificate management expertise as well as to contributing software and personnel, who will work side-by-side with federal staff and other NCCoE partners in the new center of excellence.”


Venafi wins SC Awards Europe 2013 for Best Encryption Solution


Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions, today announced that SC (Secure Computing) Magazine Europe has named Venafi Director as Best Encryption Solution in the SC Europe 2013 Awards. The awards recognise innovative security solutions worldwide, rewarding industry-leading security vendors and cutting-edge technologies. The Best Encryption Solution award acknowledges Venafi’s innovation and leadership in helping organisations regain control over trust.

Venafi Wins 2013 SC Award for Best Encryption Solution


Venafi recognised for security industry leadership and technology innovation in helping enterprises regain control over trust and targeted attacks

Bracknell, UK – 7th May 2013

Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions, today announced that SC (Secure Computing) Magazine Europe has named Venafi Director as Best Encryption Solution in the SC Europe 2013 Awards. The awards recognise innovative security solutions worldwide, rewarding industry-leading security vendors and cutting-edge technologies. The Best Encryption Solution award acknowledges Venafi’s innovation and leadership in helping organisations regain control over trust.

The honour comes at a time when many organisations have, unfortunately, lost that control. Targeted cyber-attacks are steadily increasing, and business executives face the costly consequences of exploits against cryptographic keys and digital certificates, the foundational technologies that establish trust. Through advanced, persistent attacks (APTs), bad actors will exploit any weakness in a security system to gain unauthorized access and steal data. Poor key and certificate management, coupled with weak, outdated cryptographic methods, leave organisations vulnerable to common, well-known exploits such as malware signed with stolen private keys or fraudulent certificates. As cloud computing increases and employee-owned devices are allowed on the network, the challenge of securing company data everywhere increases exponentially.

Hackers are targeting cryptographic keys and digital certificates due to the pivotal role these assets play in all enterprises, explained Kevin Bocek, Vice President of Product Marketing at Venafi. “In recent years, organisations have begun to realise their dependence on keys and certificates for almost every electronic service, from airline operations and online payments to cloud computing and secure communications. The importance of controlling trust and reducing exposure in this area simply cannot be overstated.”

Bocek expressed concern, however, that organisations’ management of their encryption assets does not match the assets’ importance. “Over half of all enterprises don’t know how many keys and certificates are in use, for instance. More than 60 percent of organisations would take a day or more to correct CA trust relationships if attacked by digitally signed malware. Organisations would respond just as slowly to a compromised SSH key—although these keys unlock all the resources in the cloud. Combine ignorance of how trust is established with the inability to quickly respond when trust breaks down, and you have the perfect vehicle for an APT and sophisticated attackers to launch their exploits.”

“That’s why,” continued Bocek, “we’re so thrilled that SC Magazine Europe recognized both the scope of the problem and how Venafi Director helps organisations to overcome it. We’re honoured to have won the Best Encryption Solution Award for the only solution in the industry that’s helping enterprises regain control of their most critical encryption resources.”

Venafi helps enterprises reduce the risk of malicious attacks on trust. With full lifecycle management of cryptographic keys and digital certificates, Venafi provides complete visibility into key and certificate inventories and end-to-end automation of processes. Venafi Director is the only enterprise platform that allows organisations to discover all their keys and certificates, connect these assets to the people responsible for them, report on and audit their use to prove compliance, enforce policies to reduce risk and errors, and automate all management operations to eliminate security threats, unplanned outages and compliance failures.


SC Magazine


Key and Certificate Challenges Could End Up Costing UK Businesses £247 Million

“Calum Macleod, EMEA evangelist at Venafi, said: ‘With every business and government department across the UK relying on cryptographic keys and certificates in order to operate, failure to manage just one can result in serious attacks or unplanned system outages. Criminals understand how difficult it is to control trust, and by failing to have the correct controls in place to manage or secure certificates and keys, businesses have opened themselves up to risk on a daily basis.’”


Are Your Private Keys and Digital Certificates a Risk to You?


Last month I wrote about digital certificates and encryption keys being used nefariously against organizations. In the time it takes you to read this blog, 1388 new malicious programs would have been submitted to AV-Test for analysis. With a percentage of these malicious programs stealing private keys and digital certificates, it’s imperative that you understand where and how these assets are being used within your organizations. In one month of malware analysis Symantec found over 800 samples that had been designed to steal keys and certificates. The growth rate of malware using digital keys and certificates is staggering. Compared to the growth rate of apps submitted to Apple every day, the growth rate of digital certificates used in malware is 5 times that – 600% in the last year.

The question that needs to be answered is, why would an attacker steal private keys and digital certificates? Simply put, to gain access to your data more easily. Signed malware with a stolen digital certificate, in many cases, will be executed without any error from operating systems. In the month that Symantec specifically tracked malware that steals encryption keys and digital certificates, the US alone accounted for more than half of all infections worldwide.

Attackers haven’t ignored Secure Shell (SSH) keys either. Stolen SSH keys are used to break into systems and expand within the network. As an organizations you should prioritize in understanding where SSH keys are being used, who has access to them or for what purpose in order to reduce your attack surface. Take for example the FreeBSD servers that were hacked late last year as a result of a stolen SSH key – which was being used by a developer. Had the SSH private key been assigned a password, the attack would probably not have been successful, or at least made more difficult.
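One way to check the point about password-protected SSH private keys across a set of key files, as an added example that is not part of the original post: the function reads the text of a private key file and reports whether the key material is stored encrypted, covering legacy PEM keys, PKCS#8 keys and the current OpenSSH key format. The file paths and key bodies in the sample are constructed placeholders, not real keys.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, offset):
    """Read one length-prefixed string (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:end], end


def key_protection(key_text):
    """Return 'encrypted', 'unencrypted' or 'unknown' for a private key file."""
    lines = [l.strip() for l in key_text.strip().splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":    # PKCS#8, encrypted
        return "encrypted"
    if header == "-----BEGIN PRIVATE KEY-----":              # PKCS#8, plain
        return "unencrypted"
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
            if not blob.startswith(OPENSSH_MAGIC):
                return "unknown"
            # The cipher name follows the magic; "none" means no passphrase.
            cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        except (ValueError, struct.error):
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    if header.endswith(" PRIVATE KEY-----"):                 # legacy RSA/DSA/EC PEM
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l
                        for l in lines[1:4])
        return "encrypted" if encrypted else "unencrypted"
    return "unknown"


def unprotected_keys(files):
    """files: mapping of path -> file text. Returns paths of unencrypted keys."""
    return sorted(p for p, text in files.items()
                  if key_protection(text) == "unencrypted")


def sample_openssh_key(cipher):
    """Build a constructed, header-only OpenSSH key file (no key material)."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + b"".join(
        struct.pack(">I", len(field)) + field for field in (cipher, kdf, b""))
    body = base64.b64encode(blob).decode("ascii")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples: hypothetical paths, placeholder bodies.
SAMPLE_FILES = {
    "/home/dev1/.ssh/id_ed25519": sample_openssh_key(b"none"),
    "/home/dev2/.ssh/id_ed25519": sample_openssh_key(b"aes256-ctr"),
    "/home/dev3/.ssh/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
        "AAAA\n-----END RSA PRIVATE KEY-----\n"),
    "/home/dev4/.ssh/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for path in unprotected_keys(SAMPLE_FILES):
        print("no passphrase:", path)
```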

Most organizations have been hacked at one time or another; according to FireEye, 95% are already breached. In fact, one in five Global 2000 organizations expect to be compromised in the next two years due to weak or legacy cryptography. Organizations do not look at, or understand, how many keys and certs (51% according to Ponemon) are in use that have access to their data. In traditional network perimeter security, you would not expose external-facing ports to internal-only traffic with no monitoring. Why, then, allow keys and certificates to be used within the organization without appropriate control? The question that needs to be answered is: where are the security gaps that expose an organization to exploits which take advantage of keys and certificates?

[Figure: attack surface and threat response time graph]

The first thing you learn in any offensive strategy is to look for your opponent’s weak areas. It is no different for cyber-criminals. Organizations no longer deal with securing company data behind the proverbial four walls. With cloud computing, employee-owned devices, and very soon the “internet of things”, the attack surface cyber-criminals can exploit has increased exponentially. To add to the problem, organizations need to maintain control over, and respond to, attacks on a global basis as employees become more mobile.

Strategies to reduce your risk

Trust but verify: The average Global 2000 organization has in excess of 17,000 encryption keys to deal with, most of the time manually. The first step in self-defense is to know thyself. Your organization is ill-equipped to defend itself against trust exploits if there is not a clear understanding of the encryption key and certificate inventory. One of the concepts in the Forrester Zero Trust model is that all resources should be accessed securely regardless of location. Cybercriminals can easily collect unencrypted data within the network, therefore internal data should be protected in the same manner as external data: encrypted. And the lifecycle of all encryption keys should be securely managed with an enterprise key and certificate management solution.

Control: Nearly 60 percent of RSA 2013 survey respondents stated that they were concerned about the issuance of certificates to mobile devices outside of IT control. The same percentage of respondents were also perturbed that system administrators, who are not security experts, were responsible for encryption keys and certificates, which can result in security breaches, unplanned outages, or audit and compliance failures. Only with well-defined policies can you mitigate this risk. By enforcing long key lengths, strong algorithms, frequent rotation of keys, and short validity periods for certificates, you can increase your ability to reduce the threat surface.

Automate: How long would it take you to respond to an attack related to SSH key or digital certificate theft? That is, how long would it take your organization to replace the keys and certificates to protect the data? Sixty percent of attendees at RSA 2013 said it would take one or more days to respond to an attack that took advantage of encryption keys or certificates. Only through automated processes can you respond fast enough to a compromise and rotate out encryption keys and certs that have been compromised.

Venafi Director™ is a platform that provides Enterprise Key and Certificate Management, enabling organizations to gain insight and control over their keys and certificates in the datacenter, on desktops and mobile devices, and in the cloud. Director is a vendor-agnostic platform that reduces organizations’ threat surface and response time to targeted attacks with full key and certificate lifecycle control spanning the widest range of certificate authorities (CAs). The Director platform enables organizations to rapidly develop an accurate key and certificate inventory to quickly identify security risks associated with trust exploits, as well as operational and compliance risks. Enterprises can quickly establish consistent policies and automate operations across the organization and into the cloud. As a result, organizations can successfully prevent security breaches, eliminate unplanned outages, and achieve audit success and compliance.


Portland SecureWorld Expo

Date: June 5 – 6, 2013
Location: Portland, Oregon
Details: http://secureworldexpo.com/event/index.php/2013-portland-home


About Venafi

Venafi is the inventor of and market leader in enterprise key and certificate management (EKCM). Venafi delivered the first enterprise-class solution to discover all digital certificates and cryptographic keys within an organization, connect these assets to the people responsible for them, report on and audit their use to prove compliance, enforce policy, and automate operations to eliminate security risks, unplanned outages and compliance failures. Designed specifically for the enterprise, Venafi Director helps organizations regain control over trust in the data center, on desktops and mobile devices, and in the cloud by managing Any Key. Any Certificate. Anywhere™. Venafi also publishes best practices for effective key and certificate management. Venafi customers include the world’s most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.

NG Security Summit

Date: June 5 – 6, 2013
Location: OMNI Interlocken Resort, Denver Colorado
Details: http://www.ngsecuritysummitus.com/


e-crime FRANCE

Date: June 5, 2013
Location: Paris, France
Details: http://www.e-crimecongress.org/france/en/website.asp?page=Home


SC Congress Toronto

Date: June 11 – 12, 2013
Location: Toronto, Ontario
Details: http://congress.scmagazine.com/page.cfm/link=10


Calgary Data Connectors

Date: June 13, 2013
Location: Calgary, Alberta
Details: http://www.dataconnectors.com/events/2013/06Calgary/agenda.asp

