In the recent blog post on Allocating 2015 Budget for Key and Certificate Security, by Tammy Moskites, the CISO and CIO of Venafi, she emphasizes how insecure keys and certificates can undermine critical security controls. This is certainly true. A lack of key and certificate security undermines a minimum of 40% of the Critical Security Controls (CSCs) listed by the SANS Institute. But key and certificate security should also be considered a critical security control in and of itself, not just a function that affects the others.
The latest version of The Critical Security Controls for Effective Cyber Defense by the SANS Institute now includes requirements for securing keys and certificates in Section 17 on Data Protection. These changes recognize that data protection must go beyond Data Loss Prevention (DLP) and Data Classification solutions, which cannot see encrypted traffic—creating a security gap (as mentioned in Tammy’s blog). But folding in these new key and certificate security requirements elevates key and certificate security to a Critical Security Control. Below are examples of the key and certificate security now listed under Data Protection.
New Key and Certificate Security in SANS20 CSC Version 5, Requirement 17: Data Protection
- CSC 17-2: Verify that cryptographic devices and software are configured to use publicly-vetted algorithms.
- CSC 17-3: Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls.
- CSC 17-10: Only allow approved Certificate Authorities (CAs) to issue certificates within the enterprise. Review and verify each CA's Certificate Practices Statement (CPS) and Certificate Policy (CP).
- CSC 17-11: Perform an annual review of algorithms and key lengths in use for protection of sensitive data.
- CSC 17-14: Define roles and responsibilities related to management of encryption keys within the enterprise; define processes for the key lifecycle.
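Three of the items above describe properties that can be checked mechanically rather than by reading policy documents: the signature algorithm in use (CSC 17-2), the issuing CA (CSC 17-10), and the key length (CSC 17-11). The following Python is an added example written for this post, not code from Venafi or from the SANS document. It assumes a constructed CSV inventory format, and the approved-CA list, approved signature algorithms and minimum key lengths are placeholder policy values that an enterprise would set for itself.

```python
import csv
import io
from dataclasses import dataclass

# Hypothetical enterprise policy values. These are assumptions for the
# example, not figures taken from the SANS document or from Venafi.
APPROVED_CAS = {"Example Corp Internal CA", "Example Public CA G2"}
APPROVED_SIG_ALGS = {
    "sha256WithRSAEncryption", "sha384WithRSAEncryption",
    "ecdsa-with-SHA256", "ecdsa-with-SHA384",
}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}


@dataclass(frozen=True)
class Finding:
    control: str   # the CSC 17 item the certificate fails
    subject: str   # certificate subject from the inventory
    detail: str    # human-readable reason for the finding


def parse_inventory(text):
    """Parse a CSV export of a certificate inventory into dicts.

    Expected columns: subject,issuer,sig_alg,key_type,key_bits
    (a constructed format for this example; real inventory tools differ).
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["key_bits"] = int(row["key_bits"])
        rows.append(row)
    return rows


def check_certificate(cert):
    """Evaluate one certificate against the three automatable CSC 17 items."""
    findings = []
    subject = cert["subject"]

    # CSC 17-2: the signature algorithm must come from the vetted/approved set.
    if cert["sig_alg"] not in APPROVED_SIG_ALGS:
        findings.append(Finding("CSC 17-2", subject,
                                f"signature algorithm {cert['sig_alg']} not approved"))

    # CSC 17-11: the key length must meet the minimum for its key type.
    minimum = MIN_KEY_BITS.get(cert["key_type"])
    if minimum is None:
        findings.append(Finding("CSC 17-11", subject,
                                f"unrecognised key type {cert['key_type']}"))
    elif cert["key_bits"] < minimum:
        findings.append(Finding("CSC 17-11", subject,
                                f"{cert['key_type']} key is {cert['key_bits']} bits, "
                                f"minimum is {minimum}"))

    # CSC 17-10: the issuing CA must be on the approved list.
    if cert["issuer"] not in APPROVED_CAS:
        findings.append(Finding("CSC 17-10", subject,
                                f"issuer '{cert['issuer']}' is not an approved CA"))
    return findings


def audit_inventory(text):
    """Run the checks over a whole inventory and return every finding."""
    return [f for cert in parse_inventory(text) for f in check_certificate(cert)]


def findings_by_control(findings):
    """Count findings per control, the summary an annual review report needs."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


# Constructed sample inventory: one compliant certificate, one legacy
# certificate that fails two controls, and one issued by an unapproved CA.
SAMPLE_INVENTORY = """subject,issuer,sig_alg,key_type,key_bits
web01.example.test,Example Corp Internal CA,sha256WithRSAEncryption,RSA,2048
legacy-app.example.test,Example Corp Internal CA,sha1WithRSAEncryption,RSA,1024
api.example.test,Self-Signed Dev CA,ecdsa-with-SHA256,EC,256
"""

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{finding.control}: {finding.subject}: {finding.detail}")
```

Run against the sample inventory, the legacy certificate produces a CSC 17-2 finding (SHA-1 signature) and a CSC 17-11 finding (1024-bit RSA key), and the self-signed certificate produces a CSC 17-10 finding. Keeping the policy values in one place at the top is what makes the annual review in CSC 17-11 practical: raising the minimum key length or retiring an algorithm is a one-line change that the next audit run enforces across the whole inventory.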
An effective data protection framework must close gaps by securing cryptographic keys and digital certificates to protect the trust behind secure, authenticated, and encrypted communications.
Key and certificate security is explicitly mentioned under Data Protection, but also directly impacts many of the other SANS critical security controls that address authentication, access control, vulnerability assessment, and defense against trust-based attacks.
SANS 20 Critical Security Controls
Like Tammy, I also urge you to budget for key and certificate security in 2015, if not earlier with remaining 2014 funds. Tammy and others at Venafi have been working with many of the top global enterprises to help them plan key and certificate security, often folding it in with other important security and compliance projects. We've taken what we've learned from these successful engagements and captured it in a budget recommendation brief, as well as a more detailed white paper, Budgeting for Next Generation Trust Protection.
These materials emphasize why securing keys and certificates is critical when protecting against today's threatscape, how this protection complements your planned security and compliance projects, and how to position and estimate the budget. Of course, Tammy and the rest of us at Venafi are happy to help you customize your budget efforts.
Too often we take the trust established by keys and certificates for granted, but without key and certificate security we leave an open door to trust-based attacks, breach, and compromise.