Today, an increasing number of Identity and Access Management (IAM) strategies include the cryptographic keys and digital certificates for SSL/TLS, SSH, mobile WiFi, and VPN access that authenticate and authorize servers, devices, software, cloud, and privileged administrators and users.
This move to expand the enterprise security perimeter is laudatory because it closes the gap between the authentication and authorization established by keys and certificates and the protection provided for other credentials, such as usernames and passwords. But, without proper management and oversight, cryptographic keys and digital certificates could break that security perimeter wide open. For many companies, their IAM for keys and certificates may be missing in action (MIA).
Unlike passwords and user IDs, which are controlled with layers of automated monitoring policies, certificates and keys have been blindly trusted with inadequate, siloed processes. In many companies, there is no centralized visibility, policy enforcement, or incident tracking and remediation.
According to the 2015 Cost of Failed Trust Report, published this year by the Ponemon Institute and Venafi, an average enterprise has almost 24,000 keys and certificates in circulation. But 54 percent of corporate security professionals surveyed in the report admitted that they have no idea where all of their keys and certificates are located. As a result, thousands of certificates go missing in action every year, a recipe for disaster. Those certificates establish trusted access to critical servers, applications, mobile devices and cloud instances at the highest level of privilege, creating a situation ripe for exploitation.
Ask yourself these questions:
Would your organization tolerate a security situation where 24,000 passwords and user IDs were floating around the company without any awareness, policies, or control? Probably not. But your organization may be doing just that when it comes to keys and certificates. Just like passwords and user IDs, policies and automated controls need to be applied to keys and certificates such as rotation, validity periods, ownership, timely provisioning, and revocation. Instead, outdated approaches limit visibility and policy enforcement and increase the risk of misuse, exposing enterprises to compliance failures and costly data breaches.
So if you were an enterprise hacker, where would you focus your attack efforts? Cybercriminals have already answered this question for you. In the Ponemon research, security professionals estimated the total possible impact per organization for all attacks using keys and certificates to be almost $600 million and this is up 50% from 2013.
It’s time to apply the same diligence we devote to usernames and passwords to keys and certificates, by deploying enterprise-wide policies and automated controls. Try these best practices:
- Protect
- Create visibility by inventorying the certificates you have in use today and verifying their ownership
- Establish enterprise-wide use policies
- Detect
- Monitor and detect for anomalies
- Enforce policies and establish management control
- Respond
- Automate key and certificate issuance, renewal, and installation
- Replace keys and certificates based on a regularly scheduled inventory and review process
- Remediate by replacing keys and certificates in the event of a CA compromise or new vulnerability such as Heartbleed
The six steps should give you a good starting point, but there’s plenty more you can do. You can read the Venafi solution brief, Close the Gaps in Identity and Access Management, or drop me a line if you’d like to learn how.