In 2020 the SolarWinds Orion platform was compromised when hackers injected a malicious code, known as Sunburst, thus gaining unauthorized access to a plethora of sensitive information, belonging to US government agencies like the Treasury and Commerce Department. The culprit behind this major attack was compromised X.509 certificates (public key certificates) and public key infrastructure (PKI).
PKI lays the foundation of an effective strategy to secure communications between machines, networks, IoT devices, and virtual servers, both outside and within the firewall. With the escalation of connected devices, machines, and endpoints, it is critical to managing the exceeding number of digital certificates and cryptographic keys
What is PKI Management?
PKI management refers to a set of tasks and security protocols essential for coining a high-functioning and efficient public key infrastructure. The concept of PKI certificate management revolves around the encryption of public keys and their affiliated crypto mechanisms, authentication of public and private keys, digital certificates, Certificate Authority (CA), Registration Authority (RA), and managing certificate repository with LDAP (Lightweight Directory Access Protocol).
PKI is primarily responsible for establishing the identity of endpoints on a network and encrypting the flow of data via the network’s communication channel, thereby ensuring the security of online interactions. Private keys and public keys are used for encryption and decryption respectively, backed up digital certificates.
PKI is at the crux of almost every IT infrastructure, ensuring cyber defense for critical digital communications and distributed workloads across hybrid and multicloud environments. Amid the booming IoT and cloud-based services, the more digital certificates an organization needs to manage, the more crucial it becomes to manage PKI.
Best Practices for PKI Management
- Protect private keys: Storing private keys in the form of text documents or password-protected documents can be detrimental to PKI management. A compromised private key or root CA harms the entire network by opening the gateways to the malicious attackers.
Store private keys in an AES-256 bit encrypted software vault or a FIPS 140-2 certified hardware security module (HSM). Use a built-in or third-party password vault for protecting device credentials. HSMs must meet be compliant to store keys and secure vaults. Enable automated rotation of private keys within the HSM and provide hardware-rooted protection to your PKI.
- Perform key ceremony: In public-key cryptography, key ceremony refers to the process by which a unique pair of private and public keys are generated for the Root CA in the presence of legal representation, witnesses and ‘key holders’ in a secure location. An HSM device is designed to secure the private and public keys so that no one can use them and also to check if anyone else has accessed the keys or the system.
Periodic audits with key usage, serial numbers and logs will give you an idea about unauthorized access if any. The primary role of the ceremony is to conduct pre-checks on the HSMs, to prevent malware from attacking the machines and root CAs from getting compromised.
- CA policies: PKI is embedded with well-defined policies and practices in the form of Certificate Policy (CP) and Certificate Practice Statement (CPS). The CP defines the rules a CA needs to follow when issuing digital certificates, and CPS provides a more detailed description of these practices and procedures required to efficiently manage the certificates.
CA policies enforce standards for the operation of the CA and the certificates issued. Policies can be thought of as a set of rules that define how the CA will issue certificates and which parameters can be included in a request and which values are accepted. CAs are an integral part of any PKI and help in keeping the internet secure and transparent. CAs perform the domain control verification (DCV) process and verify that the public key, for which the certificate is issued, really belongs to the subject who requests it.
Root CAs, also known as “trust anchors”, must be configured in a well-controlled environment. It is pivotal that you use certificates issued by globally trusted CAs, and not self-signed certificates as they are mainly used for internal communications within the organization. Using self-signed certificates for external-facing applications exposes the network to security vulnerabilities.
- Conduct periodic audits: Conduct audits for all PKI components to check whether the protocols listed under CP and CPS are adhered to. Enterprises that conduct the internal audits periodically and diligently are more likely to avert any unfortunate occurrence, like exploitation or data misuse.
PKI administrators should gauge the organizational PKI protocols against the emerging norms including CA/Browser Forum and regulative authorities.
- Be cryptographically agile: Efficient PKI management strategies must include the ability to quickly rotate certificates, expedite the enrollment/renewal/revocation process with CAs, and rapidly upgrade outdated algorithms and protocols with new ones.
The concept behind being cryptographically agile is that the PKI admin should be able to identify and eradicate vulnerabilities in a crypto environment, without disrupting the entire network. The transition from SHA1 to SHA2 and the upgrading from older deprecated TLS versions to TLS 1.2 and 1.3 requires the businesses to be cryptographically agile.
- Hire skilled resources: PKI is the backbone of IT enterprises, and integration with IT applications is soaring in this hyper-connected world. As PKI is critical infrastructure, organizations must hire skilled resources who are well-versed with the nitty-gritty of the entire procedure.
Efficient PKI admins and expert team members must have knowledge related to implementation, maintenance and support of PKI solutions and the authentication infrastructure of the enterprises, which includes proper management of digital certificates, troubleshooting service issues and evaluating upgrades and changes in the PKI infrastructure. Many organizations are outsourcing PKI deployments to PKI experts for seamless operational procedures.
- Customized and detailed planning: Build custom, event-driven automation using pre-built tasks and workflows. The solution must integrate with IT Service Management (ITSM) tools for ticketing and governance or send emails and messages on other collaboration tools.
Expose a catalog of service requests to programmers and enable self-service with user-friendly forms. Use automated workflows for faster time-to-value and improved agility.
Poorly managed PKI often marks the entry point for a host of vulnerabilities with impacts ranging from lost time to lost revenue. Modernize your PKI with AppviewX CERT+. CERT+ helps with smart discovery, visibility into security standards, and centralized management of keys and certificates across hybrid and multi-cloud environments.