Bridgestone Americas' tire manufacturing facilities across North and Latin America recently grappled with a cyberattack which, as the USW 1155L workers' union noted, prompted the company to cancel shifts. Bridgestone disconnected many manufacturing and retreading facilities in Latin America and North America from its networks to contain the incident and prevent further impact. As the company works to bring those plants back online, the episode drives home the point that enterprises are now hyperconnected by default, and that security has to be a top priority for any organization riding the digital wave.
With the rising complexity of today's IT infrastructure, the data center is no longer the hub of network activity. The majority of applications and workloads have moved to the cloud, and most work gets done outside the data center. Organizations continue to add IoT devices, blockchain technology, and other cutting-edge innovations to their infrastructure, dramatically expanding the network. Further, large-scale remote work means employees access enterprise data and applications over the public internet, often from their own devices. Together, these factors have opened up a huge attack surface and given malicious actors many more opportunities to infiltrate corporate networks.
Public Key Infrastructure (PKI) is one of the foundational layers of defense against such attacks: it is what authenticates machines to one another and encrypts the traffic between them. However, certificate-related issues still plague businesses, resulting in outages and losses worth thousands of dollars every single year. Many PKI setups have a long way to go before they can be considered genuinely secure and effective. Security teams continue to rely on legacy, largely manual techniques to manage certificates and keys, and the resulting expirations and key compromises are hitting corporations harder than ever before.
Embracing the Zero Trust Model
Zero Trust security is based on the principle of 'Trust No One', whether a request originates outside or inside the organizational network. In this model, every person and every device must be authenticated and authorized before accessing a resource, and that strict identity verification is enforced on each access to private network resources rather than once at the perimeter. Conventional security models assume that all devices inside the company's network are implicitly trusted; the Zero Trust model makes no such assumption.
Identity is the new network perimeter, and verifying the digital identities on your network is central to a zero trust strategy. However, many organizations mistakenly assume that verifying user identities is sufficient. A true zero trust implementation also relies on certificates and key pairs to authenticate devices and workloads, so that the machine at the other end of a connection is verified as well as the person.
Companies adopting the zero trust model typically start with segmentation, privileged access management (PAM), multi-factor authentication (MFA), vulnerability and patch management, and security analytics. But they often miss one key area: managing machine identities through digital certificates and keys. A program that focuses heavily on access controls while ignoring the certificates and keys behind its encrypted tunnels leaves those tunnels open to compromise.
The number of machines, cloud workloads, containers, IoT devices, and mobile devices that access resources is already very high and is growing rapidly. At the same time, machine identity management failures such as expired certificates, weak cipher suites, and compromised or fraudulent certificates and keys are creating significant risk for businesses across the world.
It's clear that digital certificates contribute a great deal to a zero trust architecture, but managing them at this scale calls for a managed solution with automation of the certificate lifecycle at its core. Implementing certificate lifecycle automation is therefore a key initiative towards achieving a fully functional zero trust model.
Certificate Lifecycle Automation and Zero Trust
Automation plays a critical role in supporting zero trust. The sheer number of disparate devices and users requesting access to resources on the typical corporate network is too large to manage manually. It’s worth bearing in mind that any automation solution for improving zero trust architecture shouldn’t negatively impact user experience.
The need for automation becomes even more pressing in the context of digital certificates, which vary in type (SSL/TLS, S/MIME) and source (IoT devices, containers, workstations). Aside from the heavy workload and significant expertise needed for manual certificate management, the risks of mismanagement that can lead to security compromises are high.
Here are some recommended best practices for certificate lifecycle management (CLM):
Detect and maintain inventory
You cannot manage certificates you do not know about, so visibility into your network infrastructure comes first. Invest in a discovery tool that performs thorough scans across your networks and multi-cloud environments to detect certificates issued by every certificate authority (CA), including internal and self-signed ones, on every endpoint. For best results, record the findings in a structured inventory, with the pertinent information for each entry (such as expiration dates, key sizes, signature algorithms, and certificate chains).
Enable dynamic monitoring
Use your certificate management tool to actively monitor the status of certificates and keys on your network. Build reports on key metrics (such as approaching renewals and already-expired certificates) that update in real time, so that teams can respond quickly. Run periodic scans across the network to ensure that the certificate inventory is always up to date.
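As an added example (not part of the original article), the following stand-alone Python script shows what the discovery and monitoring steps above boil down to in code. Using only the standard library, it parses DER-encoded X.509 certificates with a minimal ASN.1 walker, extracts the fields an inventory record needs (serial, signature algorithm, validity period, RSA key size), and turns them into the findings a monitoring report would raise: expired, expiring within 30 days, SHA-1 signature, RSA key shorter than 2048 bits. The endpoint names, the thresholds and the certificates themselves are constructed for the example: the certificates are unsigned skeletons with placeholder moduli, built by the small DER encoder in the second half of the script, standing in for what a discovery scan would fetch from real endpoints.

```python
"""Inventory checks over discovered X.509 certificates, standard library only."""
import datetime as dt

OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption",
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
        "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    """Base-128 arcs to dotted form; the first byte packs the first two arcs."""
    arcs, n = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_time(tag, b):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(b.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def parse_certificate(raw):
    """Pull the fields an inventory needs out of a DER-encoded v3 certificate."""
    fields = der_children(der_children(der_read(raw, 0)[1])[0][1])   # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, sig_alg, _issuer, validity, _subject, spki = fields[:6]
    alg_id, pub_key = der_children(spki[1])
    key_bits = None
    if OIDS.get(decode_oid(der_children(alg_id[1])[0][1])) == "rsaEncryption":
        rsa = der_children(der_children(pub_key[1][1:])[0][1])   # BIT STRING: skip unused-bits byte, then RSAPublicKey
        key_bits = len(rsa[0][1].lstrip(b"\x00")) * 8            # modulus length without the sign pad
    not_before, not_after = (decode_time(t, v) for t, v in der_children(validity[1]))
    return {"serial": int.from_bytes(serial[1], "big"),
            "sig_alg": OIDS.get(decode_oid(der_children(sig_alg[1])[0][1]), "unknown"),
            "not_before": not_before, "not_after": not_after, "key_bits": key_bits}

def assess(cert, now, warn_days=30, min_rsa_bits=2048):
    """Findings a monitoring report should raise for one inventory entry."""
    findings = []
    if cert["not_after"] <= now:
        findings.append("expired")
    elif cert["not_after"] - now <= dt.timedelta(days=warn_days):
        findings.append("expires within %d days" % warn_days)
    if cert["sig_alg"] == "sha1WithRSAEncryption":
        findings.append("SHA-1 signature")
    if cert["key_bits"] is not None and cert["key_bits"] < min_rsa_bits:
        findings.append("RSA key shorter than %d bits" % min_rsa_bits)
    return findings

# Constructed test input: a tiny DER encoder and an unsigned certificate skeleton.
def der(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_int(n):
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))   # keeps a 0x00 pad when the top bit is set

RSA, SHA1_RSA, SHA256_RSA = (bytes.fromhex("2a864886f70d0101" + t) for t in ("01", "05", "0b"))

def build_sample_cert(not_before, not_after, sig_oid, key_bits):
    """Hypothetical certificate: placeholder modulus with key_bits bits, all-zero signature."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"inventory-test"))))
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    utc = lambda t: der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    rsa = der(0x30, encode_int((1 << (key_bits - 1)) | 1) + encode_int(65537))
    spki = der(0x30, der(0x30, der(0x06, RSA) + der(0x05, b"")) + der(0x03, b"\x00" + rsa))
    tbs = der(0x30, der(0xA0, encode_int(2)) + encode_int(0x1001) + alg + name
              + der(0x30, utc(not_before) + utc(not_after)) + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(32)))

NOW, DAY = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc), dt.timedelta(days=1)   # fixed clock, reproducible report
INVENTORY = {   # constructed: what a discovery scan of three endpoints might hand back
    "web-01:443": build_sample_cert(NOW - 300 * DAY, NOW + 10 * DAY, SHA256_RSA, 2048),
    "legacy-app:8443": build_sample_cert(NOW - 900 * DAY, NOW - DAY, SHA1_RSA, 1024),
    "api-gw:443": build_sample_cert(NOW - 30 * DAY, NOW + 335 * DAY, SHA256_RSA, 3072),
}

def report(inventory, now=NOW):
    """Endpoint -> findings: the rows a monitoring view sorts by urgency."""
    return {host: assess(parse_certificate(raw), now) for host, raw in inventory.items()}
```

Running `report(INVENTORY)` flags `web-01:443` as expiring within 30 days, `legacy-app:8443` as expired with a SHA-1 signature and a 1024-bit key, and leaves `api-gw:443` clean. In a real deployment `INVENTORY` would be filled by the scanner (for a TLS endpoint, the standard library's `ssl.get_server_certificate()` returns the leaf certificate in PEM form, which base64-decodes to the DER this parser expects), and `assess` would grow the checks your policy demands, such as an allow-list of issuing CAs to catch certificates obtained outside the approval process.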
Enforce ownership hierarchies
Do not allow multiple teams across geographies to add, modify, or remove certificates at will. Create role-based hierarchies and approval processes that route every certificate signing request (CSR) or issuance call through the designated authorities. This prevents phantom, undocumented certificates, which go undetected when they expire or are compromised.
Create an audit trail
Ensure that every change made to the PKI environment is thoroughly documented, and automate the record-keeping to reduce the human effort involved. With an audit trail in place, anomalies can be detected, isolated, and resolved quickly, sparing teams a scan of the entire ecosystem every time a problem surfaces.
Be proactive and prevent outages
A certificate lifecycle management solution integrates with your network to enable full-cycle automation. Minimizing the human effort spent on certificate operations also reduces the risk of error that comes with it. Set up tasks that automatically renew certificates as they near expiration, and custom workflows that can revoke and reissue every certificate issued by a particular CA, for instance when that CA has to be distrusted after a compromise.