Ecuador’s largest private bank, Banco Pichincha, recently suffered a cyberattack that disrupted operations and took its ATMs and online banking portal offline. The bank shut down portions of its network to keep the attack from spreading to other systems. That shutdown had a cascading effect: ATMs stopped working and the online banking portals displayed maintenance messages.
There has been a rapid increase in ransomware attacks over the past few years. According to Forbes, “Despite all the warnings and high-profile breaches, the state of readiness for most when it comes to cybersecurity is dismal. The need for better cyber-hygiene is evident from using stronger passwords, patching software, employing multi-factor authentication, and many other important security steps.”
Networked machines now outnumber the humans who use them, and with more of those machines talking to each other, often on the move, securing that communication is paramount. Asymmetric (public-key) cryptography is the standard way to protect data in transit, and digital certificates are how trust is established and extended between the communicating parties: a certificate binds a public key to a machine’s identity and is issued by a certificate authority (CA).
As the requirement for certificates grows, especially for certificates that only need to be trusted within the organization, enterprises have to set up an internal public key infrastructure (PKI) so that private CAs can be created and operated in-house.
Technically, creating a CA and signing a certificate is very simple: for local testing, anybody can generate a CA key and sign a certificate in a few commands. When CA-issued certificates are used in production, however, there is much more to it, because every relying party has to be able to chain each certificate back to a root it trusts, and the keys behind that root have to stay protected for the life of the PKI.
Digital certificates serve as the identities of both hardware and software entities connected to the internet, and they can make or break a system: a valid, trusted certificate is what lets other parties treat a system as authentic and safe to talk to, while an expired, revoked or untrusted one effectively takes it offline.
PKI is the framework for issuing, distributing, validating and revoking public-key certificates, together with the keys and cryptographic mechanisms that go with them. The purpose of any PKI setup is to manage those keys and certificates so that applications and hardware can authenticate each other and encrypt their traffic over an otherwise untrusted network.
X.509 certificates and the public keys they carry form the cornerstone of PKI: they are the mechanism by which an endpoint proves its identity and establishes an encrypted session. “PKI” may refer to any software, policy, process or procedure used to configure and manage those certificates and keys.
Setting up and scaling an enterprise PKI is costly: it requires compute resources and security experts up front, and continuous, tedious operations and upgrades thereafter.
Organizations need to invest in a PKI management system that simplifies CA infrastructure and builds in complete certificate lifecycle management (CLM) with end-to-end automation. The solution should be highly scalable and easy to provision, without complex hardware or software infrastructure to set up and maintain.
A PKI management system that supports multiple deployment environments and keeps private keys in secure storage such as hardware security modules protects keys and certificates from compromise.
Establishing and managing an ideal PKI system involves an impeccably managed infrastructure that includes certificates and keys, CAs, hardware security modules (HSMs), and the associated DevOps, ITSM and identity and access management (IAM) tools, among much else. With that in mind, let’s look at some of the best practices for PKI management.
Maintain a certificate inventory – Ensure that every certificate, whether currently in use, discarded, or revoked, is tracked in a centralized inventory system.
Protect private keys – Use HSMs that meet compliance requirements (for example FIPS 140-2) to store keys, and secure vaults to store passwords. Automate rotation of private keys from within the HSM so that key material is never handled manually.
Use certificates issued by a trusted CA – For external use, purchase certificates issued by globally trusted CAs instead of using self-signed certificates. Clients cannot validate a self-signed certificate against any trust store, so a self-signed certificate on an external-facing application or endpoint is indistinguishable from one forged by an attacker and leaves that endpoint highly vulnerable to misuse.
Rotate keys – Rotate SSH keys and other long-lived credentials frequently. SSH keys in particular often have no expiry date, are rarely inventoried, and are protected at most by a passphrase, so a leaked key remains usable until it is rotated.
Establish policy – Create and enforce PKI management policies covering role-based access to cryptographic assets, certificate renewal periods, and PKI audit trails. Transparency and clearly defined rules lower the chance of mismanagement-induced vulnerabilities, and any errors can be tracked and remediated easily.
Practice crypto-agility – Build the PKI so that its constituent parts can be changed quickly. This includes the ability to rotate certificates fast, to expedite enrollment, renewal and revocation with CAs, and to swap out outdated algorithms and protocols for new ones as soon as they are deprecated.
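The following Go program is an added example, not code from the original post or from AppViewX. It ties together two points made above: that creating a private CA and signing a certificate is technically trivial (the whole thing is a few standard-library calls), and that what a production PKI actually needs on top of that is verification against a trusted root, certificates that cannot be confused with self-signed ones, and an inventory check that flags certificates approaching expiry or using keys that crypto-agility says should be retired. The CA name, the hostname app.internal.example, the 90-day leaf validity, the 30-day renewal window and the 2048-bit RSA floor are all assumptions chosen for the example, not values from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey generates a P-256 key in memory; a production CA key would be generated and kept inside an HSM.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// sign issues tmpl over pub with signerKey. A nil parent means self-signed: that is how a
// root CA is born, and also what an "anyone can sign it" certificate looks like.
func sign(tmpl, parent *x509.Certificate, pub interface{}, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random, never reused
	check(err)
	tmpl.SerialNumber = serial
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// buildPKI creates a private root CA, a CA-issued server certificate for host, and a
// self-signed certificate for the same host that no CA vouches for.
func buildPKI(now time.Time, host string) (ca, leaf, rogue *x509.Certificate) {
	caKey, leafKey, rogueKey := newKey(), newKey(), newKey()
	ca = sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example Corp Internal Root CA"}, // assumed name
		NotBefore:             now.Add(-time.Minute),                                  // tolerate clock skew
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host}, // clients match the SAN, not the CN
		NotBefore:   now.Add(-time.Minute),
		NotAfter:    now.Add(90 * 24 * time.Hour), // short validity forces regular rotation
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = sign(leafTmpl, ca, &leafKey.PublicKey, caKey)
	rogueTmpl := *leafTmpl // same name and validity, but signed by its own key
	rogue = sign(&rogueTmpl, nil, &rogueKey.PublicKey, rogueKey)
	return ca, leaf, rogue
}

// verifyAgainstCA does what a TLS client does with its trust store: chain the presented
// certificate to a trusted root and check the hostname and validity window.
func verifyAgainstCA(presented, ca *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// audit is the inventory check a lifecycle-management system runs over every tracked
// certificate: expiry inside the renewal window, and keys that crypto-agility should retire.
func audit(certs []*x509.Certificate, now time.Time, warn time.Duration) []string {
	var findings []string
	for _, c := range certs {
		cn, left := c.Subject.CommonName, c.NotAfter.Sub(now)
		if left < 0 {
			findings = append(findings, cn+": expired")
		} else if left < warn {
			findings = append(findings, fmt.Sprintf("%s: expires in %d days", cn, int(left.Round(24*time.Hour)/(24*time.Hour))))
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 { // 2048-bit floor is an assumed policy
			findings = append(findings, fmt.Sprintf("%s: RSA key only %d bits", cn, k.N.BitLen()))
		}
	}
	return findings
}

func main() {
	now, host := time.Now(), "app.internal.example"
	ca, leaf, rogue := buildPKI(now, host)
	fmt.Println("CA-issued certificate verifies:", verifyAgainstCA(leaf, ca, host, now) == nil)
	fmt.Println("self-signed certificate verifies:", verifyAgainstCA(rogue, ca, host, now) == nil)
	// Run the inventory check 75 days on: the 90-day leaf is now inside a 30-day renewal window.
	fmt.Println(audit([]*x509.Certificate{ca, leaf}, now.Add(75*24*time.Hour), 30*24*time.Hour))
}
```

The CA-issued certificate verifies and the self-signed one for the very same hostname does not, which is the whole difference between a certificate and a trust anchor: the rogue certificate is cryptographically perfect, it simply has no CA behind it, so a client with the private root in its trust store rejects it with an unknown-authority error. The same `audit` loop, run over the contents of a real inventory rather than two freshly minted certificates, is the core of the expiration alerting and algorithm-retirement checks a CLM system automates.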
Essentially, every PKI needs to be paired with a certificate management system, and this managed PKI system needs to be:
AppViewX’s certificate lifecycle automation is a one-stop solution for automated discovery, expiration alerting, renewal, secure provisioning, and revoking of SSL/TLS certificates with granular role-based access regulation across multi-vendor infrastructures. It arms security operations and PKI teams with the critical insights needed to avoid unwanted outages and other issues associated with non-compliant certificates.