As more organizations drive digital transformation and gravitate towards multicloud and hybrid cloud models, establishing a mechanism for secure access has become an absolute necessity for data security. Given that the number of IT machines (applications, web servers, workloads) and OT machines (endpoints such as IoT, mobile, laptops, etc.) is growing astronomically, the only way to control and secure these machines is to have proper access controls in place.
Just as humans are authenticated before allowing access to applications, machines, too, need to be authenticated before allowing them to communicate with each other. Machine identities (digital certificates and cryptographic keys) serve this very purpose—validating and authenticating machines to secure network communications. Along with authentication, machine identities also help encrypt the traffic traversing over the internet for securing data in transit. Authentication combined with encryption makes for a powerful combination, and this is driving an increasing number of organizations to make machine identities an integral part of their enterprise security strategy.
Although there is an increased focus on machine identities, many organizations are yet to reach a point where they can use them to their advantage in cybersecurity. This is because of the lack of knowledge in managing machine identities the right way. Traditional methods of managing certificates and keys such as spreadsheets and legacy certificate authority (CA) tools are failing to cater to the demands of identity management in the digital era. Poor certificate management coupled with the growing volume has resulted in several operational and security problems, hampering business growth and putting enterprise security at risk.
Here is a strategic five-tier approach to help you overcome certificate management challenges and bolster your security posture. The approach is designed to address all facets of certificate management and help you simplify and streamline your certificate lifecycle management.
The Five-Tier Approach to Certificate Lifecycle Management (CLM)
1. Discovery and Visibility
- Discover certificates and keys across hybrid environments
Discovering certificates from various devices and applications across hybrid-cloud or multicloud environments is critical to achieving full visibility. Employ a CLM tool that integrates with your existing scanners and runs a top-down scan of your entire network for discovering certificates. These scans must be run at regular intervals for an up-to-date inventory free of undocumented certificates. All information such as locations, associated applications, expiry dates, signatures, etc., should be automatically captured and presented in a holistic view.
- Build centralized visibility of your certificate inventory
Consolidate all discovered certificates in a central database to draw meaningful insights. Ideally, the scanning tool should automatically create an inventory of its findings with complete details of every certificate discovered – name, expiration date, encryption strength, key strength, the endpoint’s network, location, and so on. Certificates must be grouped based on the CA or location to ease the process of renewals and revocations. Having single-pane-of-glass visibility of certificates helps monitor expiry status, get notifications, and renew expiring certificates on time. It also helps analyze crypto standards and upgrade the certificates to the latest standards to avoid security and non-compliance issues.
2. Certificate and Key Compliance
- Enforce a uniform public key infrastructure (PKI) policy
Standardize certificate processes by regulating and auditing access to certificates and keys. Define and enforce business-specific policies across the enterprise to control issuance, validity, trust levels, and access privileges, which eliminates the existence of rogue, unknown, and non-compliant certificates. Establish granular, role-based access control to avoid unwarranted access and enable secure provisioning. Create audit trails for each user and certificate or key-related activity, and share periodic reports on certificate and key compliance to keep up with industry compliance.
- Analyze and upgrade crypto-standards
Encryption standards determine the security of the infrastructure. As cybercriminals are always looking out for weak certificates, analyze certificates for crypto standards such as key size, cipher strength, and allowed protocol versions. Track certificates that use weak or deprecated crypto standards and upgrade them to the latest standards. Define and enforce policies for using and generating certificates and keys–such as recommended cryptographic techniques, hashing algorithms, key lengths, CAs, and workflows–consistently across the infrastructure to validate and eliminate non-compliant certificates.
3. Secure Key Management
- Automated key management
Group keys based on functionality, and map required policies appropriately (such as recommended cryptographic techniques and workflows) to simplify key management. Ensure that the necessary teams have a granular view of key groups as well as the ability to monitor policy violations and unauthorized key usage. Minimize human contact in the key generation process by autogenerating keys with best-in-class encryption algorithms and pushing them to the required hosts through automation workflows. This helps prevent key roaming and potential key compromises. Enable automatic rotation of SSH keys, which eliminates the security risks of unauthorized access to critical systems.
- Secure Storage of certificates and keys
To avoid private key theft, choose solutions that leverage a central key escrow like an encrypted software vault or a hardware security module (HSM) to ensure maximum protection. Use a built-in or third-party password vault for protecting device credentials.
4. Holistic Management
- Integrate CLM with Certificate Authorities (CAs)
Invest in a CLM automation solution that has API integrations with all major public and private certificate authority services. Extensive integration allows certificates to be seamlessly enrolled from these CA’s and used on any devices or applications being managed.
- Integrate CLM with other enterprise solutions
Invest in a solution that provides out-of-the-box integrations with third-party solutions used for authentication, authorization, monitoring, ITSM (IT Service Management), and SIEM (Security Information and Event Management) to handle certificate enrollment for all enterprise end points. This integration allows IT operations teams to access simple automation workflows from third-party systems for self-servicing certificate requests. Also choose a CLM solution that integrates with mobile device management (MDM) and enterprise mobility management (EMM) systems such as SOTI and MaaS360 that helps manage mobile devices efficiently.
- Use auto-enrollment protocol support to manage certificates for a large fleet of devices
For high-speed certificate enrollment, choose a CLM solution that provides support for auto enrollment protocols like ACME, EST, SCEP, NDES, CMP, etc. Based on pre-set policies, these protocols help provision certificates from any CA easily and quickly. This is very useful in IoT device manufacturing where a large volume of certificates is required at a high-rate.
5. Customized and Detailed Planning
- Build custom, event-driven automation
Invest in a CLM solution that provides a vast library of pre-built tasks and workflows that enables operations teams to quickly and easily translate complex business requirements into easy-to-use automation workflows. This helps orchestrate certificate lifecycle management processes across teams, saving significant time and effort.
- Enable self-service for automation workflows
Expose the automated workflows to programmers who can self-serve via REST APIs. Simplify self-service with user-friendly forms. Giving end-users the ability to launch automated workflows makes certificate lifecycle management faster and improves operational efficiency.
As you embark on your path towards digital transformation and cloud-first models, make sure you build a robust and efficient certificate management system to mitigate security risks and stay ahead of the game.