Welcome to the world of remote working. Once considered a modern luxury (remember stories of IBM installing “remote terminals” in their employees’ homes in 1980?), then denounced as a killer of creativity and teamwork, it has now settled over most of the world as the only way to work without exposing ourselves to the dangers of the COVID-19 pandemic and violating strict Shelter in Place orders.
In addition to the usual challenges, like not having enough bandwidth to go around the household, or having your meetings interrupted by kids and pets demanding attention, the new realities of remote working present an array of new security concerns. When employees need to access the company’s servers from home using their personal devices, it opens up multiple opportunities for malicious actors to infiltrate corporate networks.
To make remote work possible, DevSecOps teams need to review and revise their encryption and authentication policies and practices. PKI is a popular way to not only ensure that all communication is properly encrypted, but also authenticate the identity of all parties who are communicating or transacting. Public-key cryptography is employed to guarantee data integrity and to prevent hackers from illegally accessing data in-transit or at rest.
Here’s a quick summary of how PKI actually works. PKI rests on the concepts of certificates and keys. Digital certificates (or X.509 certificates) serve as proof of endpoint authenticity – these are documents assigned to any user or server that participates in encrypted communication. When you contact a website, its digital certificate ensures that the information displayed on your screen comes from the genuine, authentic site you requested to access. This stamp of genuineness is what a digital certificate provides, and it is facilitated by Certificate Authorities (CAs). CAs, simply put, certify that the owner of a private key is indeed who they claim to be.
Managing PKI Infrastructure in times of remote working
Every single modern enterprise today is leveraging digital certificates to ensure secure communication between itself and its users, who could be spread across a multitude of connected devices or endpoints. It typically falls to SecOps and NetOps teams to manage and maintain an ever-growing number of certificates, each with its own expiration date, issued by multiple certificate authorities (CAs), and each subject to its own system vulnerabilities that need to be individually monitored and addressed.
Even in “normal” times, it’s not easy to manage an enterprise PKI infrastructure, especially given the fact that most teams lack specialized tools and have to rely on spreadsheets and manual processes. All of these challenges are greatly exacerbated by remote working arrangements: not only are NetOps and security engineers now trying to perform their essential functions from home, it has also become exponentially more important to ensure that all their certificates are valid and in service at all times, to maintain communication security and ensure business continuity and integrity.
Why? With company resources being opened up to external access (the existence of VPNs notwithstanding), every single touch-point becomes a potential weak link. For instance, if the certificates associated with an application expire, not only would that result in downtime, it would also mean that consumers of the application might be sending and receiving information over an unencrypted line, making it almost elementary for a hacker to hijack or steal that data.
The bottom line is that certificates and keys should be constantly renewed and rotated, especially in remote working scenarios. But how can organizations hope to do that with hundreds or thousands of users and an equal number of certificates on file, if not more?
Why do you need a certificate management system?
Despite the growing reliance on digital certificates, most organizations don’t have specialized tools or definitive processes for monitoring and managing their certificate lifecycles. As the number of connected devices continues to grow, it is becoming virtually impossible to maintain control over the PKI infrastructure and prevent security breaches and system outages without a dedicated automated certificate management system.
Gartner’s X.509 Certificate Management report states that:
- Many debilitating and damaging outages in external- and internal-facing systems can be traced directly to unplanned X.509 certificate expiry issues.
- Most organizations continue to rely on spreadsheet-based tracking methods and manual processes to keep track of certificates, which can cause undocumented installations that increase exposure to risks.
- Unknown and unmanaged X.509 certificates pose a security risk because some may be based on deprecated cryptographic algorithms.
- New sources of X.509 certificates, such as free SSL/TLS certificates, make rogue certificate use by internal parties, such as developers and DevOps teams, more likely. This results in out-of-compliance PKI and creates potential attack vectors.
Gartner recommends that organizations use full lifecycle management to audit and manage their PKI infrastructure, and we couldn’t agree more, especially when dealing with complex, multi-vendor, multi-cloud environments at a time when operational agility and efficiency can spell the difference between a business surviving the rough times or buckling under the pressure of arduous circumstances. NetOps and DevOps teams need the right tools to gain complete visibility into their PKI infrastructure, locate vulnerable or expired certificates and unsecured keys, and set in motion the process to remedy any issues before hackers can take advantage of the holes in enterprise security.
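The following Go program is an added illustration of two points made above, and is not code from AppViewX or from the original article. First, the CA's signature over a certificate is what lets a client trust that a key belongs to the named host (the summary of how PKI works). Second, a certificate that has passed its validity window fails verification outright, and an inventory audit should catch expiry, deprecated signature algorithms and unapproved issuers before that happens (the Gartner findings). It uses only the standard library's crypto/x509: it stands up a throwaway root CA, issues server certificates, verifies them the way a client would, and runs each one through a small audit. The CA name, host names, approved-issuer list and 30-day warning window are constructed values, and the time-derived serial number is a demo shortcut.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signCert generates a P-256 key for tmpl's subject and has parentKey sign it; nil parentKey means self-signed.
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil { // self-signed root: the CA signs its own certificate
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // demo serial; a real CA uses random serials of 64+ bits
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildCA creates a self-signed root CA valid for ten years; name is a constructed value.
func BuildCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return signCert(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// IssueLeaf has the CA vouch for host's key: its signature is what lets a client trust that the key belongs to host.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	cert, _, err := signCert(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		NotBefore:   notBefore,
		NotAfter:    notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// VerifyChain does what a client does on connect: chain leaf to a trusted root, match host, check validity at now.
func VerifyChain(leaf, root *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// IsExpiredError reports whether verification failed on the validity period rather than for another reason.
func IsExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// AuditCert applies lifecycle rules to one inventory entry: expiry (or expiry within warn), deprecated signature algorithm, unapproved issuer.
func AuditCert(c *x509.Certificate, now time.Time, warn time.Duration, approved map[string]bool) []string {
	var f []string
	if now.After(c.NotAfter) {
		f = append(f, "expired")
	} else if now.Add(warn).After(c.NotAfter) {
		f = append(f, fmt.Sprintf("expires in %d days", int(c.NotAfter.Sub(now).Hours()/24)))
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		f = append(f, "deprecated signature algorithm "+c.SignatureAlgorithm.String())
	}
	if !approved[c.Issuer.CommonName] {
		f = append(f, "issuer not approved: "+c.Issuer.CommonName)
	}
	return f
}

func main() {
	now := time.Now()
	ca, caKey, _ := BuildCA("Example Internal Root CA", now)
	// Constructed inventory: one healthy certificate and one that lapsed a week ago.
	healthy, _ := IssueLeaf(ca, caKey, "vpn.example.internal", now.Add(-time.Hour), now.AddDate(0, 0, 20))
	lapsed, _ := IssueLeaf(ca, caKey, "portal.example.internal", now.AddDate(0, 0, -90), now.AddDate(0, 0, -7))
	for _, c := range []*x509.Certificate{healthy, lapsed} {
		fmt.Printf("%s\n  verify: %v\n  audit:  %v\n", c.DNSNames[0], VerifyChain(c, ca, c.DNSNames[0], now),
			AuditCert(c, now, 30*24*time.Hour, map[string]bool{ca.Subject.CommonName: true}))
	}
}
```

Run it as a plain `go run` program. In a real inventory the audit loop would iterate over certificates discovered from endpoints or exported from your CAs rather than ones minted in main, and the approved-issuer check would key on the issuer's full distinguished name or key identifier rather than the common name alone, since a common name is trivially copied.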
AppViewX – certificate lifecycle automation for the enterprise
At AppViewX, we are all about automating the complete certificate lifecycle, not just discovery or audit. Our solutions focus on end-to-end automation of key and certificate functions across multi-cloud enterprise environments. By providing extensive visibility and control over certificate infrastructures, AppViewX helps prevent outages caused by expired or vulnerable certificates. It also protects keys, delivers compliance, and allows for role-based self-servicing of PKI.
Our platform is CA-agnostic, works out of the box, and works in synergy with major PKI, encryption, and security product vendors. AppViewX makes certificate management streamlined and efficient, allowing for endless upward scalability and cryptographic agility.
In times like these, many organizations are talking about putting off major decisions on upgrading their NetOps and SecOps processes and tools. But at AppViewX, we believe that now is actually an ideal time to explore a solution that could not only help you weather the current storm by protecting your networks and assets while your employees are working remotely, but also give you an opportunity to put in place new business practices that will continue to serve you in the future. The number of connected devices is only going to increase, and having an end-to-end certificate management and automation platform could prove a worthwhile long-term investment.
Take a look at AppViewX CERT+ today, and contact us for a demo.