Rabobank, a Dutch multinational banking and financial services company headquartered in Utrecht, Netherlands, deployed public key infrastructure (PKI) in 2000. That was the first PKI deployment by the bank. Many manual checks were involved, which gave rise to innumerable challenges with PKI management. The growing inventory of certificates added to the woes, making the process time-consuming, resource-intensive, and prone to errors. Many vendors offered piecemeal solutions, whereas Rabobank needed someone to deliver PKI as an end-to-end solution.
Let’s look at some of the critical business challenges faced by the bank.
Undefined processes and lack of ownership: Because certificates were managed manually, teams did not have well-defined processes for executing certificate tasks. All tasks were ad hoc and spread across multiple IT departments. This sprawl of responsibilities made troubleshooting and maintenance of the PKI difficult.
Cloud migration problems: With workloads migrating to the cloud and remote work gaining importance due to the pandemic, Rabobank needed robust security policies around encryption. Keeping the PKI future-proof was of utmost importance.
Lack of visibility: The growing inventory of certificates meant that the team never had a complete handle on all their certificates at any given time. This exposed them to the risk of having an undiscovered certificate expire and causing application downtime.
Lack of certificate monitoring: The absence of a real-time monitoring system to report on certificate validities and expiration dates meant that staff had to constantly keep an eye on their list of certificates and remember to renew them when they were approaching expiry.
Disparate IT infrastructure: Rabobank had two PKIs due to two different IT infrastructures. This was confusing for users since there was no transparency, and it was not user-friendly because there was no single portal where users could select the certificates they needed.
Rabobank was convinced they needed an end-to-end certificate management solution to manage the growing inventory of certificates, reduce overhead costs, and enhance security. Rabobank decided to modernize its PKI to make it future-proof. They wanted to make the PKI front-end transparent for all users and update the backend. There were a lot of different applications, which were primarily graphical user interfaces (GUIs). This meant there were inherent capabilities for API integrations.
Changing the entire PKI front-end was not an easy task. This was an enormous shift for the bank, and the team took one step at a time. They implemented a GUI, a new form ready for receiving certificate requests. Then they moved a step ahead and got revocation flows ready, followed by reporting and the creation of an API. This helped the team better support API automation.
Rabobank deployed AppViewX CERT+ and realized significant benefits from successfully managing the lifecycle of PKI certificates with end-to-end automation.
Results Achieved
Cost Savings: Significant cost savings were achieved due to:
- reduction in manual efforts needed to manage the growing certificate inventory
- reduction in FTEs as a result of automation
- reduction in maintenance costs stemming from decommissioning of legacy applications
Transparency: Users have better awareness: over 90% of their certificates are revoked once users realize they are no longer in use. This has boosted security across the company.
Reduction in certificate-related incidents: Post-discovery, AppViewX automatically maintains an inventory of the discovered certificates and allows users to group them based on devices, certificate authorities (CAs) and business units. It also generates certificate validity reports, and periodic expiry alerts are sent via email to the owner(s) of certificates.
Compliance and Audit: Rabobank issues over 1000 certificates monthly using the AppViewX CERT+ portal. Currently, there are over 100,000 valid certificates in the portal. Moreover, the inventory database holds over a million issued certificates, including valid, retired, and revoked certificates. With proper discovery and monitoring of all the certificates in the database, it is easy for Rabobank to meet all audit requirements while abiding by compliance standards.