The importance of effective PKI management
Public key infrastructure (PKI) is a framework of hardware and software services to create and manage public and private encryption keys and their associated digital certificates which provide authorized and non-reputable identification. PKI allows both users and networked devices and services to exchange data securely over the internet and corporate networks, while being able to verify and identify each communicating party effectively and efficiently. In addition, effective PKI prevents corporate data from being intercepted by adversaries.
In the modern digital business environment, digital certificates provide services such as secure online banking, encrypted email messages, authentication and non-repudiation of online transactions, and securing data migration in cloud platforms.
PKI also ensures regulatory compliance. Data protection and privacy regulations dictate the use of strong encryption and authentication mechanisms to secure sensitive, personal and regulated data that businesses process and store on their networks. PKI has proven to be a mature, effective means of defending data privacy.
The trustworthiness that an effective PKI brings to any organization depends on their ability to manage and maintain the security and integrity of cryptographic keys and associated certificates across their entire lifecycle. Poor key and certificate management is more than often the key cause for broken cryptographic processes.
Effective PKI management must consider all stages of certificate and key lifecycle ranging from issuance, use, protection, revocation, renewal, and decommissioning. Gaps in the lifecycle management can reduce the trustworthiness of the PKI and leave businesses vulnerable to costly outages.
Common PKI management mistakes
Use of outdated security protocols
Since the introduction of SSL protocol and the adoption of HTTPS, there have been a lot of changes to cryptography and researchers have discovered weaknesses and vulnerabilities. These vulnerabilities were leaving businesses open to exploits and data breaches. The latest version of the TLS security protocol is TLS 1.3 while all versions up to TLS 1.1 have been deprecated. In addition, many other security protocols used to secure HTTPS transmissions, like RC4 or SHA-1, have been broken and compromised. Using outdated protocols is like locking your front door and leaving the key in it. Businesses should strongly consider migrating to TLS 1.2 or (even better) TLS 1.3, AES or 3DES, and any variant of SHA-2 family.
Use of short keys
Keys are used to encrypt and decrypt information to prevent eavesdropping. These keys are mathematical algorithms, and their length determines their strength – the time required by an adversary to factor the algorithm. With an increasing computational power, more and more keys become weaker because it is more feasible for a bad actor to guess the private key. This threat necessitates the need for keys with bigger length – more bits to be stored.
A decade ago, 1024-bit RSA keys were the minimum for sufficient security. Today, 2048 bits is the standard, but with the advent of quantum security, this too will become obsolete. Businesses need to ensure that their keys are strong enough to meet the challenges of today and need to plan for future upgrades to maintain a robust PKI.
Use self-signed certificates
Keys and certificates are issued and obtained from trusted Certificate Authorities (or CA). However, sometimes organizations issue their own self-signed keys and certificates. The most common reason for doing this is for testing.
Software developers self-sign certificates for testing the application. This is a common practice that is safe as long as these self-signed certificates are not forgotten ending up in production. Once they go into the wild, they will become very dangerous, because these certificates are not robust, not stored securely and they are untracked. This is a deadly combination that can be exploited by any bad actor to impersonate, create rogue certificates and wreak havoc.
Poor key and certificate protection
Keys are strong only if they are stored securely. Many companies opt in for storing their keys in plain sight spreadsheets or USBs, instead of using fit-for-purpose Hardware Security Modules (HSMs) or software vaults/key stores. Failure to use a strong protection device will leave keys accessible to anyone to steal or duplicate them. If we combine that with a lack of access controls and least privilege policies to determine who can obtain these keys, we end up with a broken PKI leaving the company open to many a threat.
If a malicious actor gets access to encryption keys, they can easily steal or compromise sensitive information, code sign malicious code and trick people into downloading seemingly legitimate software into their systems. Weak key storage puts customers at risk and will cause severe reputational damage.
Infrequent key rotation
CAs have enforced shorter certificate lifespans to ensure the integrity of certificates and to minimize the impact of a compromised or rogue certificate. The current lifespan is set to 13 months, while it is good practice to rotate certificates in intervals of six months or sooner. Many companies are already electing certificate lifespans as short as a few days.
While we are all aware of the necessity and importance of rotating certificates, very few rotate the associated keys. Although keys do not have expiration dates, it is highly recommended that we also rotate them. Rotating keys can help businesses prevent criminals from using compromised keys to masquerade and impersonate legitimate websites, luring customers into trusting their credentials with a rogue entity. Rotating keys regularly can enhance businesses security, but unfortunately it is not a common practice.
Lack of automation
Automation improves efficiency and eliminates error-prone processes. PKI automation helps businesses streamline certificate and key management – gain visibility into how many certificates there are, who are their owners, renew and revoke certificates. The biggest advantage offered by an automated PKI is limiting human intervention and decreasing the chances of costly errors.
Despite the many benefits of PKI automation, businesses employ manual processes to manage their PKI structure. With certificates exploding in every organization, manual management leads to untracked, orphaned certificates that will eventually expire causing damaging outages. A manual PKI is an unreliable and untrusted PKI and should be always avoided.
The solution: centralized, automated PKI
Public key infrastructure must rely on solid foundations, otherwise it will collapse. Businesses need to adhere to industry best practices to make the structure secure, effective, and efficient. Corporate policies need to clearly define roles and responsibilities, establish management practices and procedures. In addition, these policies need to be adhered to and enforced.
A centralized and automated PKI management program is a must have for all enterprises, especially for large organizations who possess a huge number of certificates and keys to manage. It is the only way to achieve a robust framework to secure your certificates and your business. You don’t have to be knowledgeable on encryption algorithms to understand that the security gaps introduced by weak PKI management procedures turn a strength into a liability that most businesses cannot afford.
How AppViewX CERT+ helps you
AppViewX CERT+ helps organizations by automating every step in PKI management. It discovers, inventories, provisions, renews, and revokes certificates with minimal human investment, and makes certificate management incredibly easy by supporting ACME, SCEP, and EST protocols. It’s platform-agnostic and provides multi-vendor support, so you can manage all PKI-related activities from a single platform.