Federal BOD 19-02: Here’s how you can stay compliant

Introduction

With the issuance of Binding Operation Directive 19-02 (BOD 19-02), the Department of Homeland Security is cracking down on digital vulnerabilities and security risks across internet-accessible systems tied to federal networks. The directive supersedes its predecessor, BOD 15-01, shortening the permitted time for federal agencies to remediate critical system vulnerabilities from 30 days to 15.

The Cybersecurity and Infrastructure Security Agency (CISA), the federal body that oversees the implementation of this directive, assists participating agencies in this regard by providing Cyber Hygiene scans. The automated service sweeps networks to identify potential threats and vulnerabilities, and presents the results in comprehensive reports, which security professionals can use to gauge and reinforce their security infrastructures. Here’s a sample screenshot from a Cyber Hygiene report:

Figure 1 lists detected vulnerabilities in order of occurrence, and SSL certificate-related issues come out as the top offender. SSL/TLS certificates form the core of any organization’s security setup. They secure channels of communication and the virtual identities of hardware and software across the entire digital environment, and cumulatively make up the Public Key Infrastructure (PKI) of a network ecosystem. Given that a weak link in a large organization’s PKI could result in anything from nationwide application downtime to theft of the personal information of millions of citizens, it is imperative for such organizations to carefully monitor their certificate infrastructures and ensure resilience against potential mishaps.

The DHS’s recognition of certificate-related mishaps as threats to national information security is a huge wake-up call for the community to take notice of them, and work towards rendering their organizations free of such incidents.

The Problem: An abundance of certificate-related vulnerabilities

Digital certificates serve to authenticate web-based devices and applications, and to encrypt traffic between endpoints. Because they are tied to browsers, firewalls, and hardware across multiple cloud-based environments, any averagely-sized setup is bound to have upwards of ten thousand certificates in its inventory. These certificates are also subject to several variables:

  • They have varying expiration dates
  • They’re deployed across multiple environments
  • They’re documented by different departments
  • They’re issued by several different Certificate Authorities (CAs)

Considering the above factors, manually managing SSL/TLS certificates can get out of hand. Fast. And when a certificate in an intricate hierarchy undergoes a quiet expiry, it can set off a chain reaction of outage events that leaves the organization’s web-based services unusable until the appropriate renewal is in effect. Beyond the business lost during the outage, the costs are compounded by non-compliance fines and a loss of trust in the application. Certificate-related issues are costly affairs indeed.

The AppViewX solution

Certificate Lifecycle Management (CLM) solutions are comprehensive, end-to-end tools that work with your network architecture to monitor and manage the certificates tied to them.

AppViewX CERT+ is a Gartner-recognized PKI management tool which ups the ante by providing not only a certificate management platform, but also an automation engine that allows in-house network security and PKI teams to set up workflows that periodically renew and provision certificates in their environments and devices, thereby significantly reducing the manpower and margin of error involved.

With CERT+ managing your certificates, you’ll have no pesky certificate-related issues plaguing your Cyber Hygiene reports. As is apparent from the figure, these issues take up a major section of the report at any given time, taking an average of 158 days to resolve.

At federal bodies, this tool can free up engineers’ timesheets, permitting them more time to work towards BOD 19-02. And for large private enterprises, the tool works wonders in bringing PKI management under a single roof, serving the dual purpose of saving valuable time, and also reinforcing organization-wide security infrastructures.

Essential Features:

Discovery and Monitoring

Simply put, your digital certificates do not all live in one location. They’re spread across multiple endpoints, which can include physical devices, firewalls, servers, and cloud-based platforms. What’s more, certificates may also have dependencies based on their chains of trust, which adds another layer of complexity to a certificate infrastructure. And since certificates are so vital to the secure operation of a web-based system, they’re deployed incessantly, which, owing to human error, can leave a lot of certificates unintentionally undocumented.

Undiscovered certificates are huge potential security risks, given their unmanaged status. A pending renewal could go unnoticed, eventually leading to an application outage when it does expire. Post-expiry, locating the certificate in order to remedy it could also take longer than necessary.

AppViewX CERT+ has a discovery engine which scans your environments to locate and catalogue all the X.509 certificates scattered across your network. Once located, they are mapped in an all-inclusive inventory, along with the details bound to them. With a bird’s-eye view of your certificate roster, quickly identifying due renewals or security weaknesses becomes a straightforward activity.
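As an added illustration of the inventory step described above (example code written for this article, not AppViewX’s own), the Go program below parses a PEM bundle of the kind a server or appliance exports, records each certificate’s subject and expiry, and flags anything expiring inside a warning window; a 15-day window mirrors the BOD 19-02 remediation deadline. The sample certificates are self-signed and constructed in memory, so nothing here touches a real network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// CertRecord is one inventory row; Status is "expired", "expiring" or "ok".
type CertRecord struct{ Subject string; NotAfter time.Time; Status string }

// ExpiryStatus classifies a certificate against a warning window of warnDays.
func ExpiryStatus(c *x509.Certificate, now time.Time, warnDays int) string {
	if !now.Before(c.NotAfter) {
		return "expired"
	}
	if now.AddDate(0, 0, warnDays).After(c.NotAfter) {
		return "expiring"
	}
	return "ok"
}

// Inventory parses every CERTIFICATE block in a PEM bundle and classifies it.
func Inventory(bundle []byte, now time.Time, warnDays int) ([]CertRecord, error) {
	var out []CertRecord
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // private keys or other PEM objects exported into the same file
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err // a corrupt entry is itself a finding; stop and report it
		}
		out = append(out, CertRecord{c.Subject.CommonName, c.NotAfter, ExpiryStatus(c, now, warnDays)})
	}
	return out, nil
}

// SelfSignedPEM builds a constructed sample certificate (not real data) that expires at notAfter.
func SelfSignedPEM(cn string, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Feeding a real exported bundle to Inventory with the current time and a 15-day window yields the list of certificates that would appear as findings in the next report.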

Key Management and Protection

Private keys are integral components of digital certificates. The private key is the secret half of the public-private key pair, so a compromised private key could allow attackers to impersonate legitimate endpoints and steal valuable information in phishing or man-in-the-middle attacks. Manual key management employs weak key-storage mechanisms, which enables attackers to simply gain access to the low-security storage device and retrieve the key.

With AppViewX CERT+, every private key tied to a certificate is automatically stored in an AES-256 encrypted database. While minimizing human contact with the key, this method is also highly resistant to cyber attacks. Alternatively, users may choose to store keys on FIPS-compliant HSMs, adding another layer of security between potential hackers and their valuable private keys.

Certificate Lifecycle Management and Automation

Certificate lifecycle management encompasses a broad, cyclic range of activities that include renewal, pushing, provisioning, validation, revocation, and occasionally, creation. Manually handling them is not only time-consuming and impractical (given the variables involved with individual certificates), but also highly error-prone; after all, there are only so many details a spreadsheet can viably keep track of without becoming indecipherably cluttered.

AppViewX CERT+ automates the entire process, with an almost zero-touch approach to managing the entire lifecycle. Our Holistic View takes a panoramic, GUI-based approach to displaying your certificate infrastructure, allowing users to carry out the above certificate operations with a single click. Our pre-installed application connectors and Certificate Authority integrations allow users to seamlessly renew a certificate or push it to a device at the press of a button. What’s more, our user-configurable automation workflows eliminate the need for constant monitoring and action, delegating human effort to the machine. You can also set up reminders for, say, an upcoming expiry, in the event that a manual renewal is necessary.

Reporting, Audit Trails, and Role-based Access

A well-rounded security setup tracks every change administered to it, and allows only sufficiently authorized users to make such changes. This is a crucial requirement, since unauthorized access to critical components can result in widespread confusion during maintenance at best, and security compromises at worst. Not keeping track of changes to infrastructure can have a similar compounding effect in the long run.

AppViewX CERT+ features a systematic audit trail function, recording every action carried out on any given certificate. In addition to enhancing troubleshooting capabilities, it is also handy for locating specific events and reconstructing what happened.

It also boasts granular role-based access control, which allows users to define roles, delegate access to workflow components, and restrict visibility to simplify certificate provisioning activities. CERT+ can give users device-level visibility into certificate-related tasks, handy for when one needs to view certificates but does not possess clearance to modify them. Lastly, CERT+ has provisions for request/approve functionality bundled with the workflow builder, supplementing network-wide transparency and process visibility.

To top off the security suite, CERT+ features graphical reports, both pre-assembled and customizable, that give administrators a single pane of glass to proactively monitor their network infrastructures for certificate-related issues and quickly remedy them. With dynamic reports ranging from expiry events to compliance, CERT+ ensures that organizations will never be caught unawares by a looming episode due to a lack of visibility.

Closing Statement

With the Department of Homeland Security officially designating certificate-related threats as priority risks that need to be remediated ASAP, it’s every organization’s duty to ensure that their certificate infrastructure is as secure as possible. With a tool like AppViewX CERT+ in your arsenal, you can delegate the entire certificate management lifecycle to us, giving you ample time to focus on other external-facing components in your security setup.
