Businesses are going increasingly digital. According to forecasts from IDC, the worldwide spending on digital transformation has increased by 17% since 2017, and is expected to reach $1.3 trillion this year. 1 As a result, there are a growing number of web-facing applications that are making access to information and services easier for customers, while also opening doors for cybercriminals. But, why has access to privileged information become easier for cybercriminals?
The SSL/TLS certificate – the most common application of the X.509 public key infrastructure specification – uses a public key (certificate) and private key pair to authenticate the identity of the application owner as well as secure communications between the application and the end-user. This process makes SSL/TLS certificates the foundation of trust on the internet. Thanks to the explosion of digital businesses and increased efforts by web-browsers to secure the internet, the number of SSL/TLS certificates has grown by 37% and is well on its way to making up 80% of all web applications (loaded using Google Chrome), by the end of 2018. 2
This ubiquity and trust has also attracted the interests of cybercriminals. In fact, in the first half of 2018, zScaler saw a 30% increase in encrypted payloads that used fake certificates with valid digital signatures that imitated legitimate enterprises. 3 Most of which used private keys stolen from these unsuspecting enterprises or featured domain-validated certificates that closely resembled these enterprises. In fact, there is a thriving dark web market selling valid certificates for only two hundred dollars. 4 This makes obtaining access to a fake digital certificate, and in turn, access to privileged information, easier than ever.
And when even Gartner believes that by 2020, 70% of network attacks against enterprises will hide in encrypted traffic, how do we tackle this imminent threat?
The 5 Pillars of Certificate Protection Anywhere
Gone are the days when enterprises exclusively guarded their data-centers on-premises. With the introduction of cloud and its various benefits, enterprises have increasingly adopted a hybrid approach to hosting their applications. In fact, over 96% of enterprises today use a hybrid strategy for their data centers, with an average of three or more different clouds driving various applications in their infrastructures. And, herein lies the problem.
Each of these different applications distributed across various on-premises and cloud servers require a SSL/TLS certificate to establish trust online. Thus, enterprises end up managing hundreds or even thousands of certificates and their private keys in their hybrid network infrastructures. And, when this is mostly done using traditional management techniques like spreadsheets, certificate protection, not just management, gets complicated. Spreadsheets are an inefficient means of managing critical certificates as they don’t support the following 5 pillars key to certificate protection, leaving enterprises susceptible to a variety of certificate-related issues.
Visibility is the cornerstone of any protection mechanism. Yet, most enterprises still have little to no visibility into their certificate infrastructure. Most of the information that ensures full visibility (such as the number of certificates in use, their locations, their expiration dates, and their ownership details) are either improperly documented or not documented at all when managed manually in spreadsheets. Even when they are documented, the high risk of human error impacts the accuracy of the inventory. And, to make things worse, there are now free certificates that make it too easy for individuals to acquire a trusted certificate making it nearly impossible for enterprises to identify rogue certificates.
Regardless of any certificate-related issue, poor visibility can often lead to poor management as it is very difficult to manage the unknown. This poor management leads to security events that become difficult to remediate without a clear line of sight into the infrastructure. Thus, an up-to-date certificate inventory is crucial – for which you must have periodical discovery mechanisms in place, made possible with tools such as AppViewX’s Certificate Lifecycle Automation solution, that continuously updates the status of your certificates.
Once you have all the necessary information on the various certificates and their keys, protecting them in both storage and transmission is critical. Most enterprises resort to storing private keys in shared folders and on multiple unauthorized devices and sending them insecurely via email and chat platforms. With multiple unsecured touch points, it becomes easier for cybercriminals to steal private keys and access privileged information. So, how do you secure private keys?
There are ways to guarantee the safety of your private key inventory in an administrator’s system, even when they must be sent to an end device. One way to protect them is by limiting the storage of private keys to only a few or just the end device with restricted access, dictated by your directory system. Or, administrators can also encrypt the private keys and store them in a password-protected folder. This leaves the hacker to first brute-force the password and then decrypt the private keys. Another alternative is to store the private keys in a secured location like a HSM (hardware security module) – a device that safeguards and manages valuable data in an infrastructure either by encrypting it or making it impossible to be retrieved.
Now that, you have established complete visibility and protected your certificates using the various techniques outlined above, what next?
You must restrict access to these certificates and their private keys. Traditionally, enterprises use their directory systems to dictate the various levels of access restrictions. But these directories are only designed to control access to devices that host the application and can’t control actions on certificates and their private keys. This makes it impossible to establish read-only access to simply monitor critical certificates. And, when you add the complexity of implementing Requestor/Approver workflows, traditional management methods fall short.
There is no better option when it comes to providing granular, multi-layer access control to your certificates than a dedicated certificate management tool. With traditional, manual management methods, it will always be a see-everything, do-everything approach (possibilities of unauthorized access) and never a see-everything, do-nothing approach – in case you need your team to just monitor these certificates and flag issues.
Compliance is just one part of the larger problem solved with the use of a comprehensive auditing mechanism. Auditing also helps you identify and remediate unauthorized access and actions performed on certificates and their private keys. While proper access control can help you limit unauthorized access, traditional management methods lack this capability. With old, manual management methods, you’re forced to rely on device logs to identify malicious activity. In such cases, there is no single source of truth as you must scour through multi-vendor device logs to identify any relatively important information. And, to make matters worse, not all devices have that capability, making it extremely difficult for enterprises to quickly identify and remediate threats before it’s too late. That’s why it’s imperative to quickly establish a comprehensive auditing mechanism – to establish a single source of truth which collates information from all device logs and updates them regularly.
Reports play a critical role in any management activity. They provide crucial information that help you
make the right decisions at the right time, especially during large projects, like a PKI deprecation,
where all certificates of a particular characteristic (i.e.SHA-1) must be migrated to a more secure PKI.
However, a report is only as good as the information it’s fed. When you use traditional management methods, the certificate information maintained on a spreadsheet is often inaccurate. This, in turn, makes the ensuing reports useless. To improve the credibility of your reports, you must work on establishing proper visibility by employing tools to discover and update the certificate inventory on a regular basis. Once the underlying data becomes error-free, you can extract reports on certificate expiration by month, non-compliant certificates, or certificates belonging to a certain category, which makes certificate management and protection easier
Certificate Management Made Easy With AppViewX
AppViewX’s Certificate Lifecycle Automation is a one-stop solution for the automated discovery, expiration alerting, renewal, secure provisioning and revoking of SSL/TLS certificates with granular role-based access regulation across multi-vendor infrastructures. It arms Security Operations and Public Key Infrastructure (PKI) teams with the critical insights needed to avoid unwanted outages and other issues associated with non-compliant certificates. The AppViewX Platform integrates with major Certificate Authorities such as GeoTrust, Comodo, GoDaddy, DigiCert, Microsoft CA and Entrust.
While rogue, unknown and unmanaged certificates often lead to unplanned application outages, they also serve as easy targets for hackers. The Certificate Lifecycle Automation solution enables on-demand discovery of certificates from servers, clients, and ADC devices across hybrid infrastructures through a variety of modes, such as IPs, subnets, URLs and managed device logins. The discovered certificates are then automatically converted into an inventory with the required information attached. Users can schedule these discoveries at their convenience or choose a midnight sync option to keep their inventory updated every day. Users can then choose between a FIPS-compliant, AES 256 encrypted key-store or an industry-standard HSM for the storage of private keys. Properly documenting every certificate is the first step to preventing certificate vulnerabilities, and the AppViewX Platform’s auto-discovery helps you do just that.
Role-Based Access Control
When multiple stakeholders are involved, lackluster collaboration and improper ownership mapping can spoil any attempt to prevent unplanned outages. The threat of expiring certificates aside, weak certificates and unregulated access can also compromise the security of your application infrastructure. AppViewX’s Certificate Lifecycle Automation solution helps you administer policies – such as recommended cryptographic techniques, CAs, and workflows – to validate and eliminate rogue certificates. Users can also delegate access with Requester/Approver workflows and apply granular visibility to individual certificates or certificate groups to enable efficient provisioning. The AppViewX Platform integration with external directory systems like AD, LDAP, and RADIUS makes it easier to assign access the appropriate stakeholders, improving operational efficiency and cross-team collaboration.
Auditing and Reporting
Unauthorized actions on critical certificates can expose your enterprise to security vulnerabilities. AppViewX’s Certificate Lifecycle Automation solution helps you track and audit every single event related to a certificate’s management in its audit logs, irrespective of the Certificate Authority and end-device, to prevent unauthorized actions. And to enhance reporting capabilities, the centralized dashboard helps you gain necessary insights such as Certificate Expiry by Month, Certificate Expiry by Certificate Authority, Certificate Compliance, etc. to manage your certificate infrastructure efficiently. This dashboard is dynamic and can be customized based on the data most important to you. The information on the dashboard can also easily be converted into shareable reports that can be sent as frequently as you choose, automatically.
Given PKI technology is secure, the need for digital certificates in secure communications and authentications is only going to increase. As a result, enterprises will need more certificates in more formats from multiple certificate authorities to push to multiple devices distributed across hybrid infrastructures with varying functionalities. To put it quite simply, using manual methods will not get the job done. Users must adopt specialized tools that check all the right boxes to help manage and automate the entire certificate lifecycle, extinguishing certificate-related threats before it’s too late.
The right automation tool can help you achieve unlimited possibilities in your digital transformation journey with limited resources. To learn more about our solutions, please visit https://www.appviewx.com/solutions/certificate-lifecycle-automation/.