CSS Presents PKI Promises for the Security of Next Year
Making 2017 Your Business’ Most Secure Year
2016 was an eventful year for cyber security, from beginning to end. While longstanding security problems remained challenging, many new methods of executing cybercrime emerged and affected businesses across all industries, and a number of high-impact attacks dominated headlines throughout the year.
Unfortunately, there’s no way to know for sure what will happen in 2017—but we can guarantee that the cyber security environment is not going to get any less dangerous. Being prepared and having a proactive cyber security strategy will help security organizations protect their businesses, which is why CSS has put together a quick list of 5 PKI New Year’s Resolutions for 2017.
5 PKI New Year’s Resolutions for 2017
1. I will execute proper reporting for PKI usage.
The most common misstep among public key infrastructure (PKI) administrators is failing to report properly on PKI usage and losing track of who is actually using the enterprise PKI. Unfortunately, the toolsets available to most PKI administrators, in organizations of nearly any size, are deficient and force them to rely on intricate scripting rather than a packaged solution like CMS.
Make sure that you’re executing proper PKI reporting and digital certificate management in order to have real-time visibility into issued certificates and trends. Implementing automated expiration alerts will prevent the difficult business impacts that recur when a critical certificate expiration goes unnoticed.
2. I will reestablish the business use case of each published certificate type.
Now is the time to verify that the initial intentions, business reasons, and subscribers stated still apply for each certificate template. How long has it been since the purpose and settings of each published certificate type have been thoroughly scrutinized?
3. I will identify all applications on my network that are still using self-signed certificates and ensure they can be enrolled in our PKI.
An application that operates with a self-signed certificate is most likely using a certificate that has not met the basis of trust established by the enterprise PKI. Unfortunately, self-signed, untrusted certificates are often found on corporate networks.
Choosing a solid certificate management tool, such as CMS, with the capability to selectively crawl your entire network and discover every certificate in use will help to eliminate this problem. As a PKI admin, it is critical to discover all self-signed certificates on your network and determine whether each one has a valid business purpose. If it does, replace it with a real certificate issued by your PKI; if it doesn't, get rid of it.
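The two checks that resolutions 1 and 3 ask for on every certificate a network crawl turns up, as an added Go example that is not CSS's or CMS's code: is the certificate self-signed, and how many days remain before it expires. The names ("Corp Issuing CA", "intranet.example", "appserver01") and the 30-day alert threshold are constructed; a certificate is treated as self-signed only when its issuer matches its subject and its signature verifies under its own public key, so a cert that merely copies a CA's name is not misclassified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Inspect classifies a DER cert as of now: self-signed = issuer == subject AND the signature verifies under its own key.
func Inspect(der []byte, now time.Time) (cn string, selfSigned bool, daysLeft int, err error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return "", false, 0, err
	}
	selfSigned = c.Subject.String() == c.Issuer.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	return c.Subject.CommonName, selfSigned, int(c.NotAfter.Sub(now).Hours() / 24), nil
}

// MakeCert builds constructed test data: a P-256 cert for cn, signed by parent/pkey or by itself when parent is nil.
func MakeCert(cn string, notAfter time.Time, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, BasicConstraintsValid: true, IsCA: isCA}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // c.Raw holds the DER encoding
	return c, key
}

func main() {
	now := time.Now().UTC().Truncate(time.Second) // whole seconds, like the encoded NotAfter
	ca, caKey := MakeCert("Corp Issuing CA", now.AddDate(10, 0, 0), true, nil, nil)
	leaf, _ := MakeCert("intranet.example", now.AddDate(0, 0, 20), false, ca, caKey)
	rogue, _ := MakeCert("appserver01", now.AddDate(3, 0, 0), false, nil, nil)
	for _, c := range []*x509.Certificate{leaf, rogue} {
		cn, self, days, _ := Inspect(c.Raw, now)
		fmt.Printf("%-18s self-signed=%-5v expires-in-days=%4d alert=%v\n", cn, self, days, days < 30)
	}
}
```

The PKI-issued leaf reports self-signed=false with a 20-day expiry alert, while the rogue application certificate reports self-signed=true and would be flagged for replacement or removal.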
4. I will ensure that the registration authorities and other applications are issuing certificates securely.
When acting as a SCEP proxy, MDM applications should verify all of the subscriber data during mobile device certificate enrollment, but with alarming frequency this is not the case.
In other cases, if self-signed certificates are used, devices will trust a certificate that does not support revocation. Make sure the CRL can be verified, and that registration authorities and applications are using certificates that can be revoked.
5. I will seek help with PKI.
It’s not uncommon for IT employees to be tasked with PKI administration as an ancillary job function, or without the training and resources needed to manage it properly. At CSS, we often see PKIs running on autopilot long after they were implemented.
Seeking the right training, resources, and expertise for delegating PKI activities is absolutely critical to the overall security posture of your business. PKI is not a security platform that you can afford to get wrong. If your security organization is not in a position to be able to devote the necessary time and attention to your PKI, it’s time to seek a reputable source for accurate PKI expertise and certificate management experience.
Gearing Up for 2017
If your security organization has experienced some missteps in 2016, there’s still time to create a better plan for next year. PKI administration is a critical role, and implementing the right strategy, policies, and procedures will go a long way in enhancing the security posture of your business.
If your security team is interested in taking a closer look at your cyber security strategy for 2017, or has questions about PKI design, deployment, or management, we welcome you to connect with CSS.
Our CSS Research, professional services, and development teams feature experts in the field of digital identity. For over a decade, we’ve been trusted security advisors to more than half of the Fortune 500.