

How To Securely Automate PKI with Keyfactor & PAM

PKI

Privilege, in the IT world, carries a lot of weight and an equally heavy risk. IT and security teams are responsible for keeping the business moving and secure – but to do this, they need access to critical systems and processes. Most enterprise users have a limited set of privileges, such as Internet browsing and using certain applications (e.g. Office 365 or Salesforce), but it is often the powerful few, privileged accounts and users, that can cause the most damage.

Privileged users and accounts have access to business-critical systems and processes. For instance, think about all of your local admin, domain or AD admin, and application accounts. Misuse, abuse, or compromise of these privileged account credentials can have disastrous consequences. Enterprise users can have far more privileges than they require, creating an unintentionally large attack surface. Shared accounts and passwords also present a serious risk, especially amongst IT and security teams.

According to a 2019 Ponemon Report, 69% of enterprise respondents “admit to sharing passwords with their colleagues in the workplace to access accounts, and more than half of respondents (51 percent) reuse an average of five passwords across their business and/or personal accounts.”

This isn’t the first study to show the same trend in security practices. In fact, we also know that most passwords composed by individuals can be cracked with sufficient time and resources, due to lack of complexity or limited length. Of course, this behavior inevitably leads to an increase in account compromises, whether through external attackers, simple user mistakes, or even insiders gone rogue.

One method to resolve the issue is multi-factor authentication (MFA) or two-factor authentication (2FA), but low adoption rates mean that credential sharing and weak passwords are still a widespread issue. One explanation is that 2FA doesn’t lend itself well to enterprise automation. Many workflows, such as standing up a new server, have become an automated process kicked off by a request or click of a button. This process simply isn’t effective if an administrator is required to participate in the two-factor authentication process at the time of the request.

Enter Privileged Access Management (PAM)

At a high level, a PAM solution helps organizations gain visibility and control over their privileged accounts and users. It allows them to securely manage and monitor privileged access to reduce the potential attack surface, prove compliance, and prevent known threats, including Unauthorized Privilege Escalations, Pass-the-Hash, and Pass-the-Ticket attacks. It’s also possible to achieve these goals without hindering automated workflows by integrating directly with applications to provide access to their required credentials, without the need to involve administrators.

It comes as no surprise that privileged access management topped the list of Gartner-recommended Top 10 IT Security Projects for the past two years in a row. But where does PAM fit into your public key infrastructure (PKI)? And how does Keyfactor enable secure automation? Let’s put the pieces together.

Where does PAM fit into PKI?

PKI, as the name implies, is more than just the digital certificates you use to secure your web and application servers (and things of the like) – it’s an ecosystem or “infrastructure” of certificate authorities (CAs), underlying hardware and software, people and policies, and of course, the devices, users, and applications that consume the certificates. If weak credentials or password sharing practices are used for any of these components, it’s entirely possible that your PKI, and more specifically your private keys, are at risk.

Certificate renewal, replacement, and key rotation operations typically require privileged access to key and certificate stores across your infrastructure, such as F5 BIG-IP, Amazon Web Services (AWS), Azure KeyVault, and Java Key Stores (JKS). Storing or sharing these privileged credentials outside the enterprise password vault presents a security challenge, but involving administrators to manually retrieve these credentials is also risky and not at all automation-friendly.

Keyfactor PAM Integration

Keyfactor previously required direct access to privileged account credentials to perform key and certificate lifecycle automation tasks. That’s all changed with Keyfactor 7. Keyfactor can now automatically retrieve credentials held by your PAM solution to enable secure automation of keys and certificates.

In other words, PKI admins don’t need to save privileged credentials for key and certificate stores into the Keyfactor Command or Keyfactor Control applications. Instead, they provide Keyfactor with the information necessary to access the vault, authorize the Keyfactor server to retrieve the required credentials, and let it use them to get your certificates where they need to go. That way, all certificate and key lifecycle operations are subject to the same policies and practices in place for all other privileged accounts in your infrastructure.

This enables true machine-to-machine communication by automating the retrieval of the password required to access the key or certificate store from your PAM solution, without any human involvement. Moreover, if you have a process in place to rotate the password of your stores after accessing them through your PAM solution, Keyfactor will automatically use the new password the next time access to the store is needed, without any update required from the PKI admin. This allows you to get the full benefit of an automated infrastructure and secure your key stores and private keys, all at once.
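As an added illustration (not Keyfactor’s code; every class and function name below is hypothetical), here is the difference between a tool that keeps its own copy of a store password and one that only holds a credential reference and resolves it from the vault each time a job runs, including the post-access rotation case described above:

```python
import secrets

class PamVault:
    """Stand-in for the enterprise password vault (constructed for this example)."""
    def __init__(self):
        self._secrets = {}
        self.audit = []  # every retrieval is logged with the requesting identity

    def set_secret(self, ref, value):
        self._secrets[ref] = value

    def retrieve(self, ref, requester):
        self.audit.append((requester, ref))
        return self._secrets[ref]

    def rotate(self, ref, store):
        """Rotate the store password after use; vault and store both get the new value."""
        new = secrets.token_urlsafe(24)
        self._secrets[ref] = new
        store.password = new

class KeyStore:
    """Stand-in for a key/certificate store (e.g. a JKS file or an F5 BIG-IP)."""
    def __init__(self, password):
        self.password = password

    def renew_certificate(self, password):
        if password != self.password:
            raise PermissionError("store authentication failed")
        return "renewed"

def stored_credential_job(store, password):
    """Old pattern: the PKI tool holds its own copy of the store password."""
    return store.renew_certificate(password)

def vault_backed_job(vault, store, ref, requester="keyfactor-orchestrator"):
    """PAM-integrated pattern: only a reference is configured; the password
    is fetched from the vault at the moment the job runs."""
    return store.renew_certificate(vault.retrieve(ref, requester))

def run_scenario():
    """Two renewals with a password rotation in between, for both patterns."""
    vault, ref = PamVault(), "Safe/F5-BIGIP-prod/keystore"  # constructed reference
    store = KeyStore("initial-Pa55")
    vault.set_secret(ref, store.password)
    copied = store.password  # the stored-credential tool's private copy
    results = {"before": (stored_credential_job(store, copied),
                          vault_backed_job(vault, store, ref))}
    vault.rotate(ref, store)  # post-access rotation policy kicks in
    try:
        stale = stored_credential_job(store, copied)
    except PermissionError:
        stale = "failed: stale copy"
    results["after"] = (stale, vault_backed_job(vault, store, ref))
    results["audit"] = list(vault.audit)
    return results
```

The vault-backed job keeps working after rotation without any configuration change, and the vault’s audit trail shows exactly which identity fetched which credential.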

Want to learn more? Check out Keyfactor Command on the CyberArk Marketplace or watch a 15-minute presentation and demo.