Today, we’re introducing significant updates and improvements to Keyfactor Command. If you’re not familiar, Keyfactor Command is the world’s most complete and scalable cloud PKI as-a-service and certificate lifecycle automation platform, and it solves two of the biggest challenges facing most enterprises today:
(If you are familiar, skip ahead to Keyfactor 7 Updates)
1.) The PKI Problem
Public key infrastructure (PKI) has taken on an increasingly important role in securing applications and devices across the organization – from traditional use cases like TLS/SSL to new initiatives like Cloud, DevOps, and IoT devices. But PKI isn’t just software. Effective PKI requires highly secure facilities, specialized training and expertise, constant maintenance, and the right hardware and policies to run it effectively and keep it under control.
Keyfactor Command Cloud-Hosted PKIaaS provides all the benefits of PKI, without the cost and complexity of running it in house. Our team builds and runs your PKI for you, from a highly redundant, scalable and secure infrastructure, while you retain complete control of the root and key recovery materials.
2.) The Certificate Problem
Beyond the mechanics of PKI, every certificate across your enterprise must be effectively managed – whether issued from private or public CAs. We find that most organizations don’t even know how many certificates they have, much less where they live or when they expire. It takes just one expired certificate to cause a serious network or application outage. Manual spreadsheets or homegrown tools just don’t cut it for certificate counts that now reach into the thousands, even hundreds of thousands.
Keyfactor Command Certificate Lifecycle Automation can plug into your existing PKI deployment on-premise, or it can run in the cloud with our PKIaaS solution. At the highest level, it enables organizations to discover, monitor and automate the lifecycle of keys and certificates across their IT environment. This helps them effectively prevent outages or breaches, and easily adapt to change with crypto-agility.
Let’s dive into the new features and functionality in our latest release – Keyfactor 7. After months of work, we’re excited to announce improvements to the security of our customers’ networks and, more importantly, to the day-to-day work of the people running them.
Keyfactor 7 – New Features & Updates
New Integrations with CyberArk and Thycotic
Automating the lifecycle of keys and certificates is critical to preventing outages or breaches, and it also requires access to privileged system and application accounts. This includes certificate stores on web servers, load balancers and other critical network or cloud infrastructure. For those that have adopted Privileged Access Management (PAM) solutions, security teams will typically mandate that credentials for any privileged system or application accounts be kept in an enterprise password vault. But without access to the vault, automation just isn’t possible.
Keyfactor has partnered with leading PAM solutions, CyberArk and Thycotic, to help organizations strengthen their security without compromising productivity. These integrations allow Keyfactor Command to securely retrieve credentials held by CyberArk or Thycotic that are used to access certificate stores in applications like AWS, F5 BIG-IP, Citrix ADC, and Microsoft IIS. This enables our customers to perform sensitive certificate renewal, revocation, and key rotation tasks, while keeping privileged credentials stored securely within their enterprise password vault.
Improved User Auditing Capabilities
Non-compliant or rogue certificates typically find their way into networks through lack of visibility and insufficient policy enforcement. Keyfactor Command allows enterprises to group certificates, monitor status, and enforce consistent policies to ensure that every certificate is identified and in compliance with your security policies. Equally important though is the ability to ensure that your system is running the way it’s intended to, and that all user activities are tracked and audited as well.
Our latest release offers improved auditing capabilities to track configuration changes and user activities within Keyfactor Command. This provides additional peace of mind for our customers, knowing that the system is running as configured with no unexpected changes to important settings such as certificate templates, workflow policies, scheduled reports, and security roles.
More Built-In Reports and Dashboards
Our customers need more than basic reporting – they need in-depth intelligence into their PKI and certificate landscape. With Keyfactor Command, a powerful built-in analytics engine allows our customers to do just that. Customizable widgets and reports make it easy for end users to get a holistic view of their keys and certificates, dive deeper into audit details, or even take action right from the dashboard for tasks like renewal or revocation.
We are always expanding our collection of out-of-the-box reports and widgets to meet our customers’ needs, without any custom configuration required. For instance, a new dashboard widget provides users with a quick view of their SSL endpoints with certificates expiring within the next 30 days. Another report shows all certificates by signing algorithm for security and compliance reporting. These will help our customers to simplify compliance audits and ensure that no certificate passes expiration.
Extended Discovery Capabilities
Our SSL/TLS discovery engine helps organizations locate and actively monitor their certificates by scanning devices across their network, such as web servers, load balancers, firewalls, containers and cloud infrastructure. To enable deeper network discovery and help security teams identify every certificate, we’ve introduced support for Server Name Indication.
Server Name Indication (SNI) is an extension of the TLS protocol in which the client names the host it wants to reach during the handshake, so the server can select the matching certificate. It enables web servers to host multiple TLS certificates for multiple websites, all under a single IP address. Now, Keyfactor Command will recognize SNI configurations and discover multiple certificates that could reside under one IP address. With no per-certificate fees, our customers can bring these newly discovered certificates under management without incurring additional charges.
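An added example, not Keyfactor's code, of why certificate discovery has to be SNI-aware: it probes one address once without SNI and once per known hostname, groups the answers by certificate fingerprint, and reports which certificates an IP-only scan would never see. The address `192.0.2.10`, the `*.example.test` names and the `constructed_fetch` stand-in are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

def fetch_leaf_cert(ip, port, sni=None, timeout=5.0):
    """Return the DER leaf certificate the server presents for this SNI value.
    sni=None sends no server_name extension, so the server picks its default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Inventory scan: expired or self-signed certificates must be recorded too,
    # so chain validation is off. Never reuse this context to exchange data.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)

def discover(ip, port, hostnames, fetch=fetch_leaf_cert):
    """Map SHA-256 fingerprint -> list of SNI values that returned that cert."""
    found = {}
    for name in [None, *hostnames]:
        try:
            der = fetch(ip, port, name)
        except OSError:  # also covers ssl.SSLError (refused, timeout, alert)
            continue
        if der:
            fp = hashlib.sha256(der).hexdigest()
            found.setdefault(fp, []).append(name or "<no SNI>")
    return found

def missed_without_sni(found):
    """Fingerprints that were only ever served when a hostname was sent."""
    return sorted(fp for fp, names in found.items() if "<no SNI>" not in names)

# Constructed stand-in for a multi-tenant server, so the example runs offline.
CONSTRUCTED_VHOSTS = {"shop.example.test": b"cert-shop",
                      "api.example.test": b"cert-api"}

def constructed_fetch(ip, port, sni=None):
    # Unknown or absent names fall back to the default certificate.
    return CONSTRUCTED_VHOSTS.get(sni, b"cert-default")

if __name__ == "__main__":
    names = ["shop.example.test", "api.example.test", "unknown.example.test"]
    result = discover("192.0.2.10", 443, names, fetch=constructed_fetch)
    for fp, served_for in result.items():
        print(fp[:16], served_for)
    print("missed by an IP-only scan:", len(missed_without_sni(result)))
```

Against real hosts you own, call `discover` without the `fetch` argument; the hostname list would come from DNS zone data or a CMDB, since the server does not enumerate its virtual hosts.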