Nov 20, 2019 9:01:20 AM
Are You Building On What's Already Broken? Why Your PKI Needs A Check-Up

After more than 20 years of working hands-on with public key infrastructure (PKI), few things ring truer than this: PKI may be complex to begin with, but the real challenge is finding the right resources and expertise to keep it running after deployment. If it weren’t, I wouldn’t be in the business of helping organizations tackle this challenge every day.

Nine times out of ten, the organizations I speak to either didn’t design and build their PKI properly from the start, opting to cut corners to reduce complexity and expense. Or the PKI they built years ago has become increasingly difficult to manage over time. All too often, decisions are made in the management of the PKI, which unexpectedly or unknowingly result in the downgraded security of the overall infrastructure. What once was a foundational security tool has now become a risk liability.

Building on What's Already Broken

Many of the PKIs built years ago had a team of experts behind them, but now most organizations have transitioned that responsibility to the security, IT team or the identity team. Unfortunately, it’s not unusual for the policies and practices set out from the start to get lost in translation, either in transition from the project team to the team responsible to run the PKI in production, or as responsibility for PKI switches hands between individuals over time. Simple misconfigurations, security vulnerabilities, and lapses in policy enforcement find their way into your PKI, all too often going undetected, undocumented and making it practically unrecognizable from the original.

Today, IT and security teams are confronted with the challenge of trying to securely retrofit and re-engineer their existing PKI to support new applications like IoT, DevOps and Cloud. But try as they might to fulfil that challenge, the reality is you only have one chance to get PKI right: at installation. After that, the only way to fix a mistake is to re-build from the ground up.

PKI implementations from the past were not designed to support the needs, scalability and complexity of today’s hyper-connected IT environments, and most organizations are building on what’s already broken.

The Obvious Example - Equifax

It’s all too easy to point a finger at Equifax, but the reality is that the underlying security gaps that led to this breach are not at all uncommon in many enterprises today, particularly when it comes to their PKI.

While a series of security missteps led to the breach – namely, an unpatched Apache struts vulnerability – it was a single expired certificate on a device used to monitor ACIS network traffic that caused Equifax to miss the exfiltration of data out of their environment. It wasn’t until they renewed the certificate (about 19 months past its expiration date) that suspicious traffic was detected.

As it turns out, it wasn’t just one certificate. According to the congressional report, “Equifax allowed at least 324 of its SSL certificates to expire. Seventy-nine of the expired certificates were for devices monitoring highly business critical domains.”

As organizations become increasingly dependent on their PKI, the risk of certificate-related breaches, outages, and failed audits grows as well. Security teams must not only automate the management of keys and certificates – they must also ensure that the underlying components of their PKI (i.e. Certificate Authorities, Certificate Revocation Lists, Backup, Disaster Recovery, etc.) are running at the expected assurance levels of the organization.

Prevent -- Don't Patch -- PKI Vulnerabilities

PKI simply cannot be patched.  Once a decision has been made that downgrades the security posture of the infrastructure, it can never be brought back up.  Think of it as a one-way street with the direction of travel beginning at secure and leading to insecure or risky.  All too often PKI fail audits due to an attempt to “fix” a mistake that has been made along the way.  There are just some things that can’t be undone, such as putting a Root CA online, allowing sensitive key usages into certificates, and many more.

For many organizations, the only way to ensure their PKI is secure and able to keep pace with demands for new use cases, technologies, and business growth, is to build and design a new PKI from the ground up. Don’t get me wrong, it’s a daunting task – but with proper investment in infrastructure, personnel and operations, the operational cost, risk, and complexity of PKI can be drastically reduced.

Where to Start

If you’re not sure where to start, learn more about our PKI as a Service that does the heavy lifting for you or check out these tools our team has developed to help you on your path to PKI success: