How Properly Managing Digital Certificates Enhances Your Security Posture
Digital Certificate Management and Cyber Security Today
Cryptography itself has been around for a while; what is interesting is how it has evolved over time. The landscape has changed since the days of mainframes and centralized computing power: everything is becoming smaller, and with the proliferation of devices and IoT, a marked shift is happening in the marketplace. More and more digital certificates are being placed onto phones, iPads, Android devices, and even onto objects that simply have Bluetooth connections that require authentication. Large companies that make Internet of Things (IoT) devices need to know how to secure them. Even cars have network stacks, and thus need to be able to upgrade firmware. As a result, there is a surge of digital certificates out in the wild, and as a business it is difficult to manage those certificates with a method such as an Excel spreadsheet. Using certificates for authentication means managing a large volume of them, and the goal should be to be proactive rather than reactive. It is important to put into perspective how your security team wants to manage your digital certificates. If you forget to replace even one certificate on a single device or server, or forget to refresh a certificate revocation list, it can take down your entire network.
Consider Amazon, for example. For every transaction that Amazon does, a certificate is generated. If Amazon’s public key infrastructure (PKI) goes down, they will lose millions of dollars per second. So, having digital certificates out in the wild and relying on them to support day-to-day business functions and tasks requires proactivity.
With that being said, what is digital certificate management? The purpose is to have full visibility into all certificates holistically, identify which are most business critical, and focus energy on making sure they are up and running, not compromised, and not about to expire. Oftentimes, however, digital certificate management is viewed as a relatively low-maintenance task, since depending on the lifetime of your certificates, you may only have to worry about expiration every 1-5 years. The problem is that this perspective leaves room for human error. If the employee responsible for digital certificate management goes on vacation the week a certificate expires, your business could be at stake. The objective of proper digital certificate management is to be actively engaged in making sure certificates are up and running.
Why Proper Digital Certificate Management is Critical to Your Security Posture
There are two types of critical impacts to digital certificates:
Outages (potential business impacts):
- Loss of income
- Customer dissatisfaction
Outages happen when a certificate is revoked and not replaced, or when its lifecycle has expired. Sometimes, where certificate management is concerned, a single certificate expires but is deployed on 400 boxes, each of which needs the replacement. If even one is missed, or the certificate is improperly used, an outage can ensue.
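The reconciliation check a certificate-management tool automates for the scenario above, as an added example that is not from the original article: given a constructed inventory in the dict shape Python's ssl.SSLSocket.getpeercert() returns per host, it flags hosts still serving a stale, revoked or soon-to-expire certificate. The host names, serial numbers, revoked set, service naming convention and audit date are all constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory for this example: one entry per host, in the dict
# shape that ssl.SSLSocket.getpeercert() returns (serialNumber, notAfter).
INVENTORY = {
    "shop-01.example.test": {"serialNumber": "1A2B", "notAfter": "Jul  1 00:00:00 2030 GMT"},
    "shop-02.example.test": {"serialNumber": "0F0F", "notAfter": "Jan  5 09:59:00 2024 GMT"},
    "api-01.example.test":  {"serialNumber": "1A2B", "notAfter": "Jul  1 00:00:00 2030 GMT"},
    "vpn-01.example.test":  {"serialNumber": "77AA", "notAfter": "Jun 15 00:00:00 2025 GMT"},
}
# Serial the PKI team currently considers authoritative for each service
# (constructed); a host serving any other serial missed the rollout.
EXPECTED_SERIAL = {"shop": "1A2B", "api": "1A2B", "vpn": "77AA"}
# Constructed revoked set; in practice this comes from the CA's CRL feed.
REVOKED_SERIALS = {"0F0F"}
# Fixed reference date so the audit is reproducible offline (constructed).
AUDIT_DATE = datetime(2025, 6, 1, tzinfo=timezone.utc)


def days_left(not_after: str, now: datetime) -> int:
    """Days until a getpeercert()-style notAfter string; negative if expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def classify(host: str, cert: dict, now: datetime, warn_days: int = 30) -> list:
    """Return the problems found for one host (empty list means healthy)."""
    service = host.split("-")[0]          # "<service>-<nn>" naming assumed for this example
    findings = []
    if cert["serialNumber"] in REVOKED_SERIALS:
        findings.append("revoked")
    if cert["serialNumber"] != EXPECTED_SERIAL.get(service):
        findings.append("stale")          # still serving a superseded certificate
    remaining = days_left(cert["notAfter"], now)
    if remaining < 0:
        findings.append("expired")
    elif remaining <= warn_days:
        findings.append(f"expires in {remaining}d")
    return findings


def audit(inventory: dict, now: datetime = None, warn_days: int = 30) -> dict:
    """Map each unhealthy host to its findings; healthy hosts are omitted."""
    now = now or datetime.now(timezone.utc)
    return {h: f for h, c in inventory.items() if (f := classify(h, c, now, warn_days))}


if __name__ == "__main__":
    for host, findings in audit(INVENTORY, now=AUDIT_DATE).items():
        print(f"{host}: {', '.join(findings)}")
```

Running the audit on a schedule, rather than relying on someone remembering the expiry date, is the "take the human component out" step the article recommends.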
Compromise (potential business impacts):
- Loss of data
- Damage to reputation
- Legal fees
Certificates used for digital signatures allow the certificate owner to prove that they signed a document and to verify their identity at the time of signing. If a certificate is out in the wild and gets breached, it is no longer trusted. In the financial world, for example, expired certificates and the resulting functionality that stops working or running properly could lead to fines. If there is a breach on an ecommerce site, visitors who enter credit card information will be exposed, because it won't be encrypted as it traverses back to the ecommerce site's server.
How Security Teams Can Tackle Proper Management of Digital Certificates
First and foremost, properly managing digital certificates really comes down to finding experts who have a proven history with PKI and digital certificates, and have learned from the pitfalls and pain points of management activities.
Many companies buy certificates from third parties, which can become very expensive. Others try to manage digital certificates in-house to save money. However, protecting and governing certificate authorities involves a myriad of security decisions that are arguably more important than issuing the certificates themselves, and it can be considerably difficult to find internal resources with the right expertise to do so.
Managing certificates properly comes down to using a digital certificate management software solution and leaving behind the habit of tracking them in a spreadsheet. Keeping the infrastructure healthy is critical too, and software helps with that as well. There are many essential pieces to digital certificate management, not just from a software perspective but also in keeping the PKI strong, so that you have the level of assurance that you won't be compromised.
A few tips:
- Know how many certificates you're going to manage: know your number.
- If you have extremely large numbers of certificates, recognize that there are ways to take the human component out of the equation, for example:
  - Involving a third party to carry out infrastructure management.
- Determine whether there's a per-certificate cost when evaluating software.
- If you're executing certificate management internally, ask yourself whether you're truly comfortable and confident in how you set up your security policy around issuing certificates:
  - Do you know what level of assurance you need?
  - Are your certificate lifecycles properly defined?
  - Are you opening your business up to vulnerabilities?
- Define business-critical systems and assets.
  - Are there places in your organization that you haven't thought of where you could use digital certificates to add security?
The advantage of working with an external party for digital certificate management is complete access to industry best practices for dealing with a complex infrastructure, as well as knowledge of, and sensitivity to, the policies that ensure your PKI isn't compromised. If you're not certain that you have the right internal specialists, don't try to manage digital certificates in-house.
Whether you choose to manage certificates internally or work with a reputable provider, it has to be done right. Make the best decision for your business based on the resources available to you.