As the world’s top organizations go all in to modernize for the future, you can be sure that certificate lifespans will continue to shorten. Factors such as the pace of continuous development and rapidly evolving threat landscapes are key driving factors that push the industry towards more secure, shorter lifespan certificates.
To that end, Google has indicated a strong preference for shorter certificate lifespans. They are actively working to reduce the validity period from 398 days to 90. When ratified by the CA/B Forum, this shift will dramatically increase the number of certificates that organizations have to deal with. And that means a corresponding increase in staff hours and budget required to manage a continuously rotating certificate population.
With 90-day certificate lifespans, managing the rapidly changing number of TLS/SSL certificates that your organization relies on will become unworkable without the help of automation. Tools you have traditionally used to manually manage TLS certificates, such as spreadsheets, databases and CA dashboards, fail to provide the intelligence that will help you drive automated issuance, renewal and replacement quickly. Your challenge of managing shorter certificate lifespans will only get worse as the number of machines relying on these certificates continues to skyrocket.
To help address these challenges, the National Institute of Standards and Technology (NIST) supports the argument that organizations can no longer rely on manual processes to protect TLS certificates in its 2019 publication NIST SP 1800-16, Securing Web Transactions: TLS Server Certificate Management. NIST’s new SP 1800-16 framework gives organizations prescriptive guidance for developing policies and processes to secure and manage TLS certificates and private keys—with automation as the foundation to the effective management and security of these machine identities.
In SP 1800-16, NIST describes how many organizations fail to “leverage available automation tools to support effective management of the ever-growing number of [TLS] certificates. The consequence is continuing susceptibility to security incidents.” Put simply, the increased reliance on TLS keys and certificates has rendered “manual certificate management impractical,” with risks often being “the result of errors made while manually managing certificates.”
According to SP 1800-16, organizations must have automated processes in place to effectively discover, manage and perform actions on TLS certificates across their IT environments. For example, the ability to effectively rotate expired or compromised TLS certificates with little to no human intervention requires several steps that necessitate automation:
- Complete TLS certificate inventory: Having visibility into all TLS certificates across a network in real time
- Complete information about each TLS certificate: Knowing the location, owner, issuing CA and expiration date of every certificate managed by the organization
- Rotation and replacement: Ensuring that expiring certificates are replaced before they lapse and cause a security event
To deploy effective automation that will protect TLS certificates from security risks, you’ll need a comprehensive framework with commonly accepted parameters to follow. It’s not surprising that SP 1800-16 has been one of the most downloaded publications in NIST history, given the overwhelming need for guidance in this area. That’s because, until recently, guidance for protecting TLS certificates from major standards bodies was vague at best.
The impact of SP 1800-16 is just now being felt, with many CIOs only beginning to absorb the ramifications of its recommendations, particularly with regard to automation. What follows is a brief overview of what the NIST framework encompasses.
Best practices for automating TLS/SSL certificates
NIST SP 1800-16 provides detailed guidance for medium and large enterprises leveraging TLS to verify and authorize internet-facing and internal machines. Here are a few examples of best practices that relate to the policies driving automation:
- Clear identification of roles and responsibilities around securing TLS keys and certificates
- Defined operational and security policies specific to TLS keys and certificates
- Parameters around certificate procurement, including authorized CAs, as well as approval parameters based on how certificates will be used and who, if anyone, needs to approve those certificates within a given workflow
- Maintaining certificate validity periods
- Appropriate key lengths and signing algorithms with specific minimal standards provided by NIST
- Rotation policies based on a certificate owner’s reassignment or renewal
- Crypto-agility planning and bulk certificate replacement
- Continuous monitoring of a TLS certificate’s operational and security status
- Automation of the TLS certificate lifecycle, including procurement, issuance, and renewal or revocation
- Reporting for audit purposes
NIST SP 1800-16 also specifies the processes that are prime candidates for automation, including:
- Keeping an accurate inventory of all deployed certificates, including relevant metadata
- Tracking ownership of each deployed certificate and revoking the ownership of anyone who has been reassigned or terminated using the principle of least privilege
- Controlling ownership and access to private keys based on the principle of least privilege
- Maintaining a policy folder structure that includes self-service permissions and approval workflows
- Streamlining vulnerability remediation
Where should you start your certificate automation program?
Even if you are concerned about TLS/SSL certificate risks to your organization, do you have agreed-upon standards that will help you build and enforce your certificate management policies? What about the available tools that can help you prevent and mitigate these threats?
Fortunately, solutions are available that can help organizations gain insight into all TLS/SSL certificates on your network and automate multiple steps related to discovering, monitoring and managing these certificates across their lifecycles. The best tools usually take a holistic, CA- or platform-agnostic approach rather than solutions that may not monitor certificates issued by other CAs or used on other platforms.
To eliminate TLS security risks, you must be able to discover, track and continuously monitor all TLS certificates in real time across your entire enterprise network, including those used in the cloud and in virtual and DevOps environments. In complex, rapidly changing networks, this is a tall order.
So, how does your organization start to address the problem? Here are six steps Venafi recommends you take to implement an effective TLS machine identity management program for your organization:
- Discover all certificates. Choose a discovery tool that leverages automation to discover all TLS certificates across your entire extended network—including cloud and virtual instances, as well as various CA implementations. This will help you locate every certificate that can impact the reliability and availability of your organization’s critical infrastructure.
- Create a complete inventory. Catalog your entire inventory of certificates and store it in a centralized repository where you can track and manage their status and details. This makes it easy to rotate your certificates before they expire. Automation enables you to update your inventory in real time.
- Verify security compliance. Invest in a solution that will ensure all certificates have the proper owners, attributes and configurations no matter which CA issues them. This will guarantee all certificates meet key security regulations.
- Continuously monitor certificates. Conduct nonstop surveillance of all certificates so that you’ll know well in advance if a certificate is going to expire, giving you ample time to replace it. This approach also helps detect and prevent certificate fraud and misuse, addressing critical security concerns.
- Automate renewals. Eliminate the risk of human error by automating certificate renewals, so you can install, configure and validate certificates in seconds. You’ll not only improve availability, but you’ll be able to do it in a fraction of the staff hours previously required.
- Ensure crypto agility. If you discover that any of your TLS certificates have been compromised or untrusted, you need a way to quickly revoke and replace these certificates.
Organizations, especially those in the Global 5000, now rely on a huge number of machines to drive their businesses. As a result, CIOs and other senior-level IT executives need to reevaluate the ways in which they secure the identities of these machines to keep sensitive data secure. This is arguably one of the greatest security challenges they face, particularly as the number and types of machines continue to surge, along with increasing industry pressure to use short-lived certificates that improve the security of TLS communications across the internet.
If you are looking to gain control of your TLS/SSL certificates, NIST SP 1800-16 provides a prescriptive framework that describes how to implement an effective TLS certificate management program. Perhaps the most important takeaway from SP 1800-16 is the importance of leveraging automation to harden TLS certificate management processes. Manual certificate management and patchwork programs that depend on CA dashboards is no longer an option.
Without the intelligence and automation necessary to deliver comprehensive, real- time visibility into every machine identity in use across the organization and detailed intelligence on where and how they are being used, CIOs will not be able to reduce the growing security and operational risks connected with the vast population of certificates their organizations are using. This is the only approach that makes it possible to dynamically issue and replace certificates before they expire or are compromised and to minimize security and operational risks.
Learn how Venafi can help your organization automate certificate lifecycle management to harden your security: venafi.com/TLS-Protect.