Organizations use SSL/TLS certificates and keys to secure communications over the internet by providing end-to-end encryption of data-in-transit. That means that organizations are using X.509 certificates across their entire IT infrastructure to protect corporate information and their customers. Given the prevalence of these digital transactions in large organizations, certificate management is of great importance. One of the challenges of managing a large number of certificates is that the expiration of even a single certificate can cause application outages that may prove to be very costly and cause any number of ripple effects.
As digital transformation is well underway, and businesses automate processes to minimize costs and increase productivity, more cloud platforms, IoT devices, virtual machines and services are introduced in corporate networks. Organizations need to identify these machines that are providing access to corporate data. As a result, we are witnessing an explosion in the number of digital certificates owned by enterprises.
The problems with manual certificate management
Certificates are not a “fire and forget” solution. These machine identities have their own lifecycle, which needs to be managed effectively. Once a certificate is installed, it has to be continuously monitored for security issues breaking its validity, renewed when it expires, and replaced with a new one when necessary.
Using manual processes to manage the certificate lifecycle is an error-prone, unreliable, and time-consuming approach, especially if we consider the thousands of certificates an organization might need to handle on a regular basis. Certificate life spans are currently set at one year and we can anticipate that they will become even shorter in the months to come. Manual certificate management creates a lot of problems, including:
- Inefficient Policy Enforcement and Auditing: Lack of consistent control over who issues and owns certificates and keys does not allow for reliable auditing or corporate-wide policy enforcement.
- Blurred visibility: Lack of centralized processes severely limit visibility into your trust structures, which lead to certificates being untracked. Lack of visibility makes it extremely difficult—if not impossible—to locate certificates before they expire to prevent certificate outages.
- Insecure private key storage: Lack of visibility into certificate ownership results in keeping associated private keys in unsecured locations instead of centrally managed Hardware Security Modules (HSMs). This insecure practice leaves the enterprise vulnerable to data breaches because of compromised certificates and keys.
Why Do You Need a Control Plane for Machine Identities?
Best Practices for Certificate Management
Businesses can circumvent certificate management problems by establishing centralized, well-structured certificate lifecycle management processes and ensuring that all development and operations teams are equipped with clear visibility and control over their PKI. These processes should be automated to remove the margin of error and implement a security infrastructure to handle your encryption needs.
The best way to ensure you are following the industry’s best practices in certificate management is to delve into the NIST recommendations for TLS certificate management laid out in SP 1800-16. The following points, however, constitute a quick best practice guide for securely and effectively managing your certificates.
Obtain Visibility
Ensure that you are always aware of every certificate in your enterprise. Having visibility into your certificates means periodically scanning the network to identify certificates and mapping them to the machines where they are installed. While this greatly simplifies future certificate management processes, it also helps administrators look backward to discover orphaned, expired, or otherwise insecure certificates.
Maintain Inventory
Certificate discovery doesn’t stop with scanning your network. Care must be taken to ensure that the results of the scan are stored and updated in your existing inventory. In addition, discovered certificates should be grouped to allow for more simplified management. You may elect to create groups for certificates used in testing and production environments. You may also group them based on business functions. The latter will help you simplify tracking your certificates and alert escalation.
Enforce Policy
It is not enough to just develop organizational policies according to the NIST recommendations. You will have to enforce these best practices via automation. For example, it’s in your best interest to automate the renewal of certificates that exceed 80% of their validity period. Such rule-definition capabilities for policy enforcement enable you to prevent outages and recover from potential incidents.
Protect Private Keys
It is highly recommended that you store private keys in equipment accredited to the FIPS 140-2 standard – usually Hardware Security Modules (HSMs). No matter which key protection solution you chose to rely on, make sure to remove the human factor from the security equation. When you prevent individuals from having direct access to private keys, you eliminate the possibility of theft or misuse and make it simpler to discover potential compromises. You can automate key orchestration by automating workflows to push certificates and their keys to machines. In cases where you need access to keys, be sure to establish a role-based, least privilege approach.
Continuous End-to-End Monitoring
Besides establishing automated processes for certificate lifecycle management, PKI infrastructures have to be continuously monitored for gaps. You will need to set up a monitoring system that ties into every aspect of your certificates across multiple CAs and network security/automation software. Dashboards that monitor the expiry of certificates and redundancy to the corporate policy are incredibly handy. In addition, you should establish an early warning system to alert designated certificate owners to notify them of impending issues that require their action. The early warning system will keep all certificate stakeholders informed while minimizing noise.
Conclusion
Organizations should ensure that they adhere to these recommendations. Better safe than sorry—it takes just one untracked certificate to break an otherwise solid machine identity security program. Preventing certificate outages is a lot simpler than dealing with their impact afterward.
The Venafi TLS Protect Cloud solution can help discover all your TLS certificates and corresponding private keys so you can protect these machine identities across your infrastructure. By automating the replacement of expiring certificates, you can eliminate outages and quickly respond to vulnerabilities, CA compromise, or other errors.