Organizations are embracing digital transformation and emerging technologies at an increased rate. In fact, this rate has accelerated in 2020 to address a pandemic-driven move to online business. In addition, the proliferation of IoT devices, the migration of data in multi-cloud environments, and advances in virtualization and DevOps have skyrocketed the number of SSL/TLS certificates that enterprises hold.
More machines means more machine identities. And in addition to the increasing importance of digital certificates as machine identities, another crucial trend that is complicating machine identity management is the shortening of SSL certificate lifespans. As of September 2020, the lifespan of certificates has reduced to just 13 months or 398 days. This trend is expected to continue in the future, with some organizations already issuing certificates that are valid for only a few days or even hours.
Crypto agility is essential
Despite their importance, digital certificates are often left poorly managed. Because of weak certificate management practices, nearly every enterprise has experienced an outage due to an expired certificate. These outages have proven to cause great damages to affected businesses. Beyond the risk of certificate related outages, various cryptographic incidents, such as algorithm vulnerabilities and advances in computing, have enhanced the need for businesses to become crypto agile. Here are 6 key factors businesses need to consider for maintaining crypto agility:
- Mass certificate revocations: How do you respond to certificates being revoked en masse on a short notice?
- Algorithm deprecation: Researchers may discover vulnerabilities hidden into cryptographic algorithms. This was the case with the SHA-1 hashing algorithm. Organizations were required to migrate to SHA-2 family of hashing algorithms.
- CA compromise: If a CA is breached, the entire chain of trust is broken. Certificates issued by the compromised CA are rendered invalid and they must be replaced with new ones.
- CA agility: Most businesses rely on more than one CA to avoid lock-in. Being able to switch from one CA to another is critical for business agility and maintaining continuity in case of cryptographic incidents.
- Crypto-library bugs: If a bug is found with the key-generation functions of a cryptographic library, then all keys generated since the bug was introduced must be replaced. Vulnerabilities like Heartbleed in OpenSSL expose certificates and private keys to risk.
- Quantum crypto: Advancements in quantum computing require organizations to prepare for the implementation of post-quantum algorithms.
Key factors for effective certificate management
How do you respond to these certificate management challenges to maintain crypto agility? The answer is by employing policies and practices for effective certificate management.
Understand the importance of TLS certificates
To effectively address the challenges related to the management of TLS certificates, everyone needs to be aware of the importance of these machine identities. Every employee who interacts with certificates in any way needs to understand the consequences of rogue certificates or the damage that happens when a certificate expires. Certificate related outages can cause reputational damage and cost businesses a lot. According to Gartner, network downtime costs roughly $300,000 per hour. Compromised or stolen certificates are being leveraged by cyber criminals to wreak havoc, exfiltrate sensitive data or launch DDoS attacks. They can also be used to impersonate legitimate websites, causing harm to potential customers, and loss of revenue due to damaged trust.
The foundation to every successful security program is to have visibility into your assets. An effective certificate management program should also start by establishing and maintaining clear visibility across all SSL/TLS certificates in a corporate environment. The inventory should focus on:
- Certificate Authorities (CAs), which are the source of most certificates and synchronize with internal and public CAs.
- Devices and endpoints where certificates are installed across the business network.
- Key and certificate stores to discover certificates not exposed to a port on the network.
The process of identifying all SSL/TLS certificates in a business ecosystem should create a centralized inventory of all issued certificates. Additionally, it should identify certificate owners and map these certificates to the web servers and apps where they are being used.
Define responsibilities and policies
The proliferation of DevOps, microservices, containers and IoT devices has created a new category of certificate owners. These frequent users are not knowledgeable about the best practices for managing the certificates they own. With security teams being outnumbered by the certificate owners in DevOps, it is imperative to enforce consistent policies and responsibilities across the board. Defining clear roles and responsibilities for certificate owners and ensuring consistent policies for every team involved in the certificate lifecycle is the only way to avoid “blame games” that result from gaps in certificate management. These policies should include:
- Role-based access and permissions for certificate owners
- Audit all user and certificate-related activities
- Enforce standardized certificate templates and practices
Detect vulnerabilities and respond
Having visibility into the certificate ecosystem and assigning clear and consistent policies can assist organizations spotting vulnerabilities and mitigating them before becoming a threat. Poorly managed certificates that are close to expiration or weak cryptographic keys pose significant security risks. For example, an expired certificate disabled TLS inspection systems that enabled the notorious breach at Equifax. By continuously monitoring the status of the certificates and having an early warning system an organization can:
- Find vulnerable certificates (e.g., those signed with weak algorithms, like SHA-1)
- Prevent outages due to certificate expiration by notifying certificate owners beforehand
- Respond to cryptographic incidents such as CA or algorithm compromise
Automation and self-service
The sheer number of certificates and the complexity of effectively managing the entire certificate lifecycle make manual processes time consuming and error prone. Clearly, manual processes are not adequate for the modern business environment. Organizations need to invest on an automation solution to prevent certificate outages, free up IT resources and end-users from hours of manual tasks related to certificate requests, issuance, provisioning, and renewal. In addition, automated certificate management can enable self-service workflows for users to request and renew certificates prior to expiration, automate provisioning and installation of certificates on network endpoints and schedule reporting to certificate owners or PKI admins.
The Venafi TLS Protect solution can help discover all your TLS certificates and corresponding private keys so you can protect these machine identities across your infrastructure. By automating the replacement of expiring certificates, you can eliminate outages and quickly respond to vulnerabilities, CA compromise, or other errors.
- 8 Certificate Management Mistakes You Can Avoid
- Why Is Machine Identity Management Critical?
- Why You Need Automation for Certificate Management