As we’ve discussed in the previous blog, most PKI teams are maligned in their organizations because of certificate outages. Whenever there’s an outage due to a certificate expiring, executives shake their heads and say, “Why can’t that PKI team get it right? Certificates can’t be that complicated! I mean, it is just a freakin’ expiration date! They know it is coming!”
Hmmm. Let’s have a look at why PKI teams may need a little help.
In most large organizations, PKI teams typically have two to five people (usually closer to two than five). In addition to managing certificate authorities (CAs), these small teams are tasked with supporting hundreds of administrators with thousands of systems and corresponding certificates, normally spread across multiple geographical locations.
In order to fully install or replace a certificate, you need sufficient access to the system where it will be used so you can install it. Though PKI teams have responsibility to manage the CAs that issue certificates, they rarely have any access to the systems where those certificates are deployed. Those systems are controlled and managed by system administrators working in or with lines of business. As you can imagine, it is literally impossible for a team of two to five people to know on which systems thousands of certificates have been deployed and to keep track of who owns those systems, especially amidst regular reorgs.
When the PKI team knows that a certificate is nearing expiration, they’re stuck calling around trying to find the owner and/or following up with the owner when they don’t take action. Doing this for a handful of certificates is challenging enough. Doing it for thousands is mind boggling. In addition to the certificates that the PKI team knows about (because they’ve been issued through the approved CAs), system administrators will often generate their own certificates (self-signed or from an unapproved CA) that the PKI team is not aware of, leading to BIG surprises when they expire, and plenty of security risk.
And yet, even with this impossible situation, most executives still hold PKI teams accountable for outages caused by certificate expirations, even when they are not. However, because system administrators are not held accountable, there is no incentive for them to take responsibility for their certificates. You can see how this is a recipe for failure.
In future blogs, I’m going to expand on the risks this situation creates and best practices for certificate management. In the meantime, it is worth summarizing here one of the most important changes most organizations need to make to minimize their risk and turn certificates into a security asset instead of a security and operational liability:
- Make lines of business and systems administrators responsible and accountable for the management of certificates.
- Make sure they know what they need to do, through education and well-defined policies.
- Make the PKI team accountable for providing all the services necessary for these lines of business to be successful.
We’ll refer to this as the “governance best practice” in future posts. In my opinion, it is one of the most important elements of the successful use of certificates as a security infrastructure in medium to large organizations.
Read my next blog to learn where you may be at risk.