This is part two of a blog series on easy and intuitive PKI (Public Key Infrastructure) operation for non-security administrators. In part one, I explored the role of system admins in managing encryption for their respective applications. The goal of that blog was to empower system admins and application owners to manage the keys and certificates for their own environment. Now I’m going to give practical advice to systems admins on how to get started.
As a system administrator, you may now have responsibility for managing the digital certificates that enable secure connections with your applications. But these certificates and the PKI surrounding them is not your specialty. And frankly, it doesn’t have to be. You just need to know enough about PKI to secure your applications with certificates.
But you also need to know how your certificates impact your organization’s overall security. If you don’t get it right, you could actually increase security risks, undermining the reasons that you’re using certificates in the first place. Where do you start?
First, you need to know which of your applications need secure connections and, therefore, certificates. With that information, you can create a complete inventory of applications and their associated certificates. You will then have an accurate picture of what you need to manage and protect.
Auditors will also be interested in this information, so in addition to establishing an inventory of the certificates protecting your applications, servers, and/or devices, make sure you include the metadata associated with the certificates. This metadata is readily available, so just make sure you capture that.
Once this simple inventory is in place, you’ll be able to quickly see whether all requisite systems and devices have certificates and whether those certificates are valid. You’ll also want to know when they expire, so you can avoid embarrassing and costly application outages.
Knowing exactly which certificates you are responsible for is the first step in assuring that your environment is up to date and well protected. However, you still need to make sure it complies your organization’s PKI security policies.
The policies I’m talking about here are those defined by the team who oversees certificate management across the enterprise. Their job is to ensure the environment meets internal and regulatory requirements around securing data in transit. So, they define overall policy requirements around crypto libraries, hashing algorithms, key length, validation period—all that crypto black magic that may be outside of your immediate focus.
You need to know which attributes your policies require, so you can make sure the certificates in your inventory meet those requirements. With your up-to-date inventory, you should be able to identify which, if any, fall short and might lead to a security risk or application outage. When that happens, you’ll simply need to request replacements from your PKI team.
Sound difficult? Not necessarily. With the right solution, creating and maintaining a certificate inventory for your applications and systems should be fairly simple and straightforward. All you need is a current and accurate view of your environment and an understanding of the policy requirements that it should comply with.
Armed with this information, you can go forth and conquer PKI. You’ll have what you need to maintain an accurate, up to date inventory to make sure your applications remain online and well protected. And you won’t have to be a PKI expert to do it.
Read part III of this blog series to learn what you need to know about ongoing maintenance.