It’s that time of year again. The days are getting longer and the lists of to-dos are piling up, most likely motivated by the spring cleaning itch. In some parts of the country you can already see and hear the landscaping trucks buzzing through neighborhoods. The air begins to smell of freshly cut grass and ring with the distant hum of weed whackers. As I began to review my spring cleaning list, it became glaringly apparent that my garage was well beyond overdue for an overhaul. I realized I had many other tasks to take care of, but I had put off cleaning and organizing my garage for too many years. In fact, too many to actually count.
As I began my project, I realized that a number of comparisons exist between cleaning the garage and the corporate challenge of cleaning up old and unused certificates and keys: those extremely important, but often overlooked assets that establish identities for machines, such as servers, VM’s, Blockchain, etc. If you leave old machine identities lying around, bad guys can steal them to get access to your private information.
Just as I finally acknowledged that I needed to get my garage in order, more and more corporations are starting to realize that they need to do the same with their certificates and keys, which are foundational to their security. It’s great that many companies are beginning to realize this, which is the first step in the process. More important, however, is actually doing something about it. Having a plan and possessing the right tools and resources are critical to both.
This is where the first problem raises its ugly head. For over twenty years, companies have been using manual methods (queue the Excel spreadsheet) and perhaps a few homegrown scripts in an attempt to track and manage their certificates and keys. But how can the task of cleaning up tens of thousands of keys and certificates be accomplished when the location of many of them is unknown, as well as the current disposition of each? In my garage, I had a similar issue. I at least knew where all the boxes and piles of stuff were, but I certainly didn’t know the contents of the boxes and what to do with the stuff once I found it.
This leads to the second challenge: the meticulous process of sifting through the boxes and deciding what will be kept, cleaned, sold, or should make its way to its final resting place; the dump. This same process should be taking place across corporate data centers and networks concerning keys and certificates. Often called the inventory process, this is when the many certificates on a network are classified and cleaned up. Just like with my garage, the same decisions arise: what should be kept as is, updated/fixed, or deleted? Ultimately, what policies and workflow should be developed to ensure that machine identities are managed and protected? In other words, what will help you eliminate outages (caused by expiring certificates), and protect the multitude of certificates and keys from misuse by the bad guys?
The manual process of cleaning my garage was a bit overwhelming, but I realized that having the right process and tools helped me accomplish the task far more efficiently. Using a vacuum cleaner and blower to clear out the dead leaves, cobwebs and dust proved much more effective than simply using a broom. Similarly, many companies use ineffective and much less efficient manual processes that fail to meet the extensive requirements of today’s complex corporate networks. Lack of speed and automation, along with human error can often lead to costly consequences. Interestingly, while cleaning the garage, I also discovered other areas that needed to be updated, such as the aged shelving and paint. Similarly, corporations must update their old certificates (3+ year expiration dates), as well as many self-signed and wild card certificates.
Early in the process, I recognized that if I had kept up with regularly cleaning my garage, it wouldn’t have been such a big undertaking to clean and organize. Many corporations find themselves pushing away (or delaying)
the task of cleaning and securing their keys and certificates because it’s difficult and they have so many other competing challenges and projects. Also, it is nearly impossible to organize them without the proper processes and tools (platform) in place. Trying to search, inventory, clean up, conduct ongoing management, automate the certificate life-cycle, and maintain policies and workflows to protect these critically important assets with only a “broom” is crazy.
Ultimately, I realized that when you lack the process and tools necessary for the project, you risk creating a bigger mess and may just end up walking out in disgust because very little has been achieved. Have you ever felt this way? So, whether it is cleaning out your garage or securing those critically important keys and certificates on your network, don’t delay. The problem will only continue to grow and get worse. In my case, my project is completed, and my garage looks great! How do your keys and certificates look?