If your public key infrastructure (PKI) is like that of most companies today, it’s probably outdated. That can be a serious problem. Outdated PKI systems result in errors, missed updates, costly business interruptions, and even breaches. This is due to a lack of central visibility, consistent processes, and the refresh validation needed to streamline updates. Moreover, new security and compliance requirements and an evolving threatscape can make it costly and difficult to revamp PKIs.
Why is it so difficult and costly to refresh an outdated PKI? There are almost 24,000 keys and certificates in today’s average enterprise and 54% of security professionals admit to being unaware of where all of their keys and certificates are located, who owns them, or how they are used. In addition, establishing new root or intermediate CAs and distributing certificates to hundreds or thousands of applications and trust stores is incredibly time consuming, expensive, and error prone. Add to the mix differing, distributed applications and administrators unfamiliar with certificates, and the challenges quickly multiply.
But putting off a PKI refresh can open your business to outages and attacks. According to the Ponemon Institute, 100% of the Global 5000 surveyed have responded to attacks using keys and certificates and have had 2 or more certificate-related outages within the last 24 months. What does this mean in dollars and cents? Security professionals estimate that the total possible impact of an attack using keys and certificates is almost $600 Million and the total possible impact of a certificate-related outage is $15 Million. That’s a serious impact—even for the largest enterprises.
To stay protected from these costly and damaging incidents, you may want to consider adopting new PKI refresh standards and strategies:
- Reduce certificate lifetimes to 3 months or less, as recommended by Google and others to reduce certificate risk exposure (but even Google recently let a certificate expire, showing that even the most security conscious organizations can struggle with key and certificate management and security)
- Replace SHA-1 with SHA-2, due to potential attacks on SHA-1 certificates. (See NIST’s Policy on Hash Functions.)
- Update digital certificate maintenance rules according to compliance regulations, such as the PCI DSS, and other security frameworks, such as SANS 20.
- Develop new remediation strategies to apply following a CA compromise or new vulnerability (Venafi research shows that 3 out of 4 organizations still have not completely remediated the Heartbleed vulnerability).
Manage and Validate Your PKI Refresh with Confidence
How do you implement all of these standards and strategies? With today’s fast changing threatscape and increasing use of digital certificates, successful PKI refreshes require complete visibility, enforced policies and workflows, automation, and validation.
Visibility: Most organizations don’t have complete visibility into their PKI. But for successful PKI management, you need to identify all keys, certificates, CAs, and trust stores across your enterprise networks, the cloud, and multiple CAs.
Enforcing policies and workflows: To ensure consistency while updating your PKI, you need configurable, enforced workflows for replacement, issuance, and renewal. A policy-enforced, self-service portal can also be used to simplify certificate requests and renewals.
Automation of PKI: Automation is critical for PKI in today’s enterprises and should cover the entire CA and certificate refresh process, including the distribution and whitelisting of new CAs in trust stores.
Validating your progress: You should be able to track your progress and completion of your PKI refresh, validating that certificates are installed and applications are running.
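One way to put the refresh standards above (lifetimes of 3 months or less, SHA-2 instead of SHA-1) and the validation step into practice is a small audit pass over the certificates you have inventoried. The Go program below is an added example, not Venafi’s code: it parses each certificate and reports the findings a refresh should close. The 90-day threshold is taken from the post, the host names are placeholders, and the sample certificate is constructed in the code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxLifetime is the 3-month ceiling recommended above.
const MaxLifetime = 90 * 24 * time.Hour

// Audit reports refresh-policy findings for one parsed certificate as of
// now: a SHA-1 signature, a lifetime over 90 days, or already expired.
func Audit(c *x509.Certificate, now time.Time) []string {
	var f []string
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		f = append(f, "signed with SHA-1; reissue under SHA-2")
	}
	if c.NotAfter.Sub(c.NotBefore) > MaxLifetime {
		f = append(f, "lifetime exceeds 90 days")
	}
	if now.After(c.NotAfter) {
		f = append(f, "expired")
	}
	return f
}

// SampleCert builds a constructed self-signed ECDSA/SHA-256 certificate
// standing in for one exported from a trust store, valid for days.
func SampleCert(cn string, notBefore time.Time, days int) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore,
		NotAfter: notBefore.AddDate(0, 0, days)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	now := time.Date(2015, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock for the demo
	c := SampleCert("legacy.example.test", now.AddDate(-1, 0, 0), 1095) // constructed 3-year cert
	fmt.Println(c.Subject.CommonName, Audit(c, now))
}
```

Running Audit over every certificate in an exported trust store gives the per-certificate checklist that lets you confirm the refresh is complete rather than assume it.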
With all of these requirements, does a PKI refresh sound like an impossible task? Believe it or not, you can now take the guesswork and complexity out of your next PKI refresh and reduce your risk. With the right solution for your PKI refresh, you can achieve complete visibility, enforce policies and workflows, automate processes, and validate progress. But don’t put this project off—it could literally cost you millions.
What do you consider to be the most critical PKI updates needed? Please share your experiences and thoughts.