The ongoing revelations about the SolarWinds attack made code-signing certificates known to the public. According to the analysis made by several security firms and SolarWinds itself, the code-signing process seems to have failed, allowing adversaries to inject malware. However, code-signing certificates were not the only machine identity misused in the attack. X.509 certificates were also compromised, permitting attackers to impersonate legitimate trusted users and move freely without being detected.
The attack was one more warning that strong, effective and efficient deployment and management of all your digital certificates is essential for securing yourself and your business against a variety of attacks. However, managing your certificates starts with knowing what each certificate does. Let us begin with the most popular ones, the TLS/SSL certificates.
TLS/SSL certificates are used to encrypt data in transit and to authenticate the identity of websites. The certificates are based on public key encryption. When a browser or an IoT device wishes to connect over the TLS protocol to a public-facing server, it looks up the corresponding certificate to obtain the server’s public key and validate its identity. The use of TLS machine identities prevents attacks that target the trust users place in legitimate sites and services.
There are three types of TLS/SSL certificates, namely Domain Validation (DV), Organizational Validation (OV) and Extended Validation (EV). The most prominent use of TLS/SSL certificates is on HTTPS addresses, where HTTP traffic is encrypted by a TLS layer running on top of TCP. In addition, sites protected with these machine identities display a grey lock in the URL address bar.
Code-signing certificates are used to validate the authenticity of software components used for application development. These certificates confirm the identity of the author of the code and prove that the code has not been altered or tampered with after it was signed. Code-signing certificates are the foundation of secure and trustworthy software supply chains that underpin today’s speedy DevOps pipelines.
Just like with TLS/SSL certificates, code-signing is based on public key encryption. The software developer signs the code with its private key, while anyone who wishes to include that software component into their development project can use the developer’s public key to verify that the software is coming from a trusted source. In addition, end users can ensure the integrity of the component. If the application is tampered with or altered after being digitally signed, the signature will appear invalid.
While TLS/SSL certificates are used to validate servers, client certificates are used to authenticate people or devices requesting access to sensitive corporate data or services. These certificates are an effective authentication mechanism, removing the need to rely on insecure and vulnerable passwords. Although client certificates are used to authenticate individuals and connected devices, they do not encrypt data.
These certificates are gaining traction because traditional access security and authentication mechanisms based on passwords are not adequate to protect corporate data in the cloud. Passwords are famous for being easily compromised or stolen, allowing attackers to impersonate legitimate users and move undetected within corporate networks.
Client certificates benefit businesses by providing strong, effective, and efficient user authentication while enhancing user experience. Client certificates are installed on the user’s device and determine the privileges granted to that user to remotely access corporate data and services. If the user does not have the required permissions, they will not be granted access.
How to manage your digital certificates effectively
Now that you are aware of the various types of digital certificates, you need to establish industry best practices to manage them effectively and deploy them securely. The following tips will help your organization manage TLS/SSL certificates properly and avoid unexpected outages as well as security risks.
- Gain visibility. You should gain and maintain visibility of your digital certificates in your network infrastructure. Audit your certificates to know the endpoints on which they are installed. Also, keep an up-to-date list of CAs that have issued all your certificates.
- Identify blind spots. Once you have created an inventory of your certificates, make sure to find and close all security gaps in your machine identity ecosystem. These include weak cryptographic keys or hashes and crude implementation of wildcard certificates on your sub-domains. If you discover insecure or orphaned certificates, eliminating them should be your top priority. Additionally, set early warning notifications to track the validity of your certificates and renew them before they expire.
- Establish a certificate management policy. Establish and enforce well-defined policies that delineate the roles and responsibilities of certificate owners, including system admins, public key infrastructure (PKI) admins, security teams, and DevOps staff. It’s also important to specify guidelines for requesting, renewing, and revoking certificates. Combined with expiration alert procedures, these mechanisms will help you stay clear of outages and security issues.
- Automate. Once you have all the basics in place, you’re prepared to automate deployment of your digital certificates. That’s great because manual certificate management is time-consuming and error prone. Because automation is both time-efficient and accurate, it can significantly facilitate the enrollment, installation, auditing, and renewal of certificates. Additionally, certificate management automation solutions can check your organization’s digital infrastructure for vulnerable or misconfigured machine identities and verify compliance with relevant policies.
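The inventory, blind-spot and expiry checks from the list above can be expressed as a small policy audit. This is an added example, not part of the original article or any vendor product; the record fields, thresholds, CA names and endpoints are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values (not from the article): set these from your own certificate policy.
APPROVED_CAS = {"Example Internal CA", "Example Public CA"}
MIN_BITS = {"RSA": 2048, "EC": 256}
WEAK_HASHES = {"md5", "sha1"}
RENEW_WINDOW = timedelta(days=30)

def audit(cert, now):
    """Return the list of policy findings for one inventory record."""
    findings = []
    if cert["key_bits"] < MIN_BITS[cert["key_type"]]:
        findings.append("weak-key")
    if cert["sig_hash"].lower() in WEAK_HASHES:
        findings.append("weak-hash")
    if any(name.startswith("*.") for name in cert["names"]):
        findings.append("wildcard")
    if cert["issuer"] not in APPROVED_CAS:
        findings.append("unapproved-ca")
    if not cert.get("owner"):
        findings.append("orphaned")
    if cert["not_after"] <= now:
        findings.append("expired")
    elif cert["not_after"] - now <= RENEW_WINDOW:
        findings.append("renew-soon")
    return findings

def audit_inventory(inventory, now):
    """Map endpoint -> findings, keeping only certificates that need action."""
    report = {c["endpoint"]: audit(c, now) for c in inventory}
    return {endpoint: f for endpoint, f in report.items() if f}

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample inventory; real records would come from a network scan or CA export.
NOW = utc(2021, 3, 1)
INVENTORY = [
    {"endpoint": "www.example.com:443", "names": ["www.example.com"], "issuer": "Example Public CA",
     "key_type": "RSA", "key_bits": 2048, "sig_hash": "sha256", "owner": "web-team", "not_after": utc(2021, 9, 1)},
    {"endpoint": "legacy.example.com:8443", "names": ["*.example.com"], "issuer": "Unknown Test CA",
     "key_type": "RSA", "key_bits": 1024, "sig_hash": "sha1", "owner": None, "not_after": utc(2021, 3, 20)},
    {"endpoint": "vpn.example.com:443", "names": ["vpn.example.com"], "issuer": "Example Internal CA",
     "key_type": "EC", "key_bits": 256, "sig_hash": "sha256", "owner": "netops", "not_after": utc(2021, 2, 1)},
]

if __name__ == "__main__":
    for endpoint, findings in audit_inventory(INVENTORY, NOW).items():
        print(endpoint, ", ".join(findings))
```

Running the audit on a schedule and routing the `renew-soon` and `expired` findings to the certificate owner gives the early warning notification described in the list.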
The Venafi Control Plane for Machine Identities powers enterprise solutions that give you the visibility, intelligence and automation to protect machine identities throughout your organization. Plus, you can extend your protection through an ecosystem of hundreds of out-of-the-box integrated third-party applications and certificate authorities. So you’ll never lose track of a digital certificate that could be misused in an attack like SolarWinds.