Global Banking and Finance Review
    Security Best Practice – How to Keep the Keys to the Kingdom Safe

    Published by Gbaf News

    Posted on October 24, 2012

    By Calum MacLeod, EMEA Director at Venafi

    Organisations of all sizes and industries maintain extensive financial, customer and mission-critical business data. However, when sensitive information is misused or compromised, organisations will often pay a heavy price. Recent high-profile security breaches have cost millions in revenue and lost opportunities. These fears, along with new security standards and regulations, have driven IT professionals to deploy encryption more broadly.

    The problem is that, having done so, the encryption keys used to secure data become the figurative “keys to the kingdom.” The key (and not the data itself) becomes the entity that must be safeguarded. Efforts to manage these keys manually, however, represent a significant security risk and become operationally challenging, especially as encryption is deployed across disparate systems and applications.

    Organisations are struggling to properly manage and control these rapidly multiplying certificates and keys to prevent security breaches, system downtime and other disasters. It’s a catch-22 situation – but it doesn’t have to be.

    The EKCM Challenge
    Before we can solve the problem of enterprise key and certificate management (EKCM), we must first fully understand the challenges faced:
    • Certificates that are not renewed and replaced before they expire can cause serious downtime and outages
    • Regulations and requirements (like PCI-DSS) demand stringent security and management of cryptographic keys, and auditors are increasingly reviewing the management controls and processes in use
    • Private keys used with certificates must be kept secure or unauthorised individuals can intercept confidential communications or gain unauthorised access to critical systems. Failure to ensure proper segregation of duties means that admins who generate the encryption keys can use them to access sensitive, regulated data
    • The average certificate and private key require four hours per year to manage, taking administrators away from more important tasks and costing many organisations hundreds of thousands of pounds per year
    • The rollout of new projects and business applications is hindered because of the inability to deploy and manage encryption to support the security requirements of those projects
    • If a certificate authority is compromised or an encryption algorithm is broken, organisations must be prepared to replace all of their certificates and keys in a matter of hours

    The simple fact is that certificates and private keys play a critical role in securing data and systems across all types of organisations. Having understood the risks of unmanaged encryption deployments, it is imperative to utilise EKCM best practices.

    EKCM Best Practice
    The effective management of certificates and private keys involves multiple individuals and groups. It is critical to establish clear and concise responsibilities for the various stakeholders. This helps ensure that nothing gets overlooked and that multiple parties aren’t duplicating each other’s work.

    The critical starting point in any certificate and private key management strategy is to create a comprehensive inventory of all certificates, their locations and responsible parties. This is not a trivial matter because certificates are deployed in a variety of locations by different individuals and teams – it’s simply not possible to rely on a list from a certificate authority. Adhering to the practices below will ensure that no certificates are missed:

    Import from Certificate Authorities
    Gather what you already know about the certificates from existing certificate authorities. It is very dangerous to assume that an import from your known CAs will provide an accurate inventory of all certificates; it’s merely a starting point that must be augmented by discovery.

    Individual Import from Admins
    Network and agent-based discoveries can take time and it may not be possible to perform them in all corporate locations. That makes it critical to educate administrators and make sure they are proactively reporting any certificates they are aware of and adding them to the inventory.

    Perform Network Discovery
    Perform a network discovery to find certificates that are present on a listening port such as HTTPS. Start by gathering your network address ranges and then collect a list of ports to check. You can initially check on port 443, but there are many ports on which certificates are commonly presented.

    Agent-based Discovery
    Many certificates are not discoverable via network ports, such as client-side certificates used for mutual authentication on SSL. Finding these certificates typically involves performing file system scans on server and client systems with a locally-installed agent.

    Sounds simple! Just remember that performing an inventory is not a one-time event. You should repeat the steps above weekly to ensure the inventory is up to date.
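
    As an added example (not the article's or Venafi's code), here is what the network discovery step looks like in Python: expand the gathered address ranges and port list into targets, complete a TLS handshake with each one, and turn the certificate it presents into an inventory row. The port list, the 10.0.0.0/30 range and the sample getpeercert() dict are constructed assumptions; a chain that does not verify (private CA, self-signed, expired) is still recorded by fingerprint, since those are exactly the certificates a CA import would never show.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone
from ipaddress import ip_network

PORTS = (443, 8443, 636, 993, 995)  # assumed port list; 443 is only the starting point

# Constructed sample of the dict SSLSocket.getpeercert() returns for a verified cert.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "pay.example.test"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "serialNumber": "0A1B2C",
    "notAfter": "Oct 24 12:00:00 2026 GMT",
    "subjectAltName": (("DNS", "pay.example.test"), ("DNS", "www.pay.example.test"), ("IP Address", "10.0.0.1")),
}

def plan_targets(cidrs, ports=PORTS):
    """Expand the address ranges and port list into (host, port) pairs to probe."""
    return [(str(ip), p) for c in cidrs for ip in ip_network(c).hosts() for p in ports]

def entry_from_peercert(cert, host, port):
    """Turn a getpeercert() dict into one inventory row; the owning group is assigned later."""
    def field(name, key="commonName"):
        return dict(kv for rdn in cert.get(name, ()) for kv in rdn).get(key, "")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {"host": host, "port": port, "subject": field("subject"), "issuer": field("issuer"),
            "serial": cert.get("serialNumber", ""), "not_after": expires.date().isoformat(),
            "sans": sorted(v for t, v in cert.get("subjectAltName", ()) if t == "DNS"), "owner": None}

def fetch_certificate(host, port, timeout=3.0):
    """Inventory row for host:port, or None if nothing there completes a TLS handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # scanning by IP: names are recorded, not enforced
    for attempt in ("verified", "fingerprint"):
        try:
            with socket.create_connection((host, port), timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                if attempt == "verified":
                    return entry_from_peercert(tls.getpeercert(), host, port)
                return {"host": host, "port": port, "subject": "(chain not verified)", "owner": None,
                        "sha256": hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()}
        except ssl.SSLCertVerificationError:
            # Private CA, self-signed or expired: the certs an inventory must not miss,
            # so retry without verification and record at least the fingerprint.
            ctx.verify_mode = ssl.CERT_NONE
        except OSError:
            return None
    return None
```

    Feed the pairs from plan_targets() over your own ranges into fetch_certificate() on the weekly schedule; client-side certificates still need the agent-based file system scan.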

    As you’re developing your inventory, establish a correlation of who the contacts and owners are for certificates. Wherever possible assign groups as the contacts instead of individuals to avoid a single point of failure. Some helpful sources include certificate authorities, tracking spreadsheets, and even a CMDB. Define clear responsibilities for maintenance of certificate contact information.

    An important method for preventing in-service expirations is to establish a central monitoring function that ensures certificates are replaced prior to expiration by automatically notifying responsible groups. Only when the new certificate has been installed and the application has been reset to use the new certificate prior to the time of expiration is the risk of downtime averted.

    Expiration reports should be sent to certificate owners each month that show a list of all certificates expiring in the next 90 days. Individual expiration notifications should be sent if action has not been taken on an individual certificate within 30 days of expiration. If action has not been taken within 20 days prior to expiration, escalation to additional parties should be added. At 10 days from expiration, notifications should be sent to a NOC or other corporate group that is responsible for responding to the crisis until it is resolved.
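
    The notification ladder just described, as an added example (not Venafi's code): the 90/30/20/10-day thresholds are the article's, while the inventory, group names and dates are constructed. A certificate counts as actioned only once it is marked renewed, which here means the new certificate is installed and the application has been reset to use it.

```python
from datetime import date
REPORT_WINDOW, OWNER_NOTICE, ESCALATE, NOC_ALERT = 90, 30, 20, 10   # days before expiry
# Extra recipients per stage, on top of the owning group.
RECIPIENTS = {"owner": (), "escalate": ("escalation",), "noc": ("escalation", "noc"),
              "expired": ("escalation", "noc")}

def cert(name, owner, escalation, not_after, renewed=False):
    # "renewed" is True only once the new certificate is installed and the application reset.
    return {"name": name, "owner": owner, "escalation": escalation,
            "not_after": not_after, "renewed": renewed}

# Constructed sample inventory; owners and escalation contacts are groups, not individuals.
INVENTORY = [
    cert("pay.example.test", "grp-payments", "grp-appsec", date(2012, 11, 30)),
    cert("vpn.example.test", "grp-network", "grp-infra-mgmt", date(2012, 11, 15)),
    cert("mail.example.test", "grp-messaging", "grp-infra-mgmt", date(2012, 11, 8)),
    cert("api.example.test", "grp-payments", "grp-appsec", date(2012, 10, 30)),
    cert("legacy.example.test", "grp-legacy", "grp-appsec", date(2012, 10, 20)),
    cert("portal.example.test", "grp-web", "grp-appsec", date(2012, 11, 1), renewed=True),
]

def days_left(c, today):
    return (c["not_after"] - today).days

def stage_for(c, today):
    """Rung of the notification ladder a certificate sits on today, or None if no notice is due."""
    if c["renewed"]:
        return None  # action has been taken, so the risk of an in-service expiration is gone
    left = days_left(c, today)
    for limit, stage in ((-1, "expired"), (NOC_ALERT, "noc"), (ESCALATE, "escalate"), (OWNER_NOTICE, "owner")):
        if left <= limit:
            return stage
    return None

def notifications(inventory, today):
    """Individual notices due today as (name, days left, stage, recipients), most urgent first."""
    due = []
    for c in inventory:
        stage = stage_for(c, today)
        if stage:
            # c.get(k, k): "escalation" resolves to the group, the literal "noc" stays as is
            to = (c["owner"],) + tuple(c.get(k, k) for k in RECIPIENTS[stage])
            due.append((c["name"], days_left(c, today), stage, to))
    return sorted(due, key=lambda n: n[1])

def monthly_report(inventory, today):
    """Owner -> certificates expiring within the report window, for the monthly report."""
    soon = [c for c in inventory if not c["renewed"] and 0 <= days_left(c, today) <= REPORT_WINDOW]
    return {o: [c["name"] for c in soon if c["owner"] == o] for o in sorted({c["owner"] for c in soon})}
```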

    Establish standard practices for enrolment and provisioning that maximize reliability and repeatability, ensure security and compliance to policy, and minimize load on your administrators. There are easily 20 or more steps involved in issuing or renewing a certificate. These steps must be standardised and implemented in compliance with policy every time.

    Errors are inevitable when the steps outlined above are performed manually. In addition, confidently ensuring the security of the private key is very challenging when these operations are performed manually. Automated methods of certificate enrolment and provisioning exist and should be considered.

    EKCM best practice is vital if you’re to avoid the complications, embarrassment and expense of your organisation’s security being compromised. Make sure you have a clear understanding of which risks apply to your organisation. By prioritising them, and clearly communicating the importance of addressing them in your organisation, you can accelerate the implementation and adoption of best practices, since all stakeholders will understand the implications of not doing so.
    www.venafi.com