As part of Cybersecurity Awareness Month, Keyfactor is highlighting ways teams can adapt to the escalating challenge of managing certificates and machine identities in their organizations.
Until recently, public-key cryptography has been a fairly niche practice. However, with the emergence of remote work, cloud computing, and IoT devices, the volume and prevalence of certificates have exploded.
This growing vulnerability is becoming a favored attack vector among bad actors. Meanwhile, enterprises have been caught on their back foot, scrambling to assess the state of certificates across their organizations and implement long-term policies for securing and managing them.
Keyfactor’s 2022 State of Machine Identity Report revealed that enterprises have an average of 269,562 public and private certificates.
Managing public-key infrastructure (PKI) is a tall order when added to your team’s primary responsibilities. To efficiently manage and scale PKI, there are a lot of things security teams need to know –– that’s why we’ve laid out nine that you should take into consideration.
1. Visibility is key, and your team may not have the insight it thinks it does.
A 2021 report by Keyfactor and Ponemon revealed that 50% of companies don’t know exactly how many keys and certificates they have. And in Keyfactor’s 2022 State of Machine Identity Report, gaining complete visibility of all certificates was the top priority for PKI and certificate management.
This is symptomatic of PKI sprawl — various teams using different certificate authorities (21 on average) with no centralized hub for tracking and managing certificates. To compound the complexity, many organizations don’t establish clear ownership of PKI across the enterprise.
Implementing a certificate lifecycle management solution is the answer. Keyfactor Command is a certificate lifecycle management and automation solution that can be deployed on-prem, as a service, or combined with cloud-hosted private PKI (known as PKI-as-a-Service). However you choose to deploy, you’ll be able to quickly discover and manage existing certificates in your environment, then scale up PKI operations as business needs grow.
2. Managing PKI is a full-time job.
Many IT and security teams simply have too many other priorities to incorporate PKI management into their everyday responsibilities. At the end of the day, other duties are more central to the nature of their roles. PKI will take a back seat to maintaining systems, responding to incidents, and investigating alerts. According to Keyfactor’s 2022 State of Machine Identity Report:
- 65% of enterprises are concerned about the increased workload and risk of outages caused by shorter TLS certificate lifespan.
- 50% said they don’t have enough IT personnel dedicated to their PKI.
- 33% of organizations named insufficient time and budget as their biggest challenge to adopting an enterprise-wide PKI management strategy.
Meanwhile, certificate lifespans are decreasing to insulate enterprises from the threats of compromised or stolen certificates. Since 2020, 398 days has been the widely-accepted lifespan for certificates. However, many certificate authorities are adopting 90-day lifespans.
These lifespans will continue to decrease, meaning certificates will expire at a higher frequency, increasing risk exposure for organizations without a reliable system for managing PKI. Without adequate PKI resources, the whack-a-mole of keeping up with expired certificates will come at higher and higher costs.
3. Managing PKI demands PKI-specific expertise.
“Ok,” you think, “we’ll just create an internal PKI team composed of IT and security analysts we already have on staff.”
Far too often, organizations thrust PKI onto the shoulders of staff with limited (or sometimes not any) previous experience managing PKI. Though your IT and security technicians are likely plenty competent, they are starting at square zero in a constantly-shifting PKI landscape.
- The level of change and uncertainty around PKI ranked as the top challenge to adopting an enterprise-wide PKI management strategy.
- A lack of skilled personnel ranked as the second-highest challenge to adopting an enterprise-wide strategy. [Keyfactor’s 2022 State of Machine Identity Report]
The learning curve is too steep and the stakes are too high to leave your PKI in the hands of anyone who isn’t experienced and knowledgeable in the PKI realm.
Getting PKI right starts with design. However, there are a large number of PKI design aspects that, once configured, can’t be changed without a complete redeployment. These rigid aspects have significant implications for the long-term use of your PKI.
4. Manual processes make it impossible to scale PKI efficiently.
Dedicated PKI staff and resources are becoming mission-critical. If PKI must fall into the hands of IT and security professionals with other significant responsibilities, organizations must endeavor to minimize the complexity of PKI management as much as possible.
In any context, manual processes are the enemy of modernization, scale, and transformation. In a PKI context, manual processes coupled with a lack of PKI expertise create a recipe for disaster.
- The process of manually requesting, generating, and deploying a new certificate is cumbersome, especially when those doing so aren’t comfortable with PKI.
- 42% of organizations still use spreadsheets to track and manage certificates. Yet spreadsheets can’t notify you when a certificate expires or nears expiration, nor can they flag the errors that come with manual data entry.
- Manual processes lend themselves to ad-hoc, inconsistent usage by teams. This lack of standardization makes it tough to drive and scale best practices.
- When vulnerabilities are revealed, acting quickly to replace certificates is vital, yet manual processes make it impossible to respond with the necessary speed. This is especially true in the event of a CA compromise, which requires a bulk issuance of new certificates.
Automation is the answer. With a centralized PKI management platform, you don’t have to babysit your certificates. From continuous monitoring and automated alerts to API integrations to enabling end users to carry out their own certificate processes, automating PKI processes are key to enabling scale.
5. Proper PKI management is crucial for modern operational needs.
Remote work, IoT, DevOps — the traditional network perimeter is not what it once was. Team members need secure access to the systems and apps that enable their workflows. In regards to remote work and IoT, the challenge in securing devices lies in a whole new crop of conditions and factors that lie outside of your control. If someone is working remotely, the devices and networks through which they access your servers may not be up to snuff in terms of security. For IoT devices, the device must connect to a server to validate ownership, no matter where it’s activated.
For DevOps, it’s all about scale and speed. The manual PKI processes described above present a significant challenge to DevOps momentum and achieving CI/CD. A streamlined, efficient PKI can speed up development cycles while improving quality—all without sacrificing security.
6. Crypto-agility is becoming more than a nice-to-have.
No matter how hardened your security posture is today, it will deteriorate over time. New technologies and threats are always emerging. With enough time, any security implementation will fall, and no individual encryption method is invincible.
Business agility means the ability to adapt quickly with minimum disruptions. In a PKI context, crypto-agility means that your enterprise can evolve its PKI processes without disrupting the entire IT or security infrastructure. Crypto-agility allows organizations to stay ahead of vulnerabilities before they are revealed by a break, breach, or compliance penalty.
Agility and adaptability create sustainability—a long-lasting PKI architecture that can grow along with your enterprise, keep pace with heightening compliance regulations, and even contribute to innovation initiatives.
7. Good PKI starts with design.
The explosion in use cases and volume around PKI necessitates a new set of best practices. When implemented from the start, these practices can preserve the integrity of your PKI and save you from a disruptive redeployment later down the line.
With PKI, there’s no making it up as you go. You need an in-depth roadmap in hand before you take the first step.
- How is PKI used in your organization, and how will it need to be used in the future?
- What are the best policies and procedures for managing certificates across their lifecycle in your organization?
- What controls will you implement to support these policies and procedures?
- How will you capture, explain, and document changes to your plan and your PKI?
Setting up your PKI with good design is just the beginning. A PKI requires a significant amount of care and maintenance to remain functional. This is risky for security teams focused on implementing PKI but not focused on operating it indefinitely.
8. Audit, audit, audit.
When managing PKI internally, you need to build regular audits into your PKI practice. An audit should include a review and testing of everything listed in your Certificate Policy and Certificate Practice Statements (CP/CPS), business continuity, and disaster recovery plans for all PKI components. If there is a legitimate need for a change, kick off a change control to update any of the documents. Think of them as living, breathing documents that evolve to maintain the PKI’s intended level of assurance.
Organizations that schedule and conduct their own internal audits can regularly and easily identify issues, answer external auditor questions, and provide proof of the required level of assurance. PKI owners should also monitor and benchmark their enterprise PKI controls against current and emerging standards, including the CA/Browser Forum, WebTrust, and industry regulatory agencies. This helps the organization stay ahead of trends that could otherwise lead to PKI shortcomings. Another best practice is to conduct an annual PKI health check to uncover anything the organization may not have considered.
9. You can solve PKI and take it off your security team’s plate.
The resources required to design, implement, maintain, and evolve PKI internally come at a steep cost and a high technical barrier, especially amid the current cybersecurity labor shortage.
So how do you properly tackle PKI implementation, manage the widespread surge of certificates coursing through your enterprise, and scale PKI through visibility, traceability, and automation in the face of a rapidly changing landscape?
A partner with deep PKI expertise can give you a turnkey solution for implementing and operating your own internal PKI—or they can offer total PKI management as a white-glove service.
Need help advancing your cybersecurity efforts?
The risks of inadequate PKI management will only increase, but the complexity doesn’t have to. Keyfactor helps companies (including those with under-resourced teams) secure every digital key and certificate for multi-cloud enterprises, DevOps, and embedded IoT security. Click here to learn more about what we offer, including how our Cloud PKI-as-a-Service offers every organization access to an elite team of cybersecurity experts.