In today’s complex business landscape and increasingly digital world, organizations of all kinds grapple with the universal challenges of establishing trust and ensuring compliance. This is particularly true among financial services organizations.
Nevertheless, trust and compliance are essential to ongoing success. So what does it take? We sat down recently to discuss how financial services organizations can introduce scalable, flexible PKI to help meet stringent regulatory requirements while driving innovation and enhanced customer experiences, build a robust security framework based on industry best practices, and streamline identity and access management processes. Read on for a recap of our conversation, or click here to watch the full webinar.
Machine identities and how to manage them
The world around us is changing: Whereas many organizations previously ran their own data centers, securing everything within a physical perimeter, that’s not the case anymore. More and more organizations are relying on the cloud, for example through Azure, to secure resources both inside and outside the four walls of an office. And this new approach requires companies to easily identify users and devices, wherever they may be – even if they are in a completely unprotected area – and give them just enough access to carry out their jobs and nothing more. The use of identity-based certificates supports this new world.
All of this becomes especially important when we look at machine identities, which are everywhere today (think desktops, phones, IoT devices). But managing machine identities is challenging for a few reasons:
- Machine identities are often invisible, even though they play a vital role in ensuring the integrity and confidentiality of critical communications.
- Machine identities also lack clear ownership, as many teams are often not aware of how many are out there, who owns them, how they’re being used, and where they’re being used.
- Machine identities are short-lived, but they also need to be reliable and trustworthy, as they safeguard financial transactions and customer data.
Despite these challenges, getting the management of machine identities right is essential, since they strengthen the security of financial services by creating trust. When managed properly through certificates and PKI, machine identities let us know we can trust a device – that it is what it claims to be, and that it is not presenting a forged certificate.
So what does it take? There are three key aspects to certificates and PKI for machine identities:
- Issuing digital certificates: This is where things start. You have to issue proper certificates to manage the identities of users and devices appropriately – making sure they’re issued to the right people or devices and that those people and devices are authorized and trusted.
- Automating certificate lifecycle management: Next, what do you do after a certificate is issued? It has an entire lifecycle that needs managing – installing, binding, using, and revoking the certificate – and the best way to accomplish that is through automation.
- Managing digital signatures: Finally, certificates can help support digital signatures, whether that’s code signing, signing documents, or anything else.
Industry trends: common problems with machine identities
According to Keyfactor’s 2023 State of Machine Identity Management Report, the biggest pain points and challenges around machine identities for many organizations, including financial services companies, are:
- Decentralized PKI models: Oftentimes, new use cases arise, and different teams start doing things their own way. While that’s fine as a band-aid to get things moving faster, it adds up over time and creates sprawl that becomes very difficult for one person or even one team to manage. After all, it’s very challenging to regain centralized control when PKI is done differently everywhere, let alone have any visibility into what’s happening.
- Short-lived certificates: The lifespan of certificates keeps getting shorter and shorter, with the potential for a 90-day lifespan for TLS certificates on the horizon. These shorter lifespans mean certificates require more frequent attention and management.
- Key attestation requirements: New key attestation rules from the CA/Browser Forum (CA/B Forum) on how code signing keys must be protected also require more attention from security teams.
- Post-quantum revolution: Preparing for the transition to NIST-candidate quantum-safe algorithms now occupies a lot of time and energy, especially as we still don’t know the specifics around when and what that will look like.
And the complexity of today’s PKI environments only exacerbates these challenges, rather than making things easier. Some of the biggest PKI roadblocks are:
- CA and PKI sprawl: Many companies have different solutions to issue and manage certificates for each potential use case (a lot of which are also outdated). When this happens, especially in large organizations, teams end up with multiple, disparate PKI implementations, and that creates a lot of complexity as well as limited visibility. This becomes a serious issue when organizations have an average of 256,000 certificates across nine different PKI solutions.
- Self-signed certificates: Many organizations don’t even use a PKI solution for some of their use cases and use self-signed certificates instead. For example, they’ll issue a 10-year certificate just to check a box and make an application work, then forget about it. But this can cause major problems down the line – both in terms of security vulnerabilities and audit risks.
- Lack of governance: When companies have too many PKI solutions and/or don’t use one at all, maintaining control becomes nearly impossible. Let’s say there was a point solution brought on by a particular employee, but now they’re no longer with the company, and there’s an outage because something expired – does anyone have access to take control? Oftentimes the answer is no.
- Lack of expertise: Many companies are struggling to find PKI experts and end up delegating these responsibilities to people with little experience in PKI, which creates even more risk.
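The lifecycle steps listed earlier (issue, track, renew, revoke), the shrinking certificate lifespans, and the self-signed and governance roadblocks above all come down to one control a central PKI team can automate: a policy check run over the certificate inventory. The Go program below is an added example written for this recap; it is not Keyfactor code and not from the webinar. It builds a constructed sample inventory in memory with Go's standard crypto/x509 package (an internal CA, two CA-issued leaves and a 10-year self-signed leaf; every name is made up), then audits it for self-signed leaves, leaf lifetimes over a hypothetical 398-day policy ceiling, expired certificates, and certificates inside a 30-day renewal window. The 398-day and 30-day thresholds are assumptions, not values from the page.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one policy violation detected on an inventoried certificate.
type Finding struct{ Subject, Issue string }

const (
	MaxLeafLifetime = 398 * 24 * time.Hour // assumed policy ceiling for leaf certificates
	RenewalWindow   = 30 * 24 * time.Hour  // assumed: re-issue when this close to expiry
)
var serial int64 // simple increasing serial for the constructed sample certificates

// issue builds a certificate signed by parent/parentKey; a nil parent yields a
// self-signed certificate. It panics on error because it only builds sample data.
func issue(cn string, notBefore time.Time, lifetime time.Duration, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // signed with its own key: self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// IsSelfSigned: issuer equals subject and the signature verifies under the cert's own key.
func IsSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// NeedsRenewal is the automation trigger: not yet expired, but expiring inside the window.
func NeedsRenewal(c *x509.Certificate, now time.Time) bool {
	return !now.After(c.NotAfter) && now.Add(RenewalWindow).After(c.NotAfter)
}

// Audit applies the policy to every certificate in the inventory, in order.
func Audit(inventory []*x509.Certificate, now time.Time) []Finding {
	var out []Finding
	for _, c := range inventory {
		cn := c.Subject.CommonName
		if !c.IsCA && IsSelfSigned(c) {
			out = append(out, Finding{cn, "self-signed leaf: no trust chain, no revocation path"})
		}
		if life := c.NotAfter.Sub(c.NotBefore); !c.IsCA && life > MaxLeafLifetime {
			out = append(out, Finding{cn, fmt.Sprintf("lifetime of %.0f days exceeds policy", life.Hours()/24)})
		}
		switch {
		case now.After(c.NotAfter):
			out = append(out, Finding{cn, "expired: outage risk"})
		case NeedsRenewal(c, now):
			out = append(out, Finding{cn, "inside renewal window: re-issue now"})
		}
	}
	return out
}

// BuildSampleInventory constructs sample data: an internal CA, two CA-issued
// leaves (one due for renewal, one compliant) and a 10-year self-signed leaf.
func BuildSampleInventory(now time.Time) []*x509.Certificate {
	day := 24 * time.Hour
	ca, caKey := issue("Example Internal CA", now.Add(-365*day), 10*365*day, true, nil, nil)
	payments, _ := issue("payments.example.internal", now.Add(-70*day), 90*day, false, ca, caKey)
	api, _ := issue("api.example.internal", now.Add(-day), 398*day, false, ca, caKey)
	legacy, _ := issue("legacy-app.example.internal", now.Add(-3*365*day), 10*365*day, false, nil, nil)
	return []*x509.Certificate{ca, payments, api, legacy}
}

func main() {
	now := time.Now()
	fmt.Println(Audit(BuildSampleInventory(now), now))
}
```

Run it with `go run`; the findings list is what a renewal job or ticketing integration would consume. In practice the hard part is building the inventory itself, which is why the sprawl figures above matter: a check like this only covers certificates you have already discovered.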
The solution: properly managing machine identities for financial services with scalable, flexible PKI
So what’s the solution to all of this? Scalable and flexible PKI, which can support a variety of use cases, secure new applications, workforces, devices, and infrastructure, and reduce complexity overall. Ultimately, the right PKI setup provides full visibility and control over your environment.
A scalable and flexible PKI solution allows administrators to easily track, monitor, and update certificates across various devices and product lines. It supports lifecycle management, automated renewal processes, and the ability to revoke and replace compromised or outdated certificates. Additionally, it integrates with existing security frameworks and tools to streamline workflows and ensure seamless operability – especially for code signing, which minimizes the risk of running malicious software and secures all new releases for customer-facing apps. And perhaps most importantly, it uses automation to keep pace, as manual certificate provisioning and management become impractical and error-prone at scale.
Of course, it’s not just about having the right PKI solution in place: Organizations also need proper management. That’s where we see teams taking back PKI as a central function, making it an internal shared service to provide everyone across the organization with controlled, reliable, and automated services that are easy to monitor. This approach not only reduces risk, but it also saves time and money.
All of this is particularly important in financial services, where organizations must not only secure typical IT use cases like email, but also internal banking applications, transactions, payment processing, and more.
Case study: EQ Bank empowers security and DevOps to move faster
EQ Bank operates largely electronically and identified PKI as a key security pillar for the organization. Unfortunately, it had a very dispersed PKI footprint consisting of point solutions that were hard to manage. Specifically, the bank had difficulty getting an accurate inventory of its certificates, struggled to handle internal requests, and didn’t feel well-positioned to pass audits.
To turn the situation around, EQ Bank implemented Keyfactor as a central shared service to support all of their certificate lifecycle management. Keyfactor allowed them to streamline the process of issuing certificates by automating everything from putting certificates into production to rotating and renewing them. As a result, they no longer do manual tracking and have avoided outages due to expired certificates. They also now have a quick and easy way to take inventory of all internal and external certificates, plus their DevOps team can automate the issuance and rotation of certificates across their Docker containers, Azure Kubernetes Service, and Istio service mesh deployments. Now, the bank views PKI as a much stronger layer of security and knows they are in a good position to pass audits.
Accessing critical PKI capabilities for financial services
Financial services organizations must get ahead of potential security risks by implementing a scalable, flexible PKI program sooner rather than later. Being proactive in this area, particularly when it comes to running your own audits and fixing any issues, is critical to minimizing risk.
This proactivity starts by replacing static, manual processes with dynamic, automated security that makes it easy to identify and manage certificates throughout their entire lifecycle. It also requires the right team to manage that solution so that you can ensure every workload, device, and software deliverable is authenticated, and so you can maintain the visibility and reliability you need to avoid outages.
Interested in learning more about what it takes and how Keyfactor can help financial services organizations prioritize PKI? Click here to watch the full webinar for a deeper discussion, including an in-depth look at Keyfactor Signum, which is now available on Microsoft Azure for developers to easily and securely sign code and containers without any disruptions to productivity.
Subscribe to The Source, Keyfactor’s identity-first security newsletter, to get helpful resources and insightful perspectives from cybersecurity leaders delivered to your inbox every month.