As the enterprise IT landscape has emerged in hybrid and distributed models across the globe, managing digital certificates across the cloud, firewalls, and applications, be it internal or external; data centers have become increasingly complex. Manual certificate processes and legacy management are further intensifying the problem, resulting in frequent application outages and increased vulnerabilities that, in turn, impact the security scorecard of an organization and disrupt CIA triads.
With an industry experience of more than two decades, I can say aloud and request leaders to avoid fundamental pitfalls that often hamper organizations from achieving the level of digital trust required to safeguard sensitive information and maintain a secure, hygienic environment. Few of them noticeably are-
- Digital certificates are managed within spreadsheets and notepads. -Say a big No to the manual process.
- The same certificate and key are used across multiple use cases. – If a single key is compromised, it can provide unauthorized access to multiple systems, causing a high risk of security breach.
- No certificate expiry notifications – This can result in unexpected outages more than we realize.
- Critical storage practices are poor – The tendency for most of us to place private keys in insecure locations causes potential unauthorized access. Robust key storage locations such as FIPS 140-2 Compliant HSM should be practiced.
Ninety days of SSL/TLS Validity is coming our way…?
The number of Digital certificates that were there during the last two decades versus today’s fast-growing technology world has skyrocketed & since then, we have witnessed the life span of certificates trend shrinking from 7 years to 5 years followed by three years and literally one year now & most likely in times to come it might be just 90 days only (it’s not a typo error, smiles) if Certification Authority Browser (CA/B) Forum proposal passes. However, this trend makes it harder for attackers to exploit fraudulent certificates. Still, the cost of operational and service downtime and recent incidents involving industry biggies have highlighted the significance of managing digital certificates in an automated way, which guardians of secure digital communications often overlook; these incidents raise the red alarm that no entity, regardless of whatever annual turnover it may have is immune to consequences of expired certificates.
Pay attention to NIST – it’s time to focus on visibility!
In 2020, the National Institute of Standards and Technology (NIST) published Special Publication 1800-16: Securing Web Transactions, TLS Server Certificate Management; this framework emphasizes that organizations need to carry out fundamental certificate life cycle management tasks, such as
- Finding flaws in cryptographic methods or software libraries.
- Identifying expiring certificates and replacing them.
- A single central inventory is recommended, as it minimizes the possibility of overlooking critical TLS server certificates.
Using the power of automation in Handling Certificates makes IT professionals better
The need to issue, renew, and revoke certificates makes automated Certificate Life cycle management (CLM) necessary. Modern CLM tools are essentials nowadays, and in times to come, they will be a must-to-have rather than a good-to-have from a budgeting forecast perspective and with apparent reasons for enabling the IT workforce to put their expertise on elsewhere productive things like business process automation, etc., rather than spending massive time on manual processes. Accepting automation can feel like a leap of faith for a few organizations, but as certificate numbers continue to grow, the risks associated with manual work will become evident.
Cyber security hygiene and etiquette are in our genes – No choice moving forward
We all have witnessed an increase in numerous outages, service downtime, and exfiltration happening majorly across all different industries and sectors during the last few years, and I would not talk about various IT tools, be it SIEM, PAM, ZTNA, MDR, EDR, XDR, etc. which is of-course essential depending on business information sensitivity; however, fundamentally, it is our right to follow simple benchmark guidelines & should adhere to security etiquettes in our genes such as hardening systems, zero trust, conditional access, having only required licensed software, permitting only OEM recommended browsers which should have auto-update enabled, turning windows firewall to always ON, be it on any endpoints or servers, encrypting devices, allowing only role-based access control with just in time access / denying privilege account to login on odd-hours. Bring in two-tier access control and strict no domain admin eco system, no internet on servers unless recommended. Let us embrace this as it would provide sound sleep for techies guys.
Interestingly, the future of security is passwordless authentication only for the majority of the IT Enterprise landscape (Millennials would love not to use the traditional approach of complex passwords) and enforcing Data classification at whatever channels we can, thereby protecting and safeguarding humongous tera bytes from exfiltration; this would reduce attack surface & will maintain CIA triads.
Let us confidently navigate and browse the online world and keep customers happy and secure. Signing off as of now and continue to excel in automation and keep things around us safe, digitally or otherwise.