digital certificate management – best practices to avoid outages and data breaches


Upload: michael-kubach

Post on 22-Jan-2018


Page 1: Digital Certificate Management – Best Practices to Avoid Outages and Data Breaches

Digital Certificates Management: Best Practices to Avoid Outages and Data Breaches

Michael Kubach

Software Engineer

Certified Security Solutions


Page 2

The Problem

© 2015 Certified Security Solutions, Inc. 2

Page 3

Agenda

Typical certificate usage

Why use certificates

The growing use of certificates

Costs & impacts related to certificate issues

Challenges of managing a high volume of certificates

Managing certificates is critical

Certificate management best practices

Tips for evaluating certificate management software


Page 4

Typical certificate usage


Use Case / Options

Authentication (devices, software, users): passwords, fingerprint, facial and voice recognition, biometrics, tokens, human manual verification, smart cards, PINs, time stamps, certificates

Encryption (data at rest / in motion): certificates

Signature (verify authenticity of software and data): certificates

Many technologies exist. Certificates are often selected because of the value they add.

Page 5

Why use certificates?

• Flexible for many Use Cases (Enterprise + IoT)

• Transactional / sensitive websites

• Passwords were the traditional way to ensure security

• Many companies continue to rely solely on passwords for some use cases

• Multi-factor authentication becoming an increasing need (Often a regulatory requirement)

• Traditionally used to secure enterprise system resources

• Some IoT devices cannot accommodate traditional IAM methods (Need a small footprint)

• Proactive organizations are increasingly adding certificates to their holistic security approach


Page 6

The growing use of certificates

• The value / fit for specific Use Cases (As noted above)

• Evolving IoT/IoE (New products / retrofit security into existing products)

• Industrial Internet

• Additional layer of security for enterprise systems

• Minimize fraud with stronger binding to identity

• Provide integrity to documents and emails through digital signatures

• Provide confidentiality through encryption (Disk/file encryption, S/MIME, etc.)

• Supports multi-factor authentication (Smart Card, Virtual Smart Card, SSL Mutual Authentication, etc.)

• Provide non-repudiation of transactions so people cannot deny their involvement in an electronic transaction

• Helps control application execution through code signing


Page 7

Costs related to digital certificate issues


Page 8

Impacts related to digital certificate issues

Outage

• e-commerce site – Lost money

• Lack of product access – Reimburse for customer downtime

• Reputation damage / loss of trust

Breach

• Reputation damage / loss of trust

• Fines

• Legal fees

• Credit monitoring


When Amazon.com failed for 49 minutes in 2013, Amazon lost nearly $7.25 million.

Page 9

Page 10

Page 11

Challenges of managing a high volume of certificates

Volume

o A few purchased certificates are easy to track

o But at 100+ or 1M+, they are harder to track and manage – risky to manage on a spreadsheet

o Industrial Internet

Use Cases (Multiple things need encryption, authentication, and signature)

o Enterprise

o IoT / IoE: Devices, data, software

o Industrial Internet

Multiple Certificate Sources

o Purchased from third-party Certificate Authorities

o Internally generated from own Certificate Authorities


Page 12

Managing certificates is critical

Certificate management is especially critical for

o Large, growing numbers of certificates (100+)

o Across multiple sources

o For multiple use cases (Mergers and acquisitions for enterprise systems, growth in IoT opportunities)

It’s not about the millions you manage effectively every day

o It’s about the 1 that expired

o It’s about the other 1 that was improperly issued

Just 1 oversight can lead to a costly mess

o Improperly-issued certificates can allow hackers to spoof content or perform phishing and man-in-the-middle attacks

o Expired certificates cause costly outages. Not to mention that manual certificate tracking and management functions are time-consuming and error-prone


Page 13

Certificate management best practices

Step away from your certificate spreadsheet; automate certificate management processes

You need 3-D radar for your entire world of certificates to avoid:

o Costly outages due to certificate and CRL expiration

o Breaches from improperly-issued certificates

Make your certificate management processes:

o Proactive

o Efficient

o Effective

o Cost-effective

o Scalable


Implement software

Page 14

Certificate management software helps

Improve availability through the following monitoring options:

o Certificate Revocation List (CRL) access and validity

o Certificate expiration

o Ability to monitor Certificate Authority (CA) uptime

o Across all certificate sources (Public + private)

Provide the following benefits through reporting and alerts:

o Identification of anomalous certificate enrollments

o Identification of certificate expiration trends

Provides additional security by supporting on-device key generation

Helps manage the certificate lifecycle through custom workflows

Provides customization opportunities through exposed APIs to support flexible workflow definition
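Page 12 names the two certificates that hurt (the one that expired, the one that was improperly issued) and page 14 the monitoring that catches them: expiration, CRL validity, anomalous enrollments, across public and private sources. The script below is an added illustration of that monitoring logic, not code from this deck or from CSS's product; the certificate inventory, CA names, CRL dates, approved-issuer list and reference clock are all constructed, and it relies only on the standard library's ssl.cert_time_to_seconds to parse the OpenSSL-style notAfter/nextUpdate strings.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory in the shape of ssl.SSLSocket.getpeercert() fields,
# each tagged with the source it was collected from (public vs. internal CA).
CERT_INVENTORY = [
    {"source": "public", "subject": "shop.example.com", "issuer": "Public CA 1",
     "notAfter": "Mar 10 12:00:00 2025 GMT"},
    {"source": "internal", "subject": "api.corp.example", "issuer": "Corp Issuing CA",
     "notAfter": "Feb 20 09:30:00 2025 GMT"},
    {"source": "internal", "subject": "legacy.corp.example", "issuer": "Corp Issuing CA",
     "notAfter": "Jan 05 00:00:00 2025 GMT"},
    # Duplicate name from a CA nobody approved: the "improperly issued" case.
    {"source": "unknown", "subject": "shop.example.com", "issuer": "Some Other CA",
     "notAfter": "Dec 01 00:00:00 2025 GMT"},
]
# Constructed CRL metadata per issuing CA (nextUpdate as published in the CRL).
CRL_INVENTORY = [
    {"issuer": "Public CA 1", "nextUpdate": "Apr 01 00:00:00 2025 GMT"},
    {"issuer": "Corp Issuing CA", "nextUpdate": "Feb 10 00:00:00 2025 GMT"},
]
APPROVED_ISSUERS = {"Public CA 1", "Corp Issuing CA"}
NOW = datetime(2025, 2, 15, tzinfo=timezone.utc)  # fixed clock for a repeatable run

def days_until(cert_time, now):
    """Days from `now` until an OpenSSL-style time string; negative if already past."""
    return (ssl.cert_time_to_seconds(cert_time) - now.timestamp()) / 86400

def check_inventory(certs, crls, approved, now, warn_days=30, critical_days=7):
    """Return (severity, name, detail) findings, most urgent first."""
    findings = []
    for c in certs:
        d = days_until(c["notAfter"], now)
        sev = ("EXPIRED" if d < 0 else "CRITICAL" if d < critical_days
               else "WARNING" if d < warn_days else None)
        if sev:
            findings.append((sev, c["subject"], f"{c['source']} cert, {d:.1f} days left"))
        if c["issuer"] not in approved:  # enrollment from an issuer outside policy
            findings.append(("ANOMALOUS", c["subject"], f"issued by unapproved CA '{c['issuer']}'"))
    for crl in crls:  # a CRL past nextUpdate makes revocation checks fail or go soft
        d = days_until(crl["nextUpdate"], now)
        if d < 0:
            findings.append(("CRL_STALE", crl["issuer"], f"CRL overdue by {-d:.1f} days"))
    rank = {"EXPIRED": 0, "CRL_STALE": 1, "ANOMALOUS": 2, "CRITICAL": 3, "WARNING": 4}
    return sorted(findings, key=lambda f: rank[f[0]])

if __name__ == "__main__":
    for sev, name, detail in check_inventory(CERT_INVENTORY, CRL_INVENTORY, APPROVED_ISSUERS, NOW):
        print(f"{sev:<9} {name:<22} {detail}")
```

In practice the inventory would be fed from every source the deck lists (purchased and internal CAs), and the thresholds tuned to how long renewal actually takes in your environment.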


Page 15

Evaluating certificate management software

It’s hard to compare apples-to-apples. Vendors offer different flavors.

Make your comparison realistic.

Know your number (or anticipated future number) of certificates to manage

Does the vendor offer “free” or “discounted” software to balance expensive per-certificate management fees?

What’s the per-certificate cost to manage certificate functions?

Does the software only manage certificates from specific sources?

What workflows does it automate?

Does the vendor offer other services from a single source?

o Managed PKI

o PKI Design & Deployment


Page 16

Thank You!

Michael Kubach

Software Engineer

Certified Security Solutions

[email protected]

https://www.linkedin.com/in/michaelkubach

CSS is committed to simplifying the proper application of digital security to protect our clients’ identities, data, and business processes.

Contact CSS to help with:

• Certificate Management Software

• PKI Managed Services

• PKI Professional Services

css-security.com

Page 17

Q&A