(Ping! Zine Issue 56) – Given the proliferation of valuable and often regulated information, organizations strive to carefully conceal it behind the best security technologies available. However, data remains only as secure as the encryption keys and certificates that safeguard it. And here lies the problem – enterprise key and certificate management (EKCM) is extremely complex. With hundreds of different companies providing these services, and even variable technologies used internally within organizations, EKCM is considered by those working in the IT space as a black art. Venafi’s EMEA Director Calum MacLeod takes a closer look at what’s needed to master this discipline.
Data leaks can ruin an organization’s reputation, expose it to draconian fines, and even result in expensive legal tussles. In an effort to deflect the explosion of threats enterprises face, many are deploying encryption on a vast scale, installing tens or hundreds of thousands of SSL certificates and encryption keys to secure valuable data.
However, with everyone exposed to encryption today, especially in business, it is increasingly untenable for organizations to have one central team managing the escalating encryption assets across the whole infrastructure. This means that, rather than EKCM remaining the domain of a technical expert, it is instead being delegated to business owners. And it’s this trend that’s causing organizations to lose sleep – and data!
From a logical point of view it would make sense for the business owner to determine the data’s value to the organization and how to protect it. However, EKCM is complex, even for those working within IT. For the average user, it might as well be a foreign language.
For a start there are hundreds of different companies providing PKI services (public key infrastructure – a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates). Even internally within an organization there can be dozens of different technologies that have to be managed.
Next is the language used, since EKCM has historically been the domain of a technical expert. It’s a minefield of CAs, VAs and RAs, offering SSLs, DNs, CNs and hashing algorithms – and that’s just the tip of the acronym iceberg. For someone who lives, eats and breathes IT it’s complex, but for average users who have to deal with it once, or perhaps twice, a year as certificates come up for renewal, it is mind-blowing. And if that weren’t enough, every different system has its own unique way of requesting the relevant information.
In summary, the problem is that all too often the user is faced with a very complex interface, littered with acronyms, requesting a myriad of information that changes from supplier to supplier, leaving these non-technical users confused and frustrated.
Complexity Made Simple
There are companies that offer a ‘subscription service’ that facilitates the purchase of certificates from each of the various certificate authorities. However, even this is complex, as the user is eventually just given access to the portals of the various vendors, albeit from a central point. They then still have to decipher each site, separate the relevant information from the marketing hype, and determine which information goes in which field. With all of the different acronyms and idiosyncrasies, this is easier said than done.
It’s time the PKI industry took a leaf out of the banking sector’s book. Once it became possible to withdraw money from a ‘hole in the wall’, banks couldn’t present users with the whole banking system; instead it had to be a simple-to-use interface that anyone on the street could use.
An ATM (automatic teller machine) is, on the face of it, just that. It asks in plain English what the user wants and gives it to them. Imagine how different it would be if the average person on the street had to navigate their way through the entire complex banking system powering these ‘interfaces’ to withdraw cash, and if it changed from machine to machine. Banks couldn’t afford to have someone standing next to each device explaining how to withdraw money. Instead it had to be simple, intuitive, serve the purpose and be reliable.
Keeping it neat and tidy
Organizations want average users to take ownership of their encryption assets, but that means giving them the means to manage encryption. It’s impractical to train non-technical users to work with complex systems, especially when those systems vary from vendor to vendor and are used only occasionally. It all has to be logical and it all has to be simple.
• Make it easy to manage – just like an ATM, EKCM needs a single generic interface where users can request and receive certificates, regardless of provider.
• Secure access – as long as people are involved there is always risk. Private keys used with certificates must be kept secure or unauthorized individuals can access confidential information. Direct administrative access to private keys should be eliminated wherever possible.
• Keep it tidy – Keep your certificate validity periods to a maximum of one year. Organizations should also be managing revocations to ensure that they are protected, rather than relying on third parties to do this for them!
• Close security holes – Do you know where every hole is that malware can sneak in through? Probably not. The malware is looking to hide itself among the tens of thousands of certificates in the infrastructure and only needs a tiny hole to get in.
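As an added example (not code from the article or from Venafi), the following Go program turns the ‘keep it tidy’ rule above into a check that can be run over an inventory of parsed certificates: it flags any certificate whose validity period exceeds one year, any that has already expired, and any that falls inside an assumed 30-day renewal window. The sample certificates are constructed self-signed ones so the check runs offline; the 30-day window and the helper names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const (
	day           = 24 * time.Hour
	maxValidity   = 365 * day // the article's ceiling: no certificate should live longer than one year
	renewalWindow = 30 * day  // assumed value: flag anything the owner must renew within 30 days
)

// CheckCertPolicy returns the policy findings for one parsed certificate as of "now".
func CheckCertPolicy(cert *x509.Certificate, now time.Time) []string {
	var findings []string
	if life := cert.NotAfter.Sub(cert.NotBefore); life > maxValidity {
		findings = append(findings, fmt.Sprintf("validity of %.0f days exceeds one year", life.Hours()/24))
	}
	switch {
	case now.After(cert.NotAfter):
		findings = append(findings, "expired")
	case cert.NotAfter.Sub(now) < renewalWindow:
		findings = append(findings, "expires within renewal window")
	}
	return findings
}

// newSampleCert builds a constructed self-signed certificate so the check can run offline.
func newSampleCert(cn string, notBefore time.Time, life time.Duration) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(life),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Pointing `CheckCertPolicy` at certificates read from disk or from a TLS handshake instead of `newSampleCert` gives a first pass at the inventory the article says business owners now need.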
The time has come to decipher the black art of keeping data secure, remove the secrecy, confusion and complexity associated with the practice, and instead allow users to focus on the essentials – acquiring, renewing and cancelling certificates and protecting their data.