Given the proliferation of valuable and often regulated information, organisations strive to conceal it behind the best security technologies available. However, data is only as secure as the encryption keys and certificates that safeguard it. And here lies the problem: enterprise key and certificate management (EKCM) is extremely complex. With hundreds of different companies providing these services, and a variable mix of technologies in use inside organisations, EKCM is regarded by many IT practitioners as a black art. Venafi’s Calum MacLeod takes a closer look at what’s needed to master this discipline.
Data leaks can ruin an organisation’s reputation, expose it to draconian fines, and even result in expensive legal tussles. In an effort to counter the ever-growing range of threats they face, many enterprises are deploying encryption on a vast scale, installing tens or hundreds of thousands of SSL certificates and encryption keys to secure valuable data.
However, now that encryption touches everyone in the business, it is increasingly untenable for a single central team to manage the escalating number of encryption assets across the whole infrastructure. Rather than enterprise key and certificate management (EKCM) remaining the domain of a technical expert, it is instead being delegated to business owners. And it’s this trend that’s causing organisations to lose sleep, and data!
Simple Complexity
It makes sense that the best person to determine something’s worth is its owner and that, by the same token, the best person to appoint as the protector of something valuable is its owner. However, as already noted, EKCM is complex, even for those working within IT. For the average user, it might as well be a foreign language.
For a start there are hundreds of different companies providing PKI services (public key infrastructure - a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates). Even internally within an organisation there can be dozens of different technologies that have to be learned.
Next is the language, which historically has been the domain of technical experts. It’s a minefield of CAs, RAs and VAs (certificate, registration and validation authorities) issuing SSL certificates, of DNs and CNs (distinguished and common names), and of hashing algorithms, and that’s just the tip of the acronym iceberg. For someone who lives, eats and breathes IT it’s complex, but for average users who have to deal with it only once or twice a year, as certificates come up for renewal, it is mind-blowing.
Of course, if that’s not enough, to add to the melting pot is the fact that every different system has its own unique way of requesting the relevant information. For example, Verisign might ask for a [INSERT SOMETHING APPROPRIATE], but then Globalsign will ask for a [INSERT SOMETHING APPROPRIATE]. The trained eye will have spotted that these are both looking for the same thing!
In summary, the problem is that all too often the user is faced with a very complex interface, littered with acronyms, requesting a myriad of information that changes from supplier to supplier, leaving non-technical users confused and frustrated.
Complexity Made Simple
There are companies that offer a ‘subscription service’ that facilitates the purchase of certificates from each of the various certificate authorities, be it Verisign, Comodo or Globalsign. However, even this is complex, as the user is eventually just given access to the portals of the various vendors, albeit from a central point. They still have to decipher each site, separate relevant information from marketing hype, and determine which information goes in which field. With all of the different acronyms and idiosyncrasies, this is easier said than done.
It’s time the PKI industry took a leaf out of the banking sector’s book. Once it became possible to withdraw money from a ‘hole in the wall’, banks could not present users with the whole banking system; instead, they needed an interface that anyone on the street could use.
On the face of it, an ATM (automated teller machine) is just that. It asks in plain English what the user wants and gives it to them. Imagine how different it would be if the average Joe on the street had to navigate the entire complex banking system behind these ‘interfaces’ just to withdraw cash, and if it changed from machine to machine. The banks couldn’t afford to have someone standing next to each device explaining how to withdraw money. Instead it had to be simple, intuitive, fit for purpose and reliable.
Keeping it neat and tidy
Organisations want average users to take ownership of their encryption assets, but that means giving them the means to manage encryption. It’s impractical to train non-technical users on complex systems that vary from vendor to vendor and are used only occasionally. It all has to be logical and it all has to be simple.
Make it easy to manage – just like an ATM, EKCM needs a single generic interface where users can request and receive certificates, regardless of provider.
Secure access – as long as people are involved there is always risk. Private keys used with certificates must be kept secure: anyone who obtains a private key can impersonate the system it identifies and, depending on how the key is used, read the confidential information it protects. Direct administrative access to private keys should be eliminated wherever possible.
Keep the garden tidy – keep certificate validity periods to a maximum of one year. Organisations should also manage revocations themselves, to ensure they are protected, rather than relying on third parties to do it for them!
Close security holes – do you know where every hole is through which malware can sneak in? Probably not. Malware looks to hide itself among the tens of thousands of certificates in your infrastructure, and only needs a hole about the size of a dime to get in.
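The ‘keep the garden tidy’ and ‘close security holes’ points above come down to knowing what is in your certificate estate and checking it against a policy. The following is an added example, not code from the article or from Venafi: a standard-library Python script that reads the validity period and signature algorithm straight out of DER-encoded certificates and flags any that exceed the one-year limit, have already expired, or are close to expiry. The 30-day renewal warning and the SHA-1 check are additions of mine, not rules from the article. The certificates it scans are constructed inside the script (unsigned skeletons with empty names and keys, labelled as such) so that it runs offline; the parser reads the same fields from real DER certificates, but it performs no signature or chain verification.

```python
"""Certificate hygiene check over a constructed inventory (standard library only).

Walks just enough DER to read notBefore, notAfter and the signature algorithm of
an X.509 certificate, then applies the policy: validity at most 365 days, warn
30 days before expiry, report expired and SHA-1-signed certificates.
"""
from datetime import datetime, timedelta, timezone

# Value octets of the signature-algorithm OIDs this check recognises.
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SHA1_WITH_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
OID_NAMES = {SHA256_WITH_RSA: "sha256WithRSAEncryption",
             SHA1_WITH_RSA: "sha1WithRSAEncryption"}
MAX_VALIDITY_DAYS = 365    # the article's one-year ceiling
RENEWAL_WARNING_DAYS = 30  # assumed renewal lead time, not from the article


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode an X.509 Time (UTCTime or GeneralizedTime) to an aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    elif tag != 0x18:  # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_certificate(der):
    """Return (not_before, not_after, signature_algorithm_name) for a DER cert."""
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0        # skip the optional [0] EXPLICIT version
    _, _, pos = _read_tlv(tbs, pos)        # serialNumber INTEGER
    _, sig_alg, pos = _read_tlv(tbs, pos)  # signature AlgorithmIdentifier
    _, oid, _ = _read_tlv(sig_alg, 0)      # its first element is the algorithm OID
    _, _, pos = _read_tlv(tbs, pos)        # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)   # validity SEQUENCE { Time, Time }
    tag_nb, nb, vpos = _read_tlv(validity, 0)
    tag_na, na, _ = _read_tlv(validity, vpos)
    return _parse_time(tag_nb, nb), _parse_time(tag_na, na), OID_NAMES.get(oid, oid.hex())


def check_certificate(der, now):
    """Return the list of policy findings for one certificate ([] means clean)."""
    not_before, not_after, sig_alg = parse_certificate(der)
    findings = []
    lifetime = (not_after - not_before).days
    if lifetime > MAX_VALIDITY_DAYS:
        findings.append("validity period %d days exceeds %d" % (lifetime, MAX_VALIDITY_DAYS))
    if not_after < now:
        findings.append("expired on %s" % not_after.date())
    elif not_after - now <= timedelta(days=RENEWAL_WARNING_DAYS):
        findings.append("expires within %d days (%s)" % (RENEWAL_WARNING_DAYS, not_after.date()))
    if sig_alg == "sha1WithRSAEncryption":
        findings.append("signed with SHA-1")
    return findings


# --- constructed sample inventory: unsigned skeleton certificates, empty names and keys ---
def _der(tag, content):
    """Encode one DER element with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_test_certificate(not_before, not_after, sig_oid):
    """Structurally valid certificate carrying only the fields the check reads (test data)."""
    utc = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))        # AlgorithmIdentifier
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                # version v3
                     + _der(0x02, b"\x01") + alg                    # serialNumber, signature
                     + _der(0x30, b"")                               # issuer (empty Name)
                     + _der(0x30, utc(not_before) + utc(not_after))  # validity
                     + _der(0x30, b"") + _der(0x30, b""))            # subject, subjectPublicKeyInfo
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))               # signatureValue (empty)


def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _d(2024, 6, 1)  # fixed "today" so the results are reproducible
INVENTORY = {
    "www.example.test (2-year)": make_test_certificate(_d(2023, 1, 1), _d(2025, 1, 1), SHA256_WITH_RSA),
    "api.example.test (90-day)": make_test_certificate(_d(2024, 5, 1), _d(2024, 7, 30), SHA256_WITH_RSA),
    "renew.example.test (expiring)": make_test_certificate(_d(2024, 3, 15), _d(2024, 6, 13), SHA256_WITH_RSA),
    "legacy.example.test (sha1)": make_test_certificate(_d(2024, 1, 1), _d(2024, 5, 1), SHA1_WITH_RSA),
}


def audit(inventory, now=NOW):
    """Map each inventory entry to its list of findings."""
    return {name: check_certificate(der, now) for name, der in inventory.items()}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print("%-32s %s" % (name, "; ".join(findings) or "ok"))
```

Running it prints one line per certificate with its findings. In a real deployment the inventory would be populated from key stores, web servers and load balancers rather than built in the script, and the output would feed the renewal and revocation workflow instead of being read by eye; an entry that turns up in the scan but in no one's inventory is exactly the kind of hole the last point above warns about.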
The time has come to decipher the black art of PKI, to remove the secrecy, confusion and complexity associated with the practice, and instead allow users to focus on the essentials: acquiring, renewing and revoking certificates, and protecting their data.