Not too long ago, AppViewX CERT+ was named in a comprehensive research report released by Gartner, arguably one of the most respected and trusted analyst firms in the world. The report precisely summarizes the issues faced by security leaders today in managing the certificates associated with their organizations, and the steps they can take towards remedying them.
Introduction: A Growing Need for Automated Management
The report starts off by delving into the ever-expanding purview of digital certificates and their rapid proliferation across security setups, where they act as critical mechanisms that encrypt machine-to-machine and program-to-program communications. Naturally, with increased use comes a need for continuous innovation to prevent malicious agents from using them against the very systems they were meant to protect. This is a double-edged sword – as the complexity of the underlying technology increases, so does the effort required to manage it efficiently.
With increasing complexity and volume being the core issues the report focuses on, it stresses the need for proper management to ensure that mishaps stay a distant possibility. Furthermore, the emergence of cutting-edge technology that requires PKI for encryption reaffirms the critical requirement for robust management. Why? Because unmanaged (or poorly managed) certificate infrastructures are accompanied by a host of problems – unplanned expiry, the existence of rogue certificates (undocumented certificates requested by individual business units or employees), an inability to enforce compliance, and a severely crippled ability to enforce crypto-agility.
Here’s an example. How would an administrator migrate a thousand certificates running on, say, TLS 1.0, to the latest version, TLS 1.3? An administrator using spreadsheets to manage PKI would be at an utter loss. He’d have to find each one, revoke it, and send an individual request to each issuing CA. The process could take days. On the other hand, using a certificate management system, the entire process can be automated and wrapped up in a couple of hours.
The Drawbacks of Legacy Management Methods
In order to understand the predicament better, let’s look at the consequences of running into common certificate issues, such as:
Unplanned Expiry: When a certificate expires without the administrator’s knowledge, it’s often because said administrator has no alert system in place to initiate a renewal process. Shrinking validity periods complicate this issue further. Browsers are quick to reject the legitimacy of a website with an invalid certificate – this means they throw warnings at visitors the moment your certificate expires. This is a significant blow to your brand, and it also turns away visitors who intend to make transactions on your site.
Deprecation of Protocols: When protocols like TLS are revised to a new version, governing bodies set deadlines for organizations to upgrade to them. The deadline notwithstanding, it is still imperative for the upgrades to be made, to prevent hackers from taking advantage of an old, insecure security measure. In such cases, PKI teams are expected to migrate entire batches of certificates from the old protocol to the new one, failing which every single endpoint leveraging them is at risk of being compromised and acting as a back-door to an infiltration or data-exfiltration operation.
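The alerting gap described under Unplanned Expiry, and the need to know which TLS version each endpoint negotiates, both come down to having an inventory with expiry dates and a check that runs against it. The following is an added example written for this post, not code from AppViewX or from the Gartner report: it uses only the Python standard library, takes inventory records in the shape `ssl.SSLSocket.getpeercert()` returns, and flags certificates by days remaining. The alert thresholds, the `.example.test` hosts and the reference time are constructed assumptions; `fetch_cert` is the one function that needs a network, and it is not called by the offline run.

```python
import socket
import ssl
from datetime import datetime, timezone

# Alert tiers by days remaining (assumed values for this example, not from the report).
ALERT_TIERS = (("critical", 7), ("warning", 30), ("notice", 60))
SEVERITY_ORDER = {"expired": 0, "critical": 1, "warning": 2, "notice": 3}


def fetch_cert(host, port=443, timeout=5.0):
    """Discovery helper: negotiate TLS with an endpoint and record its leaf
    certificate's notAfter and the TLS version actually used. Needs network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "host": host,
                "port": port,
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "notAfter": cert["notAfter"],   # e.g. 'Oct  5 12:00:00 2019 GMT'
                "tls_version": tls.version(),    # e.g. 'TLSv1.3'
            }


def days_until_expiry(not_after, now):
    """Convert getpeercert()'s notAfter string to days left relative to `now` (UTC)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400.0


def classify(days_left):
    """Map days remaining to an alert level; 'ok' means no action needed yet."""
    if days_left <= 0:
        return "expired"
    for level, threshold in ALERT_TIERS:
        if days_left <= threshold:
            return level
    return "ok"


def expiry_report(inventory, now):
    """Return the records that need attention, most urgent first."""
    findings = []
    for rec in inventory:
        days = days_until_expiry(rec["notAfter"], now)
        level = classify(days)
        if level != "ok":
            findings.append({**rec, "days_left": round(days, 1), "level": level})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["level"]], f["days_left"]))
    return findings


# Constructed inventory, as a discovery scan would have produced it.
NOW = datetime(2019, 10, 3, 12, 0, 0, tzinfo=timezone.utc)  # constructed reference time
SAMPLE_INVENTORY = [
    {"host": "shop.example.test", "port": 443, "notAfter": "Oct  5 12:00:00 2019 GMT", "tls_version": "TLSv1.2"},
    {"host": "api.example.test", "port": 8443, "notAfter": "Nov  1 12:00:00 2019 GMT", "tls_version": "TLSv1.3"},
    {"host": "old.example.test", "port": 443, "notAfter": "Sep 30 12:00:00 2019 GMT", "tls_version": "TLSv1"},
    {"host": "intranet.example.test", "port": 443, "notAfter": "Jan 15 12:00:00 2020 GMT", "tls_version": "TLSv1.2"},
]


if __name__ == "__main__":
    for f in expiry_report(SAMPLE_INVENTORY, NOW):
        print(f"{f['level']:8s} {f['host']}:{f['port']} {f['days_left']:+.1f} days ({f['tls_version']})")
```

Running the offline report lists the already-expired host first, then the one due in two days, then the one due in 29 days; the host with over 100 days left is not reported. Recording `tls_version` alongside `notAfter` during discovery is what lets the same inventory drive a protocol-deprecation migration later, since the endpoints still negotiating an old version are already known.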
A Pressing Need for Management Tools
Now that we’ve made you rethink the idea of using spreadsheets or manual management methods, you’ll want to know what exactly a dedicated certificate management/automation tool can give you, and what pain points it solves. While the report takes a deep dive into these issues, we can tell you that certificate management tools offer a few valuable functions:
- CA-agnostic Certificate Discovery and Location
- Cross-network Inventory
- Single-window Monitoring and Management
- Automation of Certificate Processes (Renewal, Installation, Revocation)
Gartner also provides valuable recommendations for security leaders regarding the implementation, management, and use of PKI, all of which can be easily adhered to with the use of a centralized management tool.
AppViewX: A Gartner-recognized Representative Vendor
Finally, the report names and evaluates 9 vendors of certificate management tools, of varying functionality and capabilities. Specifically, it names four areas of interest that management tools are expected to fulfil, the criteria being:
- Discovery Functions: The ability to scan entire environments, detect, and locate the certificates on them. Auto-inventory is a bonus feature.
- Full-Cycle Certificate Management: Managing the entire lifecycle of a certificate – issuance, monitoring, renewal, and revocation – from a single point, and automating the necessary functions.
- DevOps Use-Case Fulfilment: Compatibility with DevOps tasks, such as securing containerized environments using X.509 certificates.
- SSH Key Management: Generating, distributing, and destroying SSH keys securely, and implementing secure workflows to do so.
Gartner, Technology Insight for X.509 Certificate Management, 3 October 2019, David Mahdi, David Collinson