Working remotely? Why certificate management is key for secure communication.
Working from home has been the new reality for many employees since the coronavirus outbreak, and digital communications are crucial for this. People are meeting on Zoom, signing contracts online, sharing screens and more. The problem is, this can throw up all kinds of security issues — often ones that even IT teams aren’t aware of. Fortunately, they can be prevented by establishing a digital security strategy and a strong public key infrastructure to manage security certificates.
How X.509 certificates protect digital identities
In the digital world, most things have a digital identity, including people, servers, software, websites, email systems, access badges and so on. They’re often secured with X.509 certificates, which use public and private keys to verify them.
These certificates help to increase security and ensure business continuity because they’re used to:
· Authenticate users and machines and grant access to internal or external networks or spaces.
· Provide secure communication and ensure the reliability of websites using Transport Layer Security (TLS) or Secure Sockets Layer (SSL).
· Enable programme-to-programme and machine-to-machine communication (for the internet of things, for example).
· Allow pieces of software code to be signed personally in product development processes.
· Encrypt and decrypt important data and information.
· Enable the use of digital signatures on documents or emails.
The problem? Keeping track of them.
One option for managing the requesting, validation, creation and revoking of X.509 certificates is a manual system such as a spreadsheet. This becomes too complex though if you have any more than around 50 certificates.
For most organisations, a certificate management system is essential. It helps to create a reliable public key infrastructure (PKI) that brings together policies, roles, hardware and software to manage public keys and digital X.509 certificates.
Overall, as the use cases and volume of certificates increase, the complexity of X.509 certificate management will grow dramatically. — Gartner.
Knowledge means power — and less time wasted
As a security and risk manager, it’s crucial to be at least aware of the number of certificates your organisation has and their impact on your operations. This is often not the case, however.
When issues arise such as someone being unable to log in, a system malfunctioning or a website being down, one of the first checks should be the X.509 certificate. It may be as simple as the certificate having expired, which is straightforward to fix. All too often, certificates aren’t considered early on though. This can lead to an unnecessarily lengthy, and often costly, hunt to identify the problem.
Strong certificate management prevents costly issues
It is, therefore, really important to set up your PKI properly so certificates can be managed efficiently and effectively. Otherwise, incorrect certificates can be issued, or they can become out of date, leading to technical problems. Poor management of X.509 certificates can also pave the way for unauthorised people using them and hacking into your network and systems.
Security and risk management leaders are often unaware of the scope or status of their X.509 certificate deployments. As certificate scope expands to devices, containers and the IoT, they need to use automated certificate management to avert system outages and gain operational efficiencies. — Gartner
Opt for an automated system that’s secure and compliant
Very few people, even in the IT world, have the specialist skills to renew X.509 certificates. So a reliable certificate management system is vital for establishing a public key infrastructure that’s not only secure, but GDPR compliant.
Such a system will also help you to check and monitor the following, as well as the expiry of X.509 certificates.
· Is the certificate authority issuing the certificate still trustworthy and is the data you hold for it up to date?
· Are the hashing, key length and cryptographic algorithms still at the right level or have hackers found vulnerabilities in them?
· Are you maintaining control of the use of certificates? It’s important to monitor who is using certificates and how they’re being used. Is it in line with your policy? Keeping an eye on this will help to prevent phishing attacks, for example, or the use of SSL or TLS certificates by fake websites. It will also help to protect your data and prevent sensitive communications being intercepted.
· Finally, it’s important to keep track of the ownership of your organisation’s certificates. Usually, different people in different departments are designated as the owners of different certificates. You need to know who the current owners are at all times, so you can approach them quickly if there’s a problem relating to one of them.
First, set your digital security strategy
To address all of the points outlined above, it’s vital to have a comprehensive digital security strategy. To begin with, study the way certificates are currently managed in your organisation. What are the challenges? Is the process smooth and effective? Does it meet all relevant security and privacy standards? Are you fully in control?
If the answer to any of the above questions is no, it’s time to create a digital security strategy — or update your existing one.
Key considerations for your strategy
When creating a digital security strategy, we carefully consider how to deal with the digital identities in your organisation. If certificates are already in use, we also check whether there are built-in vulnerabilities. These include expired certificates; certificates without a designated owner; certificates that all expire on the same date; certificates that are being misused; and certificates that don’t meet current cryptographic standards and legal frameworks such as eIDAS.
This then enables us to draw up a policy based on security frameworks such as the ISO27001 for certificate management, and privacy frameworks such as GDPR. We also determine whether your certificates can be managed manually, with spreadsheets. Or whether a certificate management system, s should be considered.
It’s all part of our striving for a safe, secure and reliable digital environment, where all personal and commercial data is protected. Will you join us in this mission?
Jordan van den Akker, Business Security Consultant for AET Europe.
