With the rapid growth in the number of certificates in use, organizations should automate the certificate lifecycle and eliminate the manual steps most of them still rely on.
All too often, certificates are issued and forgotten about until they expire. Many organizations lack a platform that gives them a full inventory of issued certificates, and that lack of visibility is the leading cause of certificate-related outages.
“The simple fact is that most legacy PKI, such as Microsoft ADCS, has been deployed across the enterprise with little to no consideration as to how to deal with the ongoing lifecycle management of the certificates that are issued,” says Chris Hickman, Chief Security Officer, Keyfactor. Layer in the fact that certificates are often issued from multiple sources (internal PKI, public CAs, DevOps tools, etc.), and lifecycle management quickly becomes a concern not just for IT security or a particular user group but for the entire organization. To address this, Keyfactor has taken unique and practical approaches to help organizations solve certificate and key lifecycle management at scale.
According to Chris Hickman, “Our Crypto-agility platform allows organizations to gain complete visibility into the certificates in use and where they are being used.” Using the platform, organizations can leverage Keyfactor orchestrators to automate the certificate lifecycle across their endpoints, network, multi-cloud infrastructure and DevOps toolchain. Once deployed, teams gain full visibility and remove the manual renewal steps behind most expiry outages. Keyfactor can deliver fully managed PKI and certificate automation in a cloud, hybrid or on-premises deployment.
Implementing the platform
The platform enables organizations to seamlessly orchestrate every key and certificate across the enterprise. A few steps recommended by Chris Hickman are as follows:
- Inventory the certificates
Simply put, this means obtaining from each CA the list of certificates it has issued to the organization. Because this data comes from the issuing CAs it is authoritative: it tells you exactly which certificates should be in use.
Next, scan the environment to find where certificates are actually deployed. Coupling what the CAs issued with where those certificates sit in your network gives full visibility, and the scan also surfaces certificates the CA data knows nothing about, such as self-signed certificates or ones issued from an untracked source.
- Prioritize the findings
At this point, it is wise to look at the data and make an informed decision about what needs to be addressed, and in what order, based on the following:
Risk: certificates that put the organization at risk are usually the immediate priority. It is common to find certificates that are self-signed, that do not meet current cryptographic standards (for example RSA keys shorter than 2048 bits or SHA-1 signatures), or that were issued to assets no longer in use.
Impact: the next group to address is certificates whose expiry or compromise would have a high impact on the business, or that would need to be replaced quickly after an incident. This typically includes the SSL/TLS certificates protecting web traffic and those on load balancers.
Needs: the remaining certificates still need to be brought under management, but an issue or outage affecting them would have a lesser or limited impact.
- Automate the lifecycle
Now that the highest risks have been mitigated and the entire inventory is known, use the output of the analysis above to automate certificate lifecycle management. Using an orchestrator to manage certificates on the devices where they are needed eliminates manual renewal and configuration changes.
- Monitor
Keeping an eye on the organization's certificates is now significantly simpler: with the baseline known, teams can cut through the “noise” and detect and act on events or anomalies as they occur.
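The inventory-and-triage steps above can be expressed as a reconciliation job: join what the CAs say they issued against what a scan of the estate actually found, then sort every certificate into the risk, impact and needs tiers. The following is an added example written for this page, not Keyfactor's code or any product API. It uses only the Python standard library; the Cert and Deployment records, the known-issuer list, the policy thresholds (2048-bit RSA, 256-bit EC, no SHA-1/MD5 signatures, 30-day expiry window) and the sample data are all constructed for illustration. In practice the Cert fields would be filled from each CA's issued-certificate export and from the leaf certificate presented by every scanned endpoint (parsed with openssl or a library such as cryptography), and the business_critical flag would come from the asset inventory.

```python
"""Reconcile CA-issued certificates with a TLS scan of the estate and triage
each certificate into the risk / impact / needs tiers. Stdlib only; all sample
records below are constructed for this example."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cert:
    fingerprint: str   # SHA-256 thumbprint: the join key between CA export and scan
    subject: str
    issuer: str
    not_after: date
    key_type: str      # "RSA" or "EC"
    key_bits: int
    sig_alg: str       # e.g. "sha256WithRSA", "sha1WithRSA"


@dataclass(frozen=True)
class Deployment:
    cert: Cert
    host: str
    port: int
    business_critical: bool  # asset tag from the CMDB (assumed to exist)


# Policy values are assumptions for this example; tune them to your own standard.
KNOWN_ISSUERS = {"CN=Corp Issuing CA 01", "CN=Public CA R3"}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
WEAK_SIG_ALGS = {"sha1WithRSA", "md5WithRSA"}
EXPIRY_WINDOW = timedelta(days=30)


def risk_reasons(cert, today, deployed):
    """Conditions that put a certificate straight into the 'risk' tier."""
    reasons = []
    if cert.issuer == cert.subject:
        reasons.append("self-signed")
    if cert.issuer not in KNOWN_ISSUERS:
        reasons.append("issuer not in CA inventory")
    if cert.key_bits < MIN_KEY_BITS.get(cert.key_type, 0):
        reasons.append(f"weak key {cert.key_type}-{cert.key_bits}")
    if cert.sig_alg in WEAK_SIG_ALGS:
        reasons.append(f"weak signature {cert.sig_alg}")
    if cert.not_after < today:
        reasons.append("expired")
    if not deployed:  # the CA issued it, but no endpoint is serving it
        reasons.append("issued but not found by scan (decommissioned asset?)")
    return reasons


def triage(issued, found, today):
    """Return {tier: {fingerprint: [reasons]}} covering every certificate known
    from either source. Each certificate lands in exactly one tier."""
    certs = {c.fingerprint: c for c in issued}
    certs.update({d.cert.fingerprint: d.cert for d in found})  # scan-only certs
    where = {}
    for d in found:
        where.setdefault(d.cert.fingerprint, []).append(d)
    tiers = {"risk": {}, "impact": {}, "needs": {}}
    for fp, cert in sorted(certs.items()):
        deployed = where.get(fp, [])
        reasons = risk_reasons(cert, today, deployed)
        if reasons:
            tiers["risk"][fp] = reasons
        elif any(d.business_critical for d in deployed) and cert.not_after - today <= EXPIRY_WINDOW:
            tiers["impact"][fp] = [f"expires {cert.not_after} on a business-critical host"]
        else:
            tiers["needs"][fp] = ["routine renewal: enrol with the orchestrator"]
    return tiers


TODAY = date(2021, 9, 1)
C = Cert
ISSUED = [  # constructed CA exports
    C("A1", "CN=www.example.com", "CN=Public CA R3", date(2021, 9, 20), "RSA", 2048, "sha256WithRSA"),
    C("B2", "CN=intranet.corp.example", "CN=Corp Issuing CA 01", date(2022, 3, 1), "RSA", 2048, "sha256WithRSA"),
    C("C3", "CN=old-build.corp.example", "CN=Corp Issuing CA 01", date(2022, 6, 1), "RSA", 2048, "sha256WithRSA"),
    C("D4", "CN=legacy-app.corp.example", "CN=Corp Issuing CA 01", date(2022, 1, 15), "RSA", 1024, "sha1WithRSA"),
    C("F6", "CN=vpn.example.com", "CN=Public CA R3", date(2021, 8, 1), "RSA", 2048, "sha256WithRSA"),
]
SELF_SIGNED = C("E5", "CN=dev-01", "CN=dev-01", date(2023, 1, 1), "RSA", 2048, "sha256WithRSA")
FOUND = [  # constructed TLS scan results; E5 was never issued by a known CA
    Deployment(ISSUED[0], "lb-01", 443, True),
    Deployment(ISSUED[1], "intranet-01", 443, False),
    Deployment(ISSUED[3], "legacy-01", 8443, False),
    Deployment(ISSUED[4], "vpn-01", 443, True),
    Deployment(SELF_SIGNED, "dev-01", 9443, False),
]

if __name__ == "__main__":
    for tier, items in triage(ISSUED, FOUND, TODAY).items():
        print(f"== {tier} ==")
        for fp, reasons in items.items():
            print(f"  {fp}: {'; '.join(reasons)}")
```

On the sample data the job lands C3 (issued but no longer deployed), D4 (1024-bit RSA, SHA-1), E5 (self-signed, unknown issuer) and F6 (expired) in the risk tier, A1 (19 days from expiry on a critical load balancer) in the impact tier, and B2 in the needs tier. The fingerprint join is what makes the two data sources comparable: a certificate that appears only in the scan is the untracked-source case, and one that appears only in the CA export is the decommissioned-asset case.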
Keeping up with the evolving needs
Keeping up with customers' evolving needs is the only way for a vendor to progress, so Keyfactor constantly monitors trends and business needs from its customer base, partners, industry analysts and the broader market. “From pioneering cloud-based PKI as a Service in 2014, to expanding into SSH key management and code signing, to introducing a new industry-first hybrid model, we continue to stay ahead of the innovation curve in machine identity management,” said Chris Hickman.
The Road Ahead
Certificate use will continue to accelerate, so proven scale and frictionless integrations will remain at the forefront of customer needs. “The reality is that with the explosive growth of the use of certificates, this challenge can lead to undesirable business consequences such as disruption, outages or breaches,” said Chris Hickman.
Keyfactor continues to innovate to address these challenges for its customers, whether in the enterprise or on IoT devices. Earlier in 2021, Keyfactor acquired PrimeKey, creating the IAM industry’s first-ever machine identity management platform for the enterprise.
“PrimeKey is a huge part of Keyfactor’s vision for scalability and flexibility. Organizations want the flexibility to deploy where and how they want and scale-up without friction – that means rapid issuance of certificates and seamless automation to provision identities in fast-paced DevOps and cloud environments,” adds Chris Hickman.