Aliens
Image courtesy of tgkrause on Flickr.

I’ve just discovered that I’m an illegal alien. My identity card expired two months ago, so technically I could be kicked out of the country where I’m currently resident. (For obvious reasons I don’t want to mention that country until I resolve this small matter.) If that wasn’t bad enough, my wife is also an illegal, so domestic panic has taken hold: "We’ll be kicked out, never to see family or friends again!"

How did this suddenly come about? Well, it seems something fell through the administrative cracks. We should have received a reminder three months prior to expiry, telling us that we would need to renew our residence permit, but for whatever reason nothing arrived.

The first port of call was to contact the department that has looked after this process for the past 25 years, only to find that a new governmental department has been set up to look after ‘aliens’. A visit to the appropriate website presented us with a 26-page questionnaire to be completed to renew our status – it used to be a one-pager at the so-called ‘alien police’.

The similarities with the IT security world are obvious. Daily, organisations are confronted with problems associated with the expiry of encryption keys and certificates, and almost always the problem is a result of the failure to properly implement best practices.

Most organisations, in spite of having policies and processes defined, regularly overlook encryption keys and certificates. They lose track of them, or someone else takes over responsibility and the result is that certificates expire because no-one knew they were there. It is not a trivial matter to track digital certificates because they are deployed in so many different locations and in such a variety of systems, and installed on systems that are managed by an army of IT teams. They are just like us aliens – all over the place!

Tracking the ‘aliens’
The first step the new government organisation should have taken was to ensure they collected every piece of information for every alien in the country. The same applies to certificates. Start with the obvious source – the certificate authorities (CAs) you know are being used. But don’t assume that once you have the information you have tracked all the ‘aliens’ – after all, even the ones you know about may have already left.

The next step should have been some contact with every address in the country asking if there were any aliens resident. Similarly, the next step in managing certificates should be a network discovery to find those present on a listening port such as HTTPS. Start by gathering your network address ranges and then collect a list of ports to check. Now you are making progress because you can start to reconcile what you think you have with what you actually discover. You will be surprised to find that not all certificates are issued by your certification authority.

Finally, a house-to-house search would have found aliens ‘hiding’ from the system. In the same way, user certificates are not going to respond to a simple network query, so only a detailed search of each system will reveal those hidden certificates, which appear only when someone specifically asks for them. Many certificates, such as client-side certificates used for mutual authentication on SSL, are not discoverable via network ports. Finding them typically involves performing file system scans on server and client systems with a locally installed agent.
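The three discovery steps above (ask the CAs you know about, sweep the listening ports, then search each system's file system) in working form, as an added example rather than code from the original piece or from Venafi. It is stdlib-only Python: one function fetches the leaf certificate from a listening TLS port, one pulls every PEM certificate out of a file's text (the local-agent case), and a small DER walker reads the two fields an inventory needs first, issuer CN and notAfter. The `Example Internal CA` and `service.example.internal` names and the dates are constructed; the fixture certificate is unsigned and has an empty key, and exists only so the parser can be exercised offline.

```python
"""Certificate discovery helpers, stdlib only: fetch a leaf certificate from a TLS
port, pull PEM certificates out of file text, and read issuer CN + notAfter from DER."""
import re
import socket
import ssl
from datetime import datetime, timezone

OID_CN = bytes.fromhex("550403")  # 2.5.4.3 commonName, DER-encoded
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the server's leaf certificate as DER bytes. Verification is deliberately
    off: an inventory must record certificates from unknown issuers as well."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def certs_in_text(text):
    """Return DER bytes for every PEM certificate block found in a file's text."""
    return [ssl.PEM_cert_to_DER_cert(m.group(0)) for m in PEM_RE.finditer(text)]

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the value of a constructed DER type into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _name_cn(name):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }; return the CN."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            if oid == OID_CN:
                return val.decode("utf-8")
    return None

def _time(tag, raw):
    """UTCTime (0x17, two-digit year) or GeneralizedTime (0x18, four-digit year)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_summary(der):
    """Return {'issuer_cn', 'not_after'} for a DER-encoded certificate."""
    _, cert, _ = _tlv(der, 0)
    fields = _children(_children(cert)[0][1])   # tbsCertificate is the first element
    if fields[0][0] == 0xA0:                      # skip the optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature AlgorithmIdentifier, issuer, validity, subject, ...
    (_, _not_before), (na_tag, na) = _children(fields[3][1])
    return {"issuer_cn": _name_cn(fields[2][1]), "not_after": _time(na_tag, na)}

def _der(tag, payload):
    """Minimal DER encoder (definite length) used only to build the fixture below."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def constructed_cert_pem(issuer_cn="Example Internal CA", not_after="20260115120000Z"):
    """Constructed fixture: structurally valid, unsigned, empty key, so the parser can be
    exercised offline. Not a real certificate; the names and dates are made up."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))

    def name(cn):  # one RDN holding a UTF8String commonName
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))

    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
           + name(issuer_cn)
           + _der(0x30, _der(0x18, b"20250101000000Z") + _der(0x18, not_after.encode()))
           + name("service.example.internal") + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + sha256_rsa + _der(0x03, bytes(9)))
    return ssl.DER_cert_to_PEM_cert(der)
```

In a real sweep, `fetch_leaf_der` is called for each address in your ranges and each port on your list, the agent feeds file contents to `certs_in_text`, and every result goes through `cert_summary` so the issuer can be compared with the CAs you actually operate. A full X.509 library would normally do the parsing; the hand-rolled DER walker is here to show exactly which bytes the inventory depends on, and the deliberately disabled verification is what lets the sweep record the certificates your own CA never issued.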

Now, no-one is denying that discovering certificates is time-consuming, and automation should be used wherever possible, but ultimately you cannot start managing certificates until you know where they are.

Although it’s always good to have a snapshot, certificates, like aliens, tend to move around, so continuous monitoring and validation that everything is where it should be helps you maintain control. Continuous monitoring also prevents expirations: to keep perfectly good certificates from lapsing, notifications must be sent to their owners warning them, in plenty of time, that action is required.
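The reconciliation and the expiry warnings described above, as an added example (not code from the original piece or from Venafi). It assumes the inventory from the discovery sweep is keyed by certificate fingerprint, compares it with what the CA's issuance records say exists, and turns each deployed certificate's notAfter into a tiered notice to its owner. The 90/30/7-day tiers, the fingerprints, owners, hostnames and dates are all constructed sample values.

```python
"""Keep the inventory honest between discovery runs: reconcile what the CA says it
issued against what discovery actually found, and turn expiry dates into tiered
notices to certificate owners. Thresholds and sample records are constructed."""
from datetime import datetime, timedelta, timezone

NOTICE_DAYS = (90, 30, 7)  # warn at these days-to-expiry; fit them to your renewal lead time

def reconcile(ca_issued, discovered):
    """Both arguments map a certificate fingerprint to its record.
    Returns the three populations: 'left' (issued but never found: decommissioned or
    hiding), 'foreign' (found but not issued by your CA), 'tracked' (both)."""
    issued, found = set(ca_issued), set(discovered)
    return {"left": sorted(issued - found),
            "foreign": sorted(found - issued),
            "tracked": sorted(issued & found)}

def expiry_notices(records, now, tiers=NOTICE_DAYS):
    """records: dicts with 'owner', 'location' and a timezone-aware 'not_after'.
    One notice per certificate inside the outermost tier, most urgent first;
    already-expired certificates are always reported."""
    notices = []
    for fp, rec in records.items():
        days_left = (rec["not_after"] - now) // timedelta(days=1)  # floors, so -1 means "today"
        if days_left < 0:
            level = "EXPIRED"
        else:
            crossed = [t for t in tiers if days_left < t]
            if not crossed:
                continue
            level = f"T-{min(crossed)}"
        notices.append({"fingerprint": fp, "level": level, "days_left": days_left,
                        "owner": rec["owner"], "location": rec["location"]})
    return sorted(notices, key=lambda n: n["days_left"])

def _rec(owner, location, y, m, d):
    return {"owner": owner, "location": location,
            "not_after": datetime(y, m, d, tzinfo=timezone.utc)}

def demo(now=datetime(2025, 6, 1, tzinfo=timezone.utc)):
    """Constructed sample inventories; returns (reconciliation, notices)."""
    ca_issued = {                       # what the CA's issuance log says exists
        "A1": _rec("payments-team", "lb01:443", 2025, 6, 20),
        "B2": _rec("hr-team", "hr-portal:443", 2025, 12, 1),
        "C3": _rec("it-ops", "vpn01:443", 2025, 5, 30),
        "D4": _rec("it-ops", "mail01:993", 2026, 1, 1),
    }
    discovered = {                      # what network and file-system discovery found
        "A1": ca_issued["A1"],
        "C3": ca_issued["C3"],
        "D4": ca_issued["D4"],
        "Z9": _rec("unknown", "dev-box07:8443", 2025, 8, 15),  # issued by some vendor CA
    }
    recon = reconcile(ca_issued, discovered)
    # Notify on everything that is actually deployed, foreign certificates included.
    return recon, expiry_notices(discovered, now)

if __name__ == "__main__":
    recon, notices = demo()
    print("left:", recon["left"], "foreign:", recon["foreign"])
    for n in notices:
        print(f'{n["level"]:8} {n["days_left"]:>5}d {n["fingerprint"]} {n["location"]} -> {n["owner"]}')
```

Two points worth noticing in the sample run: the certificate on `vpn01` is reported as expired even though it is still installed, which is exactly the case a one-off snapshot misses, and the `Z9` certificate gets a notice although your CA never issued it, because what matters for an outage is what is deployed, not what was approved. The "left" population is the list to chase before the next sweep: either the system was decommissioned and the CA record should be closed, or the certificate is hiding on a host the agents have not reached.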

Finally, set up common sense processes for certificates to be renewed. Don’t waste money hiring consultants who develop complex security practices no-one can understand and which you can probably ‘Google’ in five minutes. Keep it simple, use compliance standards such as PCI, and wherever possible use automated methods to create certificates and install them. After all, ensuring the security of the private key is very challenging when these operations are performed manually.

Calum MacLeod, EMEA director, Venafi.