Managing your company’s security posture can be daunting at times. But given the new reality of ransomware, phishing, deep fakes and other advanced identity attacks, it’s critical that strong identification and authentication controls are in place for both humans and machines so that there is no chance of impersonation, fraud or man-in-the-middle attacks, writes GlobalSign CISO, Arvid Vermote.
From a CISO’s perspective, there is a great deal to consider. But among the many critical security steps needed for any organization is the proper management of your company’s identification and authentication processes. The best means to achieve this is using a public key infrastructure (PKI), which allows you to issue certificates to both users and machines for authentication, identification and encryption.
In terms of machines SSL/TLS certificate(s) confirming the identity of IT services, authentication certificates are used for machines to talk to each other, and code signing certificates make sure software and binaries are legitimate, and not malware.
Users employ certificates for authentication towards corporate services, signing documents and signing e-mails so that recipients do not need to doubt ,the sender’s identity and authenticity of any message. New technologies like the Virtual Smart Card (VSC) on Microsoft Windows provide an excellent mechanism for seamless and centralized certificate-based identification and strong authentication.
Not only is it important to make sure every human and machine within your company possesses a certificate so it is identifiable, but also to properly manage the lifecycle of those certificates. A very recent example about why certificate lifecycle management is so important is Microsoft Teams. In early February the popular product experienced an unfortunate incident where an authentication certificate expired. This caused the service to be unavailable for at least three hours, leaving its users around the world unable to login to their Microsoft Teams environment.
See also: Microsoft Teams Takes a Tumble after Cert Expires
Reality is Microsoft is certainly not the only entity to suffer the consequences of a forgotten certificate renewal. In the last several years, LinkedIn, Pokemon Go, the UK’s Conservative Party, and even The White House, all experienced episodes of certificate expiry and consequent unavailability of their services.
Not only are outages highly inconvenient, but they can have a real cost in terms of productivity. Without a valid certificate, data can’t be sent as identity between sender and recipient cannot be confirmed.
Perhaps some will take this with a grain of salt as I am the CISO for a certificate company. However, I assure you my suggestions below will help you better manage your certificates no matter what type of certificate authority scenario you currently have in place. Right off the top, you definitely don’t want to let your certificates expire. But what can you do to prevent it from happening at all?
Here are some tips:
Certificate Management: Some Tips to Stop Certificates Expiring
> Do regularly run complete certificate inventories. You might think you have a handle on all your certificates – you’re using your CAs management portal, getting email alerts, maybe even syncing your renewal periods – when, bam, you learn that some random certificate expired and now everyone’s blaming you. Doing a full scan of both your public and internal networks makes you aware of everything you’re working with so you can be prepared for when that random certificate someone from the dev teamed ordered is up for renewal.
> Do leverage your CA’s certificate management portal. Most CAs offer some kind of management interface where you can see all certificates you have ordered from them and filter for upcoming expirations. And if yours doesn’t perhaps it’s time to check out other options.
> Do check the email address tied to your certificates. You should be sure you have email reminders set up by default which are periodically sent as a certificate’s expiration date approaches. However, these reminders won’t be much use if the emails are never or rarely checked.
> Do use a fully automated, managed PKI solution for certificate provisioning and management. You should be able to easily issue and manage your publicly trusted certificates throughout their life cycle, including renewal, saving valuable IT resources and reducing the risks of having expired certificates.
> Do work with a CA that offers you ease of use to control your certificate needs with the click of a button. Also be sure your CA offers support for multiple business entities and departments under one umbrella account.
> But whatever you do, don’t rely on homegrown solutions like spreadsheets as some people still do. In 2020! The potential issues with this method are stressful just to think about because they are very risky. Someone could forget to update a file, or someone could accidently overwrite it with incorrect information. Or worse, what if your system crashes and you lose everything? That said, it is strongly recommended you find a modern solution to manage your certificates.
Even in a mature IT and security organization it is likely that employees lose track of all the keys and certificates if manually manage. By following these guidelines and automating certificate management your organization will be ahead of the game.