Data is only as safe as the encryption used to protect it. Managing keys and certificates is extremely complex, however. Calum MacLeod, EMEA director at Venafi, takes a closer look at what’s needed to master a discipline often viewed as a dark art.
Data leaks can ruin an organisation's reputation, expose it to draconian fines, and even result in expensive legal tussles. In an effort to deflect the explosion of threats enterprises face, many are deploying encryption on a vast scale, installing tens or hundreds of thousands of SSL certificates and encryption keys to secure valuable data.
However, with encryption now in use across every part of the business, it is increasingly untenable for one central team to manage the escalating number of keys and certificates across the whole infrastructure. This means that, rather than enterprise key and certificate management (EKCM) remaining the domain of a technical expert, it is being delegated to business owners. And that is a trend which is causing organisations to lose sleep – and data!
It makes sense that the best person to determine something's worth is its owner and that, by the same token, the best person to protect something valuable is its owner. However, as already noted, EKCM is complex, even for those working within IT. For the average user, it might as well be a foreign language.
For a start, there are hundreds of companies providing PKI services (public key infrastructure: the hardware, software, people, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates). Even within a single organisation there can be dozens of different technologies to learn.
Next is the language, which has historically been the preserve of technical experts. It is a minefield of CAs, VAs and RAs (certification, validation and registration authorities) issuing SSL certificates with DNs and CNs (distinguished names and common names) and hashing algorithms, and that is just the tip of the acronym iceberg. For someone who lives, eats and breathes IT it is complex; for an average user who has to deal with it once or twice a year, when certificates need renewing, it is mind blowing.
As if that were not enough, every system has its own way of requesting the relevant information. What Verisign asks for is different from what Globalsign asks for, even when both are after the same thing!
In summary, the problem is that the user is all too often faced with a very complex interface, littered with acronyms, requesting a myriad of information that changes from supplier to supplier, leaving non-technical users confused and frustrated.
Complexity made simple
There are companies that offer a subscription service to facilitate the purchase of certificates from the various certificate authorities, be it Verisign, Comodo or Globalsign. However, even this is complex, as the user is ultimately just given access to the portals of the various vendors, albeit from a central point.
They then still have to decipher each site, separate the relevant information from the marketing hype, and work out which information goes in which field. Given the acronyms and idiosyncrasies of each solution, this is easier said than done.
It’s time that the PKI industry took a leaf out of the banking sector’s book. Once it became possible to withdraw money from a “hole in the wall”, banks couldn’t present users with the whole back office of the banking system. Instead, it had to be a simple-to-use interface that anyone on the street could use.
An ATM (automated teller machine) is, on the face of it, just that: it asks in plain English what the user wants and provides it. Imagine how different it would be if the average Joe on the street had to navigate the entire banking system behind that interface in order to withdraw cash, and if it changed from machine to machine. The banks could not afford to have someone standing next to each device explaining how to withdraw money. Instead, it had to be simple, intuitive, fit for purpose and reliable.
Keeping it neat and tidy
Organisations want average users to take ownership of their encryption assets, but that means giving them the means to manage encryption. It is impractical to train non-technical users on complex systems that differ from vendor to vendor and are used only occasionally. It all has to be logical and it all has to be simple. Here's how:
• Make it easy to manage – just like an ATM, EKCM needs a single, generic interface where users can request and receive certificates, regardless of provider.
• Secure access – as long as people are involved, there is always risk. The private keys behind certificates must be kept secure: anyone who obtains a copy can impersonate the service and read the confidential information it protects. Direct administrative access to private keys should be eliminated wherever possible.
• Keep the garden tidy – keep certificate validity periods to a maximum of one year, so that a forgotten or compromised certificate does not stay valid for long, and manage revocations yourself to ensure you are protected, rather than relying on third parties to do it for you!
• Close security holes – do you know every gap through which malware could sneak in? Probably not. Malware looks to hide among the tens of thousands of certificates in your infrastructure, and a certificate or key that nobody is tracking is exactly the gap it needs. Keep an inventory, so that every certificate and key has a known owner and a known expiry.
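As an added worked example (not code from the article or from Venafi), the Go program below shows what the "easy to manage" and "keep the garden tidy" points look like in practice: a provider-neutral certificate request built from nothing more than the organisation, the CN and the DNS SANs, which is the same PEM whichever CA portal it is pasted into, and an audit over issued certificates that flags anything valid for more than one year, anything already expired, and anything due within a renewal window. The self-signed sample certificates, the example.test hostnames and the 30-day renewal window are constructed for this example and are not from the original text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// MaxValidity is the one-year ceiling on certificate lifetime recommended above.
const MaxValidity = 365 * 24 * time.Hour

// RenewalWindow is an assumed lead time for warning the owner before expiry (not from the article).
const RenewalWindow = 30 * 24 * time.Hour

// BuildCSR produces a PKCS#10 request from the only inputs the user should need:
// the Distinguished Name (organisation plus Common Name) and the DNS Subject
// Alternative Names. The resulting PEM is the same regardless of which CA issues it.
func BuildCSR(key *ecdsa.PrivateKey, org, cn string, sans []string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{Organization: []string{org}, CommonName: cn},
		DNSNames: sans,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// AuditCertPEM parses one PEM-encoded certificate and returns its policy findings.
func AuditCertPEM(pemBytes []byte, now time.Time) ([]string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return AuditCert(cert, now), nil
}

// AuditCert applies the "garden tidy" checks: lifetime at most one year, not expired,
// and flagged for renewal when expiry falls inside RenewalWindow.
func AuditCert(cert *x509.Certificate, now time.Time) []string {
	var findings []string
	if cert.NotAfter.Sub(cert.NotBefore) > MaxValidity {
		findings = append(findings, "validity period exceeds one year")
	}
	switch {
	case now.After(cert.NotAfter):
		findings = append(findings, "expired")
	case cert.NotAfter.Sub(now) < RenewalWindow:
		findings = append(findings, "expires within renewal window")
	}
	return findings
}

// selfSigned builds a constructed sample certificate so the audit can run offline;
// in real use the PEM would come from the certificates deployed in the estate.
func selfSigned(key *ecdsa.PrivateKey, cn string, notBefore time.Time, lifetime time.Duration) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := BuildCSR(key, "Example Ltd", "www.example.test", []string{"www.example.test", "example.test"})
	fmt.Print(string(csr))

	now := time.Now()
	day := 24 * time.Hour
	samples := []struct {
		cn       string
		start    time.Time
		lifetime time.Duration
	}{
		{"ok.example.test", now.Add(-day), 90 * day},       // within policy, nothing to report
		{"long.example.test", now.Add(-day), 730 * day},    // two-year lifetime breaches the ceiling
		{"soon.example.test", now.Add(-80 * day), 90 * day}, // ten days left, owner should renew
		{"old.example.test", now.Add(-100 * day), 90 * day}, // lapsed ten days ago
	}
	for _, s := range samples {
		findings, _ := AuditCertPEM(selfSigned(key, s.cn, s.start, s.lifetime), now)
		fmt.Printf("%-20s %v\n", s.cn, findings)
	}
}
```

The CSR is the "ATM slip" a business owner would hand to any CA; the audit loop is what the tidy-garden step becomes once certificates are inventoried, and in production it would iterate over the PEM files collected from servers rather than the constructed samples.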
The time has come to decipher the black art of PKI, to remove the secrecy, confusion and complexity associated with it, and to let users focus on the essentials: acquiring, renewing and cancelling certificates, and protecting their data.