Unmanaged Cryptographic Keys and Certificates Pose Significant Risk
Venafi, a product vendor for Internet Security, recently revealed results from a global survey of CIOs that believe security defenses are less effective and that they expect to suffer from an attack. The underlying issue, according to Venafi, is due to the prevalence of unprotected and unmanaged cryptographic keys and digital certificates. CIOs admitted in the survey that they are “spending millions of dollars on layered security defenses,” effectively trusting keys and certificates without being able to differentiate between trusted and compromised keys.
Even more troublesome is Gartner’s prediction that by 2017, approximately 50% of the attacks against an enterprise network will come from encrypted traffic, bypassing controls put in place to stop attacks. This prediction means that tools like IDS, behavior-anomaly detection, next-generation firewalls will only function at about 50% capacity, letting through half of the attacks. Additionally, the Ponemon Institute recently revealed that approximately 54% of organizations said: “they lack policy enforcement and remediation for keys and certificates.”
While the survey does point out worrying figures about the underlying digital trust that enterprises rely on, it is important to note that there are ways to rebuild confidence in your keys.
3 Steps to Rebuild Confidence in Your Cryptographic Keys and Certificates
1: Know and understand where your keys are located
Many CIOs in the survey admitted to not knowing where all of their keys and certificates are located. Having a program in place to manage and monitor keys, who has access to them and most importantly, where they are located, will help build confidence in your cryptographic key management program. Knowing that your keys are accounted for will help you reduce the risk of untrusted keys.
2: Establish policies and procedures for how certificates and keys are handled
Having policies and procedures for key management, including those that ensure formal assignment of key management responsibilities in a key custodian role, will make employees managing cryptography more accountable. An established procedure will ensure that key management is handled the right way every time and when there is turnover, the next employee will be following the same procedure, and so on. The main takeaway is that the policies must be, without doubt, enforceable, and the procedures must be known, aligned with policy, implemented, and followed accordingly by key management staff.
3: Log and document all key management activities
Every time key management activity is performed (updated, changed, expired), that activity needs to be logged and documented. Metrics should be collected to get an idea of what is normal behavior and what is not. Suspicious activity or suspected key compromise should be reported and investigated.
While these are just some of the ways to protect your keys and certificates, it goes without saying that attacks coming over SSL/TLS are a real concern (as evidenced by the Heartbleed bug). The survey, which was conducted by an independent market research company, provides some important data on the health of cryptographic key management across industries, according to respondent CIO’s. Given the reliance on cryptography to protect sensitive data, protecting cryptographic keys and understanding encrypted data flows are smart first steps to combating these evolving attacks designed to evade your perimeter defenses using the same techniques used to protect your sensitive data.
Did You Like This Post?
Subscribe to CyberSheath’s blog today to receive email updates as new posts become published.