Unmanaged Cryptographic Keys and Certificates Pose Significant Risk

By Eric Noonan • March 11, 2016

Venafi, a product vendor for Internet Security, recently revealed results from a global survey of CIOs that believe security defenses are less effective and that they expect to suffer from an attack.  The underlying issue, according to Venafi, is due to the prevalence of unprotected and unmanaged cryptographic keys and digital certificates.  CIOs admitted in the survey that they are “spending millions of dollars on layered security defenses,” effectively trusting keys and certificates without being able to differentiate between trusted and compromised keys.

Even more troublesome is Gartner’s prediction that by 2017, approximately 50% of the attacks against an enterprise network will come from encrypted traffic, bypassing controls put in place to stop attacks.   This prediction means that tools like IDS, behavior-anomaly detection, next-generation firewalls will only function at about 50% capacity, letting through half of the attacks.   Additionally, the Ponemon Institute recently revealed that approximately 54% of organizations said: “they lack policy enforcement and remediation for keys and certificates.”

While the survey does point out worrying figures about the underlying digital trust that enterprises rely on, it is important to note that there are ways to rebuild confidence in your keys.

3 Steps to Rebuild Confidence in Your Cryptographic Keys and Certificates

1: Know and understand where your keys are located
Many CIOs in the survey admitted to not knowing where all of their keys and certificates are located.  Having a program in place to manage and monitor keys, who has access to them and most importantly, where they are located, will help build confidence in your cryptographic key management program.  Knowing that your keys are accounted for will help you reduce the risk of untrusted keys.

2: Establish policies and procedures for how certificates and keys are handled
Having policies and procedures for key management, including those that ensure formal assignment of key management responsibilities in a key custodian role, will make employees managing cryptography more accountable.  An established procedure will ensure that key management is handled the right way every time and when there is turnover, the next employee will be following the same procedure, and so on.  The main takeaway is that the policies must be, without doubt, enforceable, and the procedures must be known, aligned with policy, implemented, and followed accordingly by key management staff.

3: Log and document all key management activities
Every time key management activity is performed (updated, changed, expired), that activity needs to be logged and documented.  Metrics should be collected to get an idea of what is normal behavior and what is not.  Suspicious activity or suspected key compromise should be reported and investigated.

While these are just some of the ways to protect your keys and certificates, it goes without saying that attacks coming over SSL/TLS are a real concern (as evidenced by the Heartbleed bug).  The survey, which was conducted by an independent market research company, provides some important data on the health of cryptographic key management across industries, according to respondent CIO’s.  Given the reliance on cryptography to protect sensitive data, protecting cryptographic keys and understanding encrypted data flows are smart first steps to combating these evolving attacks designed to evade your perimeter defenses using the same techniques used to protect your sensitive data.

Did You Like This Post?  

Subscribe to CyberSheath’s blog today to receive email updates as new posts become published.

Cybersheath Blog

CMMC Compliance Dashboard: Gain New Visibility into Compliance

CMMC is not a compliance framework. It’s a maturity model. That has big implications for how you approach compliance, but also how you keep track of all the elements that make up compliance. And yet, visibility has been one of the most difficult challenges facing DIB contractors. It used to…

CMMCEnclave: Add Versatility with a More Flexible Approach

The enclave approach to CMMC compliance is one of the most cost effective and least disruptive ways to safeguard CUI. You can maintain high-value custodial security of CUI without upending your existing processes, procedures, and people. That way, you can maintain the proper level of CMMC compliance and remain eligible…

How to Offboard Your Managed Services Provider

For any of a variety of reasons including lack of communication, slow response times, or prolonged downtime, your organization has decided to change your managed service provider (MSP). Whether you have already signed an agreement with a new MSP or you are actively looking for a replacement, now is the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft