GDS International - Next - Generation - Security - Summit - US - 2

Venafi Best Practices - Enterprise Encryption Key and Digital Certificate Management

Published in: Technology, Business
  1. BEST PRACTICES: Enterprise Encryption Key and Digital Certificate Management
  2. VENAFI IS THE INVENTOR OF AND MARKET LEADER IN ENTERPRISE KEY AND CERTIFICATE MANAGEMENT (EKCM) SOLUTIONS. VENAFI DELIVERED THE FIRST ENTERPRISE-CLASS SOLUTION TO AUTOMATE THE PROVISIONING, DISCOVERY, MONITORING AND MANAGEMENT of encryption keys and digital certificates, built specifically for encryption management interoperability across heterogeneous environments.
     This document provides an introduction to EKCM best practices that Venafi has developed while working for nearly a decade with Global 2000 organizations. The best practices in this document apply directly to the management of certificates and their associated private keys. For a much more in-depth version of these best practices, visit www.venafi.com/bestpractices.
     Contents: 1 REASONS TO IMPLEMENT EKCM BEST PRACTICES; 2 GETTING STARTED; 3 ESTABLISHING EKCM POLICIES; 4 DEVELOPING A COMPREHENSIVE INVENTORY; 5 ANALYZE YOUR INVENTORY; 6 OPERATIONAL BEST PRACTICES.
  3. 1 REASONS TO IMPLEMENT ENTERPRISE KEY AND CERTIFICATE BEST PRACTICES
     Before starting to implement best practices, it helps to understand why a best practices approach is important. Certificates and private keys play a critical role in securing data and systems across all types of organizations. The following table shows some of the challenges that can arise when they’re not properly managed.
     Challenges and their causes:
     Downtime and System Outages: Certificates that are not renewed and replaced before they expire can cause serious downtime and outages.
     Private Key Compromise: Private keys used with certificates must be kept secure or unauthorized individuals can access confidential information.
     Compliance Violations: Compliance assessors are increasingly scrutinizing management practices for encryption keys.
     High Administrative Costs: The average certificate and private key require four hours per year to manage, costing hundreds of thousands of dollars per year for many organizations.
  4. 2 GETTING STARTED
     DEFINING ROLES & RESPONSIBILITIES: The effective management of certificates and private keys involves multiple individuals and groups. It is critical to establish clear and concise responsibilities for the various stakeholders. This helps ensure that nothing gets overlooked and that multiple parties aren’t duplicating work across projects. Also, be sure to identify all the individuals and teams that play a role in the process, as their cooperation will be necessary.
     RATIONALIZE THE NEED FOR ENCRYPTION: It is critical to understand why encryption is being used within your organization and the risk of that security being compromised. The risks presented by poor management of encryption may seem obvious, but time spent capturing the specifics will be helpful when working with cross-functional teams.
     QUANTIFY THE COSTS: Gather information on the costs of the current process, including the costs associated with outages. Use this information to build the business case for implementing these best practices.
     OBTAIN EXECUTIVE SPONSORSHIP: Getting support from executives in your organization for implementing EKCM best practices is critical due to the cross-functional nature of key and certificate management in most organizations.
  5. 3 ESTABLISHING ENTERPRISE KEY AND CERTIFICATE BEST PRACTICES
     There are many areas to define policies for EKCM. This section highlights some of these and makes specific recommendations.
     CERTIFICATE AUTHORITIES AND TEMPLATES: Select the specific certificate authorities (CAs) and certificate templates that are approved for particular use cases such as externally- and internally-facing systems. Use publicly trusted CAs for external-facing systems and private CAs for internal and test/development systems.
     ADMINISTRATOR ACCESS TO PRIVATE KEYS: Direct administrative access to private keys should be eliminated wherever possible. If access is required, that access should be closely monitored to prevent the possibility of a copy of the private key being made. All private key access should be logged. Every time a system’s administrator is changed, the private key and corresponding certificate should be changed.
  6. CERTIFICATE VALIDITY PERIODS: The validity period is the time window a certificate is valid and consequently the period during which you must ensure the secrecy of the certificate’s private key. Resist the urge to use longer certificate validity periods – they create a false sense of operational benefit while greatly increasing the risk of data exposure. Wherever possible, use one-year validity periods.
     RENEWAL WINDOWS: Define a minimum number of days prior to expiration that the certificate renewal must begin. Use 30 days as a benchmark and adjust accordingly for your organization. You’ll start sending notifications prior to this window, but it defines a line in the sand of when the process will start.
     KEY LENGTH: The current minimum recommended key length by the U.S. National Institute of Standards and Technology (NIST) is 2048 bits. Assure that all smaller certificates and keys are proactively replaced immediately. Determine whether there are any applications or devices that do not support 2048-bit keys.
     KEYSTORE PASSWORD STRENGTH: Many keystores rely on a password to protect private keys. Establish policies for minimum keystore password length and complexity. Wherever possible, use passwords of at least 12 characters with a combination of lower- and uppercase characters with at least one number and one non-alphanumeric symbol. Keystore passwords should be changed each time a certificate and private key are replaced/renewed.
  7. PRIVATE KEY DISTRIBUTION: Every time private keys are accessed in order to transfer them from one location to another, it dramatically increases the risk of a key compromise. Private keys must be securely wrapped during transport. Use a password-encrypted file (e.g. PKCS#12 or PEM) or a wrapping key from the target device. Ideally, use a system that eliminates administrative handling of private keys during distribution. If this isn’t possible, require that two individuals each type in half of the wrapping password. This reduces the possibility that a single person could gain access to the private key.
     DUAL CONTROL: The establishment and enforcement of clear dual control policies is critical in the context of certificate and private key management in order to prevent a single individual from performing unauthorized actions. The specific operations that require dual control should be driven by an analysis of specific security risks and threats as well as governance oversight requirements (such as Sarbanes-Oxley).
     AUDIT LOGGING: Audit logging is important for your certificates and, especially, private keys. However, collecting all of the events related to managing certificates and private keys into a single log is challenging due to the technologies traditionally used to manage keys and certificates. Nonetheless, you need to develop a strategy for collecting and securing log information for all certificate and key management operations, especially for any access to private keys.
     Figure (certificate workflow): A Request Certificate; B Generate Key Pair/CSR; C Submit CSR to CA; D Issue Certificate; E Retrieve Certificate; F Install Certificate; G Restart Application. Approval gates along the workflow: Budget Approval, Security Approval, Arch Approval, PKI Operations Approval.
     Figure (keystore): the Application reads a Keystore File; the keystore is wrapped with a password, and in some keystores the Private Key is additionally wrapped with its own password.
  8. 4 DEVELOPING A COMPREHENSIVE INVENTORY
     The critical starting point in any certificate and private key management strategy is to create a comprehensive inventory of all certificates, their locations and responsible parties. This is not a trivial matter because certificates are deployed in a variety of locations by different individuals and teams – it’s simply not possible to rely on a list from a certificate authority. Take a multi-pronged approach to ensure that no certificates are missed.
  9. 1 IMPORT FROM CERTIFICATE AUTHORITIES: The first step is to gather what you already know by importing from existing certificate authorities. It is very dangerous to assume that an import from your known CAs will provide an accurate inventory of all certificates; it’s merely a starting point that must be augmented by discovery.
     2 PERFORM NETWORK DISCOVERY: Next, perform a network discovery to find certificates that are present on a listening port such as HTTPS. Start by gathering your network address ranges and then collect a list of ports to check. You can initially check on port 443, but there are many ports on which certificates are commonly presented.
     3 AGENT-BASED DISCOVERY: Many certificates are not discoverable via network ports, such as client-side certificates used for mutual authentication on SSL. Finding these certificates typically involves performing file system scans on server and client systems with a locally-installed agent.
     4 INDIVIDUAL IMPORT BY ADMINISTRATORS: Network and agent-based discoveries can take time and it may not be possible to perform them in all corporate locations. That makes it critical to educate administrators and make sure they are proactively reporting any certificates they are aware of and adding them to the inventory.
     Be aware that performing an inventory is not a one-time event. You should repeat the steps above weekly to keep the inventory up to date.
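The network discovery step (address ranges times a port list, starting with 443) as an added example; this is not code from the brochure or from Venafi. It uses only the Python standard library: the ports beyond 443 and the TEST-NET-1 range in the usage block are assumptions chosen for illustration, and `getpeercert(binary_form=True)` returns the raw DER certificate, which is fingerprinted rather than parsed so the record can be fed to a later analysis step.

```python
import hashlib
import ipaddress
import socket
import ssl
from typing import Any, Dict, Iterable, Iterator, List, Tuple

# 443 is the port the brochure names first; the remaining entries are an
# assumption of other ports on which TLS listeners commonly present certificates.
DEFAULT_PORTS: Tuple[int, ...] = (443, 8443, 636, 993, 995, 465)


def expand_targets(ranges: Iterable[str], ports: Iterable[int] = DEFAULT_PORTS) -> Iterator[Tuple[str, int]]:
    """Yield every (address, port) pair from CIDR ranges and a port list.

    ip_network.hosts() skips the network and broadcast addresses, so a /30
    checked on two ports yields four targets.
    """
    port_list = tuple(ports)
    for cidr in ranges:
        network = ipaddress.ip_network(cidr, strict=False)
        for address in network.hosts():
            for port in port_list:
                yield str(address), port


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate in the colon-separated form most tools show."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def probe(host: str, port: int, timeout: float = 3.0) -> Dict[str, Any]:
    """Complete a TLS handshake with one listener and record the leaf certificate it sent.

    Verification is disabled on purpose: discovery must inventory whatever is
    presented, including self-signed, expired and unapproved-CA certificates,
    rather than decide whether to trust it. Failures are recorded, not raised,
    so a sweep over a whole range runs to completion.
    """
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    record: Dict[str, Any] = {"host": host, "port": port, "found": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                protocol = tls.version()
    except OSError as exc:  # ssl.SSLError and socket.timeout are OSError subclasses
        record["error"] = type(exc).__name__
        return record
    if der:
        record.update(found=True, sha256=der_fingerprint(der), der_bytes=len(der), protocol=protocol)
    return record


def discover(ranges: Iterable[str], ports: Iterable[int] = DEFAULT_PORTS,
             timeout: float = 3.0) -> List[Dict[str, Any]]:
    """Sweep the ranges and return only the listeners that presented a certificate."""
    results = (probe(host, port, timeout) for host, port in expand_targets(ranges, ports))
    return [r for r in results if r["found"]]


if __name__ == "__main__":
    # 192.0.2.0/30 is the documentation range (TEST-NET-1); substitute your own ranges.
    for found in discover(["192.0.2.0/30"], timeout=1.0):
        print(f'{found["host"]}:{found["port"]} {found["protocol"]} {found["sha256"]}')
```

The records carry only host, port, protocol and fingerprint; the CA, key length and validity dates come from parsing the DER in the analysis step, and the fingerprint is what lets the same certificate be matched across a CA import, a network sweep and an agent scan.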
  10. 5 ANALYZE YOUR INVENTORY
     As you develop your inventory, analyze the data you’ve collected. Here are some of the things to look for:
     EXPIRATION DATES: Immediately begin evaluating and tracking expiration dates to assure that any certificates brought into the inventory that expire in less than 30 days are flagged for renewal.
     CAS IN USE: Determine which CA issued each certificate so that you can identify CAs that are not approved or certificates that are self-signed.
     KEY LENGTHS: Note certificates with noncompliant key lengths and replace them immediately.
     VALIDITY PERIODS: Flag all validity periods longer than 1 year and remediate.
  11. RESPONSIBLE GROUPS: Analyze and collate certificates according to responsible teams.
     MANAGEMENT PROCESSES: Review and document current key and certificate management processes for each group where they’re in use.
     As you analyze your inventory, determine whether any of the policies you’ve defined should be adjusted in order to address the specific needs of your organization.
  12. 6 OPERATIONAL BEST PRACTICES
     Once you’ve identified the compliance gaps between your policies and your current environment and processes, educate your organization on operational best practices. Wherever possible, leverage management tools to reduce operational risks and improve security while reducing operational overhead.
     MANAGING CONTACTS/OWNERSHIP: As you’re developing your inventory, start establishing a correlation of who the contacts and owners are for certificates. Wherever possible assign groups as the contacts instead of individuals to avoid a single point of failure. Some helpful sources include certificate authorities, tracking spreadsheets, and even a CMDB. Define clear responsibilities for maintenance of certificate contact information.
  13. MONITORING AND VALIDATION: An important method for preventing in-service expirations is to establish a central monitoring function that ensures certificates are replaced prior to expiration by automatically notifying responsible groups. Only when the new certificate has been installed and the application has been reset to use the new certificate prior to the time of expiration is the risk of downtime averted.
     NOTIFICATIONS AND EXPIRATION REPORTS: Expiration reports should be sent to certificate owners each month that show a list of all certificates expiring in the next 90 days. Individual expiration notifications should be sent if action has not been taken on an individual certificate within 30 days of expiration. If action has not been taken within 20 days prior to expiration, escalation to additional parties should be added. At 10 days from expiration, notifications should be sent to a NOC or other corporate group that is responsible to respond to the crisis until it is resolved.
     Figure: Onboard Validation; Notifications; Network Validation.
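The policy checks from section 3 (2048-bit minimum key length, one-year validity, 30-day renewal window), the inventory analysis of section 5 (expiration dates, CA in use, self-signed certificates, key lengths, validity periods) and the 90/30/20/10-day notification ladder described above, combined into one added example. This is not code from the brochure or from Venafi; the inventory records, the as-of date and the approved-CA set are constructed assumptions, and the field names are what a parsed discovery record is assumed to provide.

```python
from datetime import date
from typing import Any, Dict, List

# Policy values as the brochure states them: 2048-bit minimum key length, one-year
# validity, a 30-day renewal window and the 90/30/20/10-day notification ladder.
MIN_KEY_BITS = 2048
MAX_VALIDITY_DAYS = 365
RENEWAL_WINDOW_DAYS = 30
REPORT_HORIZON_DAYS = 90
ESCALATION_DAYS = 20
NOC_DAYS = 10
# Assumption: the approved-CA set comes from your own policy (section 3).
APPROVED_CAS = {"Example Public CA", "Example Corp Internal CA"}
# Constructed as-of date for the worked example.
TODAY = date(2011, 6, 15)

# Constructed inventory records, not real certificates: each entry is what a CA import,
# network discovery or agent discovery would have produced once the certificate is parsed.
INVENTORY: List[Dict[str, Any]] = [
    {"subject": "www.example.com", "issuer": "Example Public CA", "owner": "web-ops",
     "not_before": date(2011, 1, 1), "not_after": date(2012, 1, 1), "key_bits": 2048},
    {"subject": "intranet.example.corp", "issuer": "Example Corp Internal CA", "owner": "intranet-team",
     "not_before": date(2011, 6, 1), "not_after": date(2011, 7, 10), "key_bits": 2048},
    {"subject": "legacy-appliance.example.corp", "issuer": "legacy-appliance.example.corp",
     "owner": "network-team",
     "not_before": date(2009, 1, 1), "not_after": date(2014, 1, 1), "key_bits": 1024},
    {"subject": "mail.example.com", "issuer": "Example Public CA", "owner": "messaging",
     "not_before": date(2010, 6, 22), "not_after": date(2011, 6, 22), "key_bits": 2048},
]


def days_to_expiry(cert: Dict[str, Any], today: date) -> int:
    """Days until not_after; negative once the certificate has expired."""
    return (cert["not_after"] - today).days


def analyze(cert: Dict[str, Any], today: date) -> List[str]:
    """Return the section-5 findings for one record, in a fixed order."""
    findings: List[str] = []
    if days_to_expiry(cert, today) < RENEWAL_WINDOW_DAYS:
        findings.append("expiring_within_renewal_window")
    if cert["issuer"] not in APPROVED_CAS:
        findings.append("unapproved_ca")
    if cert["issuer"] == cert["subject"]:
        findings.append("self_signed")
    if cert["key_bits"] < MIN_KEY_BITS:
        findings.append("weak_key")
    if (cert["not_after"] - cert["not_before"]).days > MAX_VALIDITY_DAYS:
        findings.append("validity_over_one_year")
    return findings


def notification_tier(days_left: int) -> str:
    """Map days to expiry onto the escalation ladder: report, owner notice, escalation, NOC."""
    if days_left < 0:
        return "expired"
    if days_left <= NOC_DAYS:
        return "noc"
    if days_left <= ESCALATION_DAYS:
        return "escalation"
    if days_left <= RENEWAL_WINDOW_DAYS:
        return "owner_notice"
    if days_left <= REPORT_HORIZON_DAYS:
        return "monthly_report"
    return "none"


def monthly_report(inventory: List[Dict[str, Any]], today: date) -> List[Dict[str, Any]]:
    """Rows for the monthly owner report: everything expiring within 90 days, soonest first."""
    rows = []
    for cert in inventory:
        left = days_to_expiry(cert, today)
        if left <= REPORT_HORIZON_DAYS:  # already-expired certificates stay on the report
            rows.append({"subject": cert["subject"], "owner": cert["owner"], "days_left": left,
                         "tier": notification_tier(left), "findings": analyze(cert, today)})
    return sorted(rows, key=lambda row: row["days_left"])


if __name__ == "__main__":
    for cert in INVENTORY:
        print(f'{cert["subject"]}: {analyze(cert, TODAY) or "compliant"}')
    for row in monthly_report(INVENTORY, TODAY):
        print(f'{row["days_left"]:>4}d {row["tier"]:<14} {row["subject"]} -> {row["owner"]}')
```

The report rows are keyed by owner so that, as section 6 recommends, a group rather than an individual receives each notice; the tier changes on its own as the as-of date advances, which is what a nightly job needs to move a certificate from the monthly report to an owner notice, an escalation and finally the NOC.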
  14. ENROLLMENT AND PROVISIONING: Establish standard practices for enrollment and provisioning that maximize reliability and repeatability, ensure security and compliance with policy, and minimize load on your administrators. There are easily 20 or more steps involved in issuing or renewing a certificate. These steps must be standardized and implemented in compliance with policy every time. Errors are inevitable when these steps are performed manually. In addition, confidently ensuring the security of the private key is very challenging when these operations are performed manually. Prudent organizations will evaluate automated methods of certificate enrollment and provisioning.
     For more detailed steps and recommendations for each of these areas of best practice, visit www.venafi.com/bestpractices.
     Worldwide: +1 801 676 6900 EMEA: +31 641 789 667 www.venafi.com
     Copyright © 2011 Venafi, Inc. All rights reserved. Venafi and the Venafi logo are trademarks of Venafi, Inc. in the United States and other countries. All other company and product names may be trademarks of their respective companies. This document contains the intellectual property of Venafi, Inc. and is provided for the reader solely for the purpose of helping them improve the operations of their business processes. The reader agrees that they will not use the information contained in this summary for any other purpose. Venafi makes no warranties, express or implied, in this summary, as to the fitness for purpose of the best practices described herein. Covered by United States Patents #7,418,597, #7,568,095, #7,650,496, #7,650,497, #7,698,549 and other patents pending. Part number: 1-0010-0211