SlideShare a Scribd company logo

eBook_PKI-AreYouDoingItWrong2022-f.pdf

H
HaNguyenThanh21

Personal improvement book

Business
1 of 28
Download to read offline
PKI: Are You Doing It Wrong?
3 PKI mistakes can be hazardous to your machine identity management Public key infrastructure (PKI) is the set of hardware, software, policies, processes and procedures you need to create, store and manage digital certificates and public keys. A well-managed PKI will help you create a secure and trusted business environment that allows you to protect systems, users and data throughout your organization. Because PKI is the foundation of your machine identity management, it’s important to get it right. But it’s not always easy. There are many factors that can increase the complexity of your PKI—and the likelihood of making a mistake. For one, digital transformation continues to inspire an overwhelming growth in the number and complexity of machines. Plus, as you move to the cloud, you’ll need to extend PKI authentication to a growing range of web services, cloud instances and containers, as well as increasing numbers of industry-specific and IoT devices. And securing the vast numbers of keys and certificates that govern an ever-wider range of machine identities can challenge even the most dedicated PKI professionals. So, who can you turn to for clear guidance on the best practices and governance policies you need to manage PKI? We’d like to think it’s…well… us. That’s why we put together this eBook. We hope that by highlighting some of the things we’ve seen that can go terribly wrong with PKIs, you can learn from other people’s mistakes. And you’ll never have to go through the PKI pain that so many of your peers have endured.
4 Oops, I accidentally deleted my PKI! If your root-signing certificate authority (CA) goes offline for any reason, you’d better make sure that you know where it’s located. We know of a couple of organizations that have set up their root CA on a virtual machine and then allowed that machine to go dormant. When IT ops teams come along to tidy up dormant virtual machines, they inadvertently disable the entire PKI by deleting the virtual machine where the forgotten root CA was installed. If this happens, you will lose access to all machines that use certificates from the deleted internal CA. And if you rely solely on CA management or a homegrown solution to manage your PKI, this could take months to fix!
6 Where the heck are my wildcard certificates anyway? Wildcard certificates are so easy to use that they are often used indiscriminately—so indiscriminately that many organizations don’t track them. So, when wildcard certificates expire, they don’t know which machines are using which wildcard certificates. That makes it nearly impossible to renew them all before they expire. When a wildcard certificates expires, every machine where it is installed will stop communicating at the same time. And it will take hours of precious time and resources to track them all down and reinstall new certificates. And, of course, Murphy’s Law dictates this will happen at the worst possible time.
9 So what if I used a production certificate for dev testing? It’s tempting to “help” application developers by issuing them production certificates to test new or updated apps. This may seem like an easier alternative than trying to force them to use test certificates issued specifically for that purpose and slowing down the development process. But this goodwill gesture can backfire. It’s all too easy to quickly lose track of where these certificates are being used and suffer the potential damage they may cause when they expire—or fall into the wrong hands. Production certificates grant full privileges to those who can access them. So, if a cybercriminal gains access to your development environment, they could use that production certificate to pivot across your organization. They would then be able to impersonate, eavesdrop on or monitor your infrastructure, cloud or mobile devices.
11 Live long and prosper (not): certificates with random lifespans! Managing certificates manually can be time and resource intensive. Many organizations are still using spreadsheets, internal scripts or CA dashboards with limited functionality. These basic tools make it extremely hard to keep track of when each certificate is going to expire and every location where it’s being used. So, it’s pretty tempting to try to eliminate this problem by extending certificate expiration periods. Why not issue a certificate that lasts, say, 99 years? In theory, you won’t have to worry about rotating them in this lifetime. Right? Not so fast. This hack may save you some time, but it does so at the expense of increasing your organizational security risk. Longer lifespans simply give attackers more time to hack the private keys for those certificates. Even three-, five- or ten- year certificates will put your organization at greater risk.
12 Dang. I forgot that I left the key under the mat! It’s important to use a password manager for shared administrative controls, but other password security best practices need to be used as well. Unfortunately, admins who actively protect all kinds of controls for the rest of the IT infrastructure often keep things like CA credentials on Notepad or another plaintext app where anyone can access them. If your admins store credentials on handwritten notes in a desk drawer or under a keyboard, it’s like leaving the keys to the kingdom under the mat. These controls are vital to your organization’s security, and if you fail to use proper password hygiene, your organization’s security is at risk. Nobody wants to make that mistake.
14 Who needs a governance framework for PKI anyway? Do you have an established PKI governance program? Or has it just “evolved” organically over the years, like in so many companies? Lots of organizations use repurposed IT hardware—including servers and desktop computers—but they never update the old keys and certificates on these devices. This is especially common in organizations that don’t have an established set of PKI security controls they regularly audit. Any kind of rogue certificate in your network is like an open invitation for abuse. A haphazard approach to building your PKI can significantly increase the risk of certificate outages and weak, vulnerable or misconfigured certificates.
17 What do you mean I have too many CAs? How many CAs does your company use? Okay, what about internal CAs? It’s easy to add another one, but the number of CAs in many organizations can easily spin out of control. We’ve spoken to companies that were using more than 17 different CAs. That’s just too many options for novice or occasional certificate users, and it makes it very hard for the PKI team to get a holistic view of PKI security. Without any guidance about which type of certificate is best for a given purpose, certificate users will often make the wrong choice. Or, worse, they decide to set up a new, unauthorized CA and issue their own certificates. Without clear governance, it’s not all that surprising that many organizations end up using certificates that increase security and operational risks. Trying to impose order on this kind of chaos involves cleaning up hundreds of certificates from unauthorized CAs as well as finding and replacing certificates that don’t meet security policies or compliance requirements.
19 We don’t need no (substantive PKI) education! Unfortunately, the ABCs of PKI aren’t taught in most cybersecurity programs. Moreover, many organizations have a hard time vetting employees’ PKI resumes before letting them work with the keys and certificates that serve as machine identities for their critical infrastructure. We’ve even seen some large financial institutions hire data-entry people to work on their PKI teams because they “have an interest in security.” When you entrust keys and certificates to people who don’t understand these critical security assets, the possibilities for what can go wrong are endless. And the money you save on staffing can quickly be outstripped by the work required to fix the inevitable problems that will crop up as a result of inexperience.
20 Okay. Whose turn was it to clean up our PKI? If you’ve got someone who doesn’t understand PKI, chances are they’re eventually going to do some unwise things due to a lack of experience. For example, it’s pretty common for an administrator to try to install a certificate on an Exchange server, but they don’t really understand where it should go. They may eventually put the certificate in the right place— but what about all the other places they tried to put it that didn’t work? Were those instances properly deleted? Or are they littered across that server, giving bad guys plenty of opportunities to find and abuse them? Any certificate that’s outside of your visibility is one that will probably come back to haunt you.
22 I thought they were just trying to help me with my private key! The bad guys know that most organizations don’t really understand PKI, so they stand up websites that offer to “validate” private keys; all the user has to do is paste the key into a form. Some of these sites even offer to generate a private key for the unwary! These websites look legitimate, but their intent is to give bad guys access to the private keys for any machine using the corresponding certificate. It’s easy to understand how this can happen. Most employees just don’t understand the critical role that machine identities play in your overall security posture. They might appreciate it more if you tell them that sharing a private key with anyone is like giving bad guys the PIN code for your business bank account.
25 It turns out we were teaching employees to be phished! When certificates have security issues, browsers issue warnings. It could be that the certificate was generated from an untrusted certificate authority, or it has an invalid date or the name on the certificate doesn’t match the site. Although these warnings flag important security issues, PKI teams often let the warning messages persist. If their organization’s workforces see these warnings all the time, they become conditioned to click through them in order to get their work done. But these security warnings are important. They help to flag malicious sites, such as phishing sites that often use certificates that don’t match domains. So, organizations that don’t fix these certificate issues and inadvertently encourage their workers to click past security warnings may well be training their users to be perfect targets for phishing exploits.
26
27 Here’s how you can easily fix your PKI problems Automating routine business operations requires a growing number of machines on every enterprise network. Yet businesses are just beginning to build programs that safeguard the identities of machines that control the flow of sensitive data within their organizations. So, you have two choices. You can stick with the status quo and keep your fingers crossed. Or you can eliminate human error by investing in a program that gives you the visibility, intelligence and automation you need to maintain a worry-free PKI. It’s all too easy to make mistakes with your PKI that have serious implications for your business, but Venafi can help. Contact us for more information on how to make it easy to do PKI the right way. venafi.com
© 2022 Venafi, Inc. All rights reserved. Venafi is the cybersecurity market leader in machine identity management, securing the cryptographic keys and digital certificates on which every business and government depends to deliver safe machine-to-machine communication. Organizations use Venafi key and certificate security to protect communications, commerce, critical systems and data, and mobile and user access. To learn more, visit venafi.com 28

Recommended

Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)
Avirot Mitamura
 
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ..."Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
PROIDEA
 
The Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL CertificatesThe Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL Certificates
CheapSSLsecurity
 
The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates
RapidSSLOnline.com
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of Mediocrity
T.Rob Wyatt
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
JUSTSTYLISH3B2MOHALI
 
Easing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEasing the Pains of Certificate Management
Easing the Pains of Certificate Management
Entrust Datacard
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...
Brianna Johnson
 

Recommended

Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)Digital certificate management v1 (Draft)
Digital certificate management v1 (Draft)
Avirot Mitamura
 
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ..."Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
PROIDEA
 
The Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL CertificatesThe Hidden Costs of Self-Signed SSL Certificates
The Hidden Costs of Self-Signed SSL Certificates
CheapSSLsecurity
 
The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates The Hidden Costs of SelfSigned SSL Certificates
The Hidden Costs of SelfSigned SSL Certificates
RapidSSLOnline.com
 
Build and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of MediocrityBuild and Operate Your Own Certificate Management Center of Mediocrity
Build and Operate Your Own Certificate Management Center of Mediocrity
T.Rob Wyatt
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
JUSTSTYLISH3B2MOHALI
 
Easing the Pains of Certificate Management
Easing the Pains of Certificate ManagementEasing the Pains of Certificate Management
Easing the Pains of Certificate Management
Entrust Datacard
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...
Brianna Johnson
 
Meeting Mobile and BYOD Security Challenges
Meeting Mobile and BYOD Security ChallengesMeeting Mobile and BYOD Security Challenges
Meeting Mobile and BYOD Security Challenges
Symantec
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
DevOps.com
 
C02
C02C02
C02
newbie2019
 
PKI - The Backbone of Digital Signatures - DrySign by Exela
PKI - The Backbone of Digital Signatures - DrySign by ExelaPKI - The Backbone of Digital Signatures - DrySign by Exela
PKI - The Backbone of Digital Signatures - DrySign by Exela
Drysign By Exela
 
Finding Your Lost Keys
Finding Your Lost KeysFinding Your Lost Keys
Finding Your Lost Keys
trueidentity
 
Certificate Management Made Easy
Certificate Management Made EasyCertificate Management Made Easy
Certificate Management Made Easy
Jason Newell
 
Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructure
Aditya Nama
 
Visitor management system
Visitor management systemVisitor management system
Visitor management system
mikeecholscyber
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
centralohioissa
 
Attributable Networks - Guardtime Whitepaper
Attributable Networks - Guardtime WhitepaperAttributable Networks - Guardtime Whitepaper
Attributable Networks - Guardtime Whitepaper
Martin Ruubel
 
Is web security part of your annual security audit
Is web security part of your annual security auditIs web security part of your annual security audit
Is web security part of your annual security audit
Dianne Douglas
 
The Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonlineThe Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonline
RapidSSLOnline.com
 
technology
technologytechnology
technology
nomber8
 
Cryptography Inventory
Cryptography Inventory Cryptography Inventory
Cryptography Inventory
The Cryptography Centre For Excellence
 
Backup of FinalExam-EssayQ-Mon
Backup of FinalExam-EssayQ-MonBackup of FinalExam-EssayQ-Mon
Backup of FinalExam-EssayQ-Mon
Fares Sharif
 
The Best Practice with Code Signing Certificates - CodeSignCert.com
The Best Practice with Code Signing Certificates - CodeSignCert.comThe Best Practice with Code Signing Certificates - CodeSignCert.com
The Best Practice with Code Signing Certificates - CodeSignCert.com
Kayra Obrain
 
idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!
idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!
idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!
Identive
 
How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?
mirmaisam
 
Whole Process PPT of LC-Latest.pptx
Whole Process PPT of LC-Latest.pptxWhole Process PPT of LC-Latest.pptx
Whole Process PPT of LC-Latest.pptx
LearningChain
 
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy GoalsIRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET Journal
 
Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
nandhinijagan9867
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
rajveerescorts2022
 

More Related Content

Similar to eBook_PKI-AreYouDoingItWrong2022-f.pdf

PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
DevOps.com
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
centralohioissa
 
Attributable Networks - Guardtime Whitepaper
Attributable Networks - Guardtime WhitepaperAttributable Networks - Guardtime Whitepaper
Attributable Networks - Guardtime Whitepaper
Martin Ruubel
 
Is web security part of your annual security audit
Is web security part of your annual security auditIs web security part of your annual security audit
Is web security part of your annual security audit
Dianne Douglas
 
Backup of FinalExam-EssayQ-Mon
Backup of FinalExam-EssayQ-MonBackup of FinalExam-EssayQ-Mon
Backup of FinalExam-EssayQ-Mon
Fares Sharif
 
How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?
mirmaisam
 

Similar to eBook_PKI-AreYouDoingItWrong2022-f.pdf (20)

Meeting Mobile and BYOD Security Challenges
Meeting Mobile and BYOD Security ChallengesMeeting Mobile and BYOD Security Challenges
Meeting Mobile and BYOD Security Challenges
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
 
C02
C02C02
C02
 
PKI - The Backbone of Digital Signatures - DrySign by Exela
PKI - The Backbone of Digital Signatures - DrySign by ExelaPKI - The Backbone of Digital Signatures - DrySign by Exela
PKI - The Backbone of Digital Signatures - DrySign by Exela
 
Finding Your Lost Keys
Finding Your Lost KeysFinding Your Lost Keys
Finding Your Lost Keys
 
Certificate Management Made Easy
Certificate Management Made EasyCertificate Management Made Easy
Certificate Management Made Easy
 
Public key infrastructure
Public key infrastructurePublic key infrastructure
Public key infrastructure
 
Visitor management system
Visitor management systemVisitor management system
Visitor management system
 
Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?Kent King - PKI: Do You Know Your Exposure?
Kent King - PKI: Do You Know Your Exposure?
 
Attributable Networks - Guardtime Whitepaper
Attributable Networks - Guardtime WhitepaperAttributable Networks - Guardtime Whitepaper
Attributable Networks - Guardtime Whitepaper
 
Is web security part of your annual security audit
Is web security part of your annual security auditIs web security part of your annual security audit
Is web security part of your annual security audit
 
The Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonlineThe Best Practices of Symantec Code Signing - RapidSSLonline
The Best Practices of Symantec Code Signing - RapidSSLonline
 
technology
technologytechnology
technology
 
Cryptography Inventory
Cryptography Inventory Cryptography Inventory
Cryptography Inventory
 
Backup of FinalExam-EssayQ-Mon
Backup of FinalExam-EssayQ-MonBackup of FinalExam-EssayQ-Mon
Backup of FinalExam-EssayQ-Mon
 
The Best Practice with Code Signing Certificates - CodeSignCert.com
The Best Practice with Code Signing Certificates - CodeSignCert.comThe Best Practice with Code Signing Certificates - CodeSignCert.com
The Best Practice with Code Signing Certificates - CodeSignCert.com
 
idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!
idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!
idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!
 
How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?How EverTrust Horizon PKI Automation can help your business?
How EverTrust Horizon PKI Automation can help your business?
 
Whole Process PPT of LC-Latest.pptx
Whole Process PPT of LC-Latest.pptxWhole Process PPT of LC-Latest.pptx
Whole Process PPT of LC-Latest.pptx
 
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy GoalsIRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
 

Recently uploaded

👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
rajveerescorts2022
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
dlhescort
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Damini Dixit
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
dollysharma2066
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
Aggregage
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
kapoorjyoti4444
 
Call Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂Escort
Call Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂EscortCall Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂Escort
Call Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂Escort
dlhescort
 
Malegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Malegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort ServiceMalegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Malegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Damini Dixit
 
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Sheetaleventcompany
 

Recently uploaded (20)

Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in indiaFalcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business Potential
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLBAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
BAGALUR CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)- A new venture conceptBusiness Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)- A new venture concept
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Call Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂Escort
Call Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂EscortCall Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂Escort
Call Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂Escort
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
Malegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Malegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort ServiceMalegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
Malegaon Call Girls Service ☎ ️82500–77686 ☎️ Enjoy 24/7 Escort Service
 
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 

eBook_PKI-AreYouDoingItWrong2022-f.pdf

  • 2.
  • 3. 3 PKI mistakes can be hazardous to your machine identity management Public key infrastructure (PKI) is the set of hardware, software, policies, processes and procedures you need to create, store and manage digital certificates and public keys. A well-managed PKI will help you create a secure and trusted business environment that allows you to protect systems, users and data throughout your organization. Because PKI is the foundation of your machine identity management, it’s important to get it right. But it’s not always easy. There are many factors that can increase the complexity of your PKI—and the likelihood of making a mistake. For one, digital transformation continues to inspire an overwhelming growth in the number and complexity of machines. Plus, as you move to the cloud, you’ll need to extend PKI authentication to a growing range of web services, cloud instances and containers, as well as increasing numbers of industry-specific and IoT devices. And securing the vast numbers of keys and certificates that govern an ever-wider range of machine identities can challenge even the most dedicated PKI professionals. So, who can you turn to for clear guidance on the best practices and governance policies you need to manage PKI? We’d like to think it’s…well… us. That’s why we put together this eBook. We hope that by highlighting some of the things we’ve seen that can go terribly wrong with PKIs, you can learn from other people’s mistakes. And you’ll never have to go through the PKI pain that so many of your peers have endured.
  • 4. 4 Oops, I accidentally deleted my PKI! If your root-signing certificate authority (CA) goes offline for any reason, you’d better make sure that you know where it’s located. We know of a couple of organizations that have set up their root CA on a virtual machine and then allowed that machine to go dormant. When IT ops teams come along to tidy up dormant virtual machines, they inadvertently disable the entire PKI by deleting the virtual machine where the forgotten root CA was installed. If this happens, you will lose access to all machines that use certificates from the deleted internal CA. And if you rely solely on CA management or a homegrown solution to manage your PKI, this could take months to fix!
  • 5.
  • 6. 6 Where the heck are my wildcard certificates anyway? Wildcard certificates are so easy to use that they are often used indiscriminately—so indiscriminately that many organizations don’t track them. So, when wildcard certificates expire, they don’t know which machines are using which wildcard certificates. That makes it nearly impossible to renew them all before they expire. When a wildcard certificates expires, every machine where it is installed will stop communicating at the same time. And it will take hours of precious time and resources to track them all down and reinstall new certificates. And, of course, Murphy’s Law dictates this will happen at the worst possible time.
  • 7.
  • 8.
  • 9. 9 So what if I used a production certificate for dev testing? It’s tempting to “help” application developers by issuing them production certificates to test new or updated apps. This may seem like an easier alternative than trying to force them to use test certificates issued specifically for that purpose and slowing down the development process. But this goodwill gesture can backfire. It’s all too easy to quickly lose track of where these certificates are being used and suffer the potential damage they may cause when they expire—or fall into the wrong hands. Production certificates grant full privileges to those who can access them. So, if a cybercriminal gains access to your development environment, they could use that production certificate to pivot across your organization. They would then be able to impersonate, eavesdrop on or monitor your infrastructure, cloud or mobile devices.
  • 10.
  • 11. 11 Live long and prosper (not): certificates with random lifespans! Managing certificates manually can be time and resource intensive. Many organizations are still using spreadsheets, internal scripts or CA dashboards with limited functionality. These basic tools make it extremely hard to keep track of when each certificate is going to expire and every location where it’s being used. So, it’s pretty tempting to try to eliminate this problem by extending certificate expiration periods. Why not issue a certificate that lasts, say, 99 years? In theory, you won’t have to worry about rotating them in this lifetime. Right? Not so fast. This hack may save you some time, but it does so at the expense of increasing your organizational security risk. Longer lifespans simply give attackers more time to hack the private keys for those certificates. Even three-, five- or ten- year certificates will put your organization at greater risk.
  • 12. 12 Dang. I forgot that I left the key under the mat! It’s important to use a password manager for shared administrative controls, but other password security best practices need to be used as well. Unfortunately, admins who actively protect all kinds of controls for the rest of the IT infrastructure often keep things like CA credentials on Notepad or another plaintext app where anyone can access them. If your admins store credentials on handwritten notes in a desk drawer or under a keyboard, it’s like leaving the keys to the kingdom under the mat. These controls are vital to your organization’s security, and if you fail to use proper password hygiene, your organization’s security is at risk. Nobody wants to make that mistake.
  • 13.
  • 14. 14 Who needs a governance framework for PKI anyway? Do you have an established PKI governance program? Or has it just “evolved” organically over the years, like in so many companies? Lots of organizations use repurposed IT hardware—including servers and desktop computers—but they never update the old keys and certificates on these devices. This is especially common in organizations that don’t have an established set of PKI security controls they regularly audit. Any kind of rogue certificate in your network is like an open invitation for abuse. A haphazard approach to building your PKI can significantly increase the risk of certificate outages and weak, vulnerable or misconfigured certificates.
  • 15.
  • 16.
  • 17. 17 What do you mean I have too many CAs? How many CAs does your company use? Okay, what about internal CAs? It’s easy to add another one, but the number of CAs in many organizations can easily spin out of control. We’ve spoken to companies that were using more than 17 different CAs. That’s just too many options for novice or occasional certificate users, and it makes it very hard for the PKI team to get a holistic view of PKI security. Without any guidance about which type of certificate is best for a given purpose, certificate users will often make the wrong choice. Or, worse, they decide to set up a new, unauthorized CA and issue their own certificates. Without clear governance, it’s not all that surprising that many organizations end up using certificates that increase security and operational risks. Trying to impose order on this kind of chaos involves cleaning up hundreds of certificates from unauthorized CAs as well as finding and replacing certificates that don’t meet security policies or compliance requirements.
  • 18.
  • 19. 19 We don’t need no (substantive PKI) education! Unfortunately, the ABCs of PKI aren’t taught in most cybersecurity programs. Moreover, many organizations have a hard time vetting employees’ PKI resumes before letting them work with the keys and certificates that serve as machine identities for their critical infrastructure. We’ve even seen some large financial institutions hire data-entry people to work on their PKI teams because they “have an interest in security.” When you entrust keys and certificates to people who don’t understand these critical security assets, the possibilities for what can go wrong are endless. And the money you save on staffing can quickly be outstripped by the work required to fix the inevitable problems that will crop up as a result of inexperience.
  • 20. 20 Okay. Whose turn was it to clean up our PKI? If you’ve got someone who doesn’t understand PKI, chances are they’re eventually going to do some unwise things due to a lack of experience. For example, it’s pretty common for an administrator to try to install a certificate on an Exchange server, but they don’t really understand where it should go. They may eventually put the certificate in the right place— but what about all the other places they tried to put it that didn’t work? Were those instances properly deleted? Or are they littered across that server, giving bad guys plenty of opportunities to find and abuse them? Any certificate that’s outside of your visibility is one that will probably come back to haunt you.
  • 21.
  • 22. 22 I thought they were just trying to help me with my private key! The bad guys know that most organizations don’t really understand PKI, so they stand up websites that offer to “validate” private keys; all the user has to do is paste the key into a form. Some of these sites even offer to generate a private key for the unwary! These websites look legitimate, but their intent is to give bad guys access to the private keys for any machine using the corresponding certificate. It’s easy to understand how this can happen. Most employees just don’t understand the critical role that machine identities play in your overall security posture. They might appreciate it more if you tell them that sharing a private key with anyone is like giving bad guys the PIN code for your business bank account.
  • 23.
  • 24.
  • 25. 25 It turns out we were teaching employees to be phished! When certificates have security issues, browsers issue warnings. It could be that the certificate was generated from an untrusted certificate authority, or it has an invalid date or the name on the certificate doesn’t match the site. Although these warnings flag important security issues, PKI teams often let the warning messages persist. If their organization’s workforces see these warnings all the time, they become conditioned to click through them in order to get their work done. But these security warnings are important. They help to flag malicious sites, such as phishing sites that often use certificates that don’t match domains. So, organizations that don’t fix these certificate issues and inadvertently encourage their workers to click past security warnings may well be training their users to be perfect targets for phishing exploits.
  • 26. 26
  • 27. 27 Here’s how you can easily fix your PKI problems Automating routine business operations requires a growing number of machines on every enterprise network. Yet businesses are just beginning to build programs that safeguard the identities of machines that control the flow of sensitive data within their organizations. So, you have two choices. You can stick with the status quo and keep your fingers crossed. Or you can eliminate human error by investing in a program that gives you the visibility, intelligence and automation you need to maintain a worry-free PKI. It’s all too easy to make mistakes with your PKI that have serious implications for your business, but Venafi can help. Contact us for more information on how to make it easy to do PKI the right way. venafi.com
  • 28. © 2022 Venafi, Inc. All rights reserved. Venafi is the cybersecurity market leader in machine identity management, securing the cryptographic keys and digital certificates on which every business and government depends to deliver safe machine-to-machine communication. Organizations use Venafi key and certificate security to protect communications, commerce, critical systems and data, and mobile and user access. To learn more, visit venafi.com 28