81% of organizations
experienced two or more disruptive outages caused by expired certificates
in the past 2 years.
On average, it takes 3 hours to recover from such outages. These outages have a
very direct impact on user experiences and company reputation.
Shorter certificate
lifecycles, increasing digital certificates, and unreliable certificate renewal
processes have made the certificate management processes much more challenging.
In this article, we have put together a certificate
management best practices
checklist to help you effectively manage certificates across their lifecycle
and prevent certificate-related outages.
Certificate
Management Best Practices Checklist
1. Prioritize
Visibility through Centralization of Certificate Management
One of the most
important items in any certificate management best practices checklist is
real-time visibility into and control over all digital certificates of the
organization. This helps ensure that you are not blindsided by expired
certificates, shadow certificates, rogue certificates, and so on, which hurt
the availability and reliability of infrastructure and services.
By leveraging a
centralized certificate management system like from Indusface,
you can effectively map all certificates, eliminate silos, monitor ownership,
installation, and expiry status, improve visibility into all your certificates,
and gain greater control over them. It is best to leverage certificate
management systems offered by trusted vendors/ Certificate Authorities (CAs)
rather than building your own to avoid technical and security challenges.
2. Discovery
and Inventorying
It is often through undetected,
unknown, insecure, and rogue certificates that attackers orchestrate TLS
attacks. To identify these certificates, you must regularly scan your entire
extended network, including the cloud and virtual instances, to identify all
certificates, map all the endpoints installed, gather ownership details, etc.
These scans should be performed daily during periods of low network traffic to
avoid network overload.
Further, you must
maintain an updated, centralized inventory by storing all insights from the
scans. You must categorize certificates to simplify operations. You can
categorize them based on the environment in which they are deployed or the
ownership hierarchy for easier tracking and alert escalation.
3. Leverage
Automation in Certificate Management
Automation enables
you to avoid the challenges of manually managing the increasing number of
certificates. Rudimentary methods such as spreadsheets and manual management
are not only time-consuming and arduous but error-prone and costly.
certificate
management solutions enable you to issue, install, renew, revoke , and secure
disposal of certificates. This way, you save the bandwidth of your IT teams
while avoiding the outages caused by expired and revoked, certificates, thus,
improving the availability of your services.
4. Proactively
Identify Vulnerabilities and Gaps
Another important
certificate management best practice checklist item is continuous scanning of
certificates and TLS implementations for vulnerabilities, gaps, and weaknesses
such as misconfigurations, OpenSSL
vulnerabilities, etc. scanning helps organizations proactively
identify and remediate such vulnerabilities.
From old TLS
versions and outdated hashing algorithms to insecure cipher suites and weak
keys, there are several vulnerabilities regarding digital certificates that
organizations must stay on top of. Organizations must perform crypto-agility
and TLS server tests to identify and remediate these issues.
5. Protect
Private Keys
Protecting private
keys is an important item on the certificate management best practices
checklist. People should not have direct, unlimited access to private keys.
Private keys must be encrypted at rest. Like CVV numbers on credit cards, they
should not be shared on multiple servers or users.
Ensure private keys
are not reused when certificates are reissued or renewed. Regardless of how you
store private keys, you must remove the human element in key management.
6. Implement
Granular Permissions
Following the
principle of least privileges, ensure that users have the absolute minimum
permissions necessary to carry out their role-based activities.
7. End-to-End
Monitoring is Important
Even when you have a
state-of-the-art certificate management system, you must continuously monitor
all your certificates. Reporting, logging, real-time alerts, and notifications
are extremely useful in monitoring and managing certificates effectively.
8. Verify
Compliance
Different compliance
frameworks, such as NIST, HIPAA, PCI-DSS, etc., have clear requirements with
respect to TLS certificates and encryption standards. Violation of/
non-compliance to these standards and best practices attracts large penalties
and reputational damage. That is why testing and verifying compliance with
different frameworks makes it to the certificate management best practices
checklist.
9. Certificate
Management Operational Policy
A well-defined
certificate management operational policy makes the process much smoother and more
effective. This policy defines the uses of digital certificates, ownership,
permission, approval and escalation workflows, primary and backup CAs,
purchase, renewal, and decommissioning processes.
10. Choose
the Right Certificates from a Trusted Certificate Authority (CA)
Always choose the
right certificates with the OV or EV validation from trusted CAs. It is best to
avoid self-signed certificates.
The
Way Forward
On average, the cost
of outages in Global 5000 companies costs USD 5600 per minute or
over USD 300,000 per hour; for larger networks, the costs are more than USD
500,000 per hour. Leverage this certificate management best practices checklist
to avoid such outages and stay on top of certificate management.