How to choose a certificate management tool


Many years ago, Madonna sang about sharing her secrets with us. While the IT version may not be as entertaining as what was discussed in that song, there are still important reasons to understand your corporate encryption secrets and how they are provisioned, managed and deployed. The tools to do this go by various monikers, including SSL/TLS certificate or key management tools, machine identity management, or PKI as a service.

These secrets are found all over the IT map: certs for servers and for applications, certs that encrypt your email messages, certs that authenticate connections to IoT devices, certs that authorize edits to a piece of code, and certs that give user identities access to a particular shared resource. For example, certs are commonly used to encrypt web and database traffic across the internet, protecting those applications from man-in-the-middle attacks and other compromises.

That adds up to a lot of certs to keep track of: the typical business has to deal with hundreds, if not tens of thousands, of individual certs. Another example: the typical web server has a choice of three different types of SSL certs. What is worse is that these certs are designed to expire periodically (typically after a year), so renewals need to be done in a timely fashion, which in practice means using automation tools.

Managing certificates

An earlier CSO article provided best practices for managing these certs. It has links to free testing tools for your SSL infrastructure and other suggestions on how to deploy and manage your certs, including specifics for managing Windows application and user certs. If you are new to the world of certs, you might want to start with some of these tutorials, which give a better overview of the issues and of how the components all fit together:

This management capability isn’t the same as running a certificate authority (CA) to create the actual certs themselves, although some of the CAs, such as Digicert, Sectigo, GlobalSign and Entrust, offer management as one of their additional services. Management is needed because the CA options are numerous: running your own internal root CA, hosting a private CA on some managed service, using a public CA, or mixing private CAs on a public cloud.

Most enterprises have certs from a variety of sources, and keeping track of them (when they expire, what they cover, whether they have been provisioned properly) isn’t an easy job. Ideally, you will want to use some kind of automation to ensure that the keys and secrets are properly protected, so that your protection scales up as you deploy more servers and applications that depend on these secrets. Gaps in this tracking are why so many hackers are successful at breaching networks: they find weak or unprotected servers to compromise. You’ll want a tool that automates the provisioning and revocation of certificates, tracks lifecycle management, provides irrefutable logs for security audits and integrates with other back-end security applications.
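The expiry tracking described above is the simplest part of lifecycle management to automate, and it is the part whose absence most often shows up as an outage or a long-expired cert nobody noticed. The following is an added example, not code from the article or from any of the vendors it names: a stdlib-only Python script that walks the DER structure of an X.509 certificate far enough to read its validity period, then reports which certs in an inventory are expired or due for renewal. The inventory and the certs in it are constructed for the example (unsigned skeletons with placeholder names and algorithms, built with the same DER helpers); a real DER certificate has the same layout (RFC 5280, section 4.1), so `parse_validity()` applies to it unchanged. The hostnames and the 30-day renewal window are assumptions.

```python
"""Certificate expiry inventory: minimal DER walk for the X.509 validity period."""
from datetime import datetime, timezone

# ASN.1/DER tags used below
INTEGER, BIT_STRING, UTC_TIME, GENERALIZED_TIME, SEQUENCE, CONTEXT_0 = 0x02, 0x03, 0x17, 0x18, 0x30, 0xA0


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _encode_tlv(tag, value):
    """Encode one DER TLV (definite length, up to 65535 bytes)."""
    n = len(value)
    if n < 0x80:
        header = bytes([n])
    elif n < 0x100:
        header = bytes([0x81, n])
    else:
        header = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + header + value


def _decode_time(tag, value):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) to an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == UTC_TIME:                     # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    elif tag != GENERALIZED_TIME:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = _read_tlv(cert, 0)          # TBSCertificate ::= SEQUENCE { ... }
    tag, _, pos = _read_tlv(tbs, 0)         # version [0] EXPLICIT is OPTIONAL (absent in v1 certs)
    if tag != CONTEXT_0:
        pos = 0
    _, _, pos = _read_tlv(tbs, pos)         # serialNumber
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)    # validity ::= SEQUENCE { notBefore, notAfter }
    tag_nb, nb, pos = _read_tlv(validity, 0)
    tag_na, na, _ = _read_tlv(validity, pos)
    return _decode_time(tag_nb, nb), _decode_time(tag_na, na)


def _as_utc(date_iso):
    return datetime.fromisoformat(date_iso).replace(tzinfo=timezone.utc)


def _encode_time(dt):
    """RFC 5280 4.1.2.5: UTCTime through 2049, GeneralizedTime from 2050 on."""
    if dt.year <= 2049:
        return _encode_tlv(UTC_TIME, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _encode_tlv(GENERALIZED_TIME, dt.strftime("%Y%m%d%H%M%SZ").encode())


def build_sample_cert(not_before_iso, not_after_iso):
    """Constructed, unsigned certificate skeleton for testing (placeholders for names and algorithms)."""
    validity = _encode_time(_as_utc(not_before_iso)) + _encode_time(_as_utc(not_after_iso))
    tbs = (
        _encode_tlv(CONTEXT_0, _encode_tlv(INTEGER, b"\x02"))   # version v3
        + _encode_tlv(INTEGER, b"\x01")                         # serialNumber
        + _encode_tlv(SEQUENCE, b"")                            # signature algorithm (placeholder)
        + _encode_tlv(SEQUENCE, b"")                            # issuer (placeholder)
        + _encode_tlv(SEQUENCE, validity)                       # validity
        + _encode_tlv(SEQUENCE, b"")                            # subject (placeholder)
    )
    return _encode_tlv(SEQUENCE, _encode_tlv(SEQUENCE, tbs) + _encode_tlv(SEQUENCE, b"") + _encode_tlv(BIT_STRING, b"\x00"))


def expiry_report(inventory, now_iso, warn_days=30):
    """inventory: {name: der_bytes}. Returns [(name, days_left, status)], soonest expiry first."""
    now = _as_utc(now_iso)
    rows = []
    for name, der in inventory.items():
        not_before, not_after = parse_validity(der)
        days_left = (not_after - now).days
        if now < not_before:
            status = "NOT_YET_VALID"
        elif days_left < 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "RENEW"
        else:
            status = "OK"
        rows.append((name, days_left, status))
    return sorted(rows, key=lambda row: row[1])


def sample_inventory():
    """Constructed inventory standing in for certs collected from servers and applications (assumed names)."""
    return {
        "www.example.test": build_sample_cert("2021-07-01", "2022-06-20"),
        "db.internal.example.test": build_sample_cert("2021-01-01", "2022-05-01"),
        "api.example.test": build_sample_cert("2022-01-01", "2023-01-01"),
        "iot-root-ca (private)": build_sample_cert("2022-07-01", "2050-01-01"),
    }


if __name__ == "__main__":
    for name, days_left, status in expiry_report(sample_inventory(), "2022-06-01"):
        print(f"{status:<14} {days_left:>6} days  {name}")
```

In production the inventory would be filled from real sources (the cert files on each server, the output of a TLS scan, the CA's issuance records) and the report fed to a ticketing or alerting system; the point of the example is that expiry is a property you can read directly off the certificate bytes, so there is no excuse for discovering it only when a service stops working.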

Copyright © 2022 IDG Communications, Inc.


