www.venafi.com IMPLEMENTING A SOLUTION FOR ASSURING KEYS AND CERTIFICATES

IMPLEMENTING A SOLUTION FOR ASSURING KEYS AND … · 2016-10-13 · As the threat landscape has evolved, many enterprises have not responded by reviewing or updating these policies



Introduction

SSL/TLS certificates and encryption keys are the foundation of an enterprise's security. SSL/TLS keys and certificates protect communication channels across the internet and throughout internal networks. Enterprises rely on encrypted communications to transact securely from the network edge to the endpoint because they can trust the identifying certificates on each end of the channel. This trust allows them to engage in the web transactions, such as e-commerce and online banking, that their consumers now rely on without a second thought about security.

Enterprises tend to take key and certificate management for granted once it has been successfully established. All too often it becomes a forgotten security program until an event such as an outage or breach occurs. This is largely because SSL/TLS keys and certificates are a challenge to manage without the right tools. The result is that most security programs rely on operations teams to manually inventory, deploy, revoke, and monitor hundreds if not thousands of keys and certificates through reactive processes. This lack of attention leaves security gaps. Almost all enterprises have rogue or misconfigured certificates that are unknown to operations teams; without a discovery tool they are blind to the potential threats of the unknown.

In addition, there is a blind trust of secured communications—they are assumed to be safe simply because they are encrypted. Even enterprises that invest in technologies to decrypt and inspect traffic face an uphill climb. They are burdened by the challenge of ensuring that their tools have access to all keys and certificates, especially those that are rogue and being leveraged by a malicious actor.

[Figure: Venafi Trust Protection Platform components: TrustNet, Agents, Policy, Reporting, Visibility, Workflow, Portals.]


Venafi can help enterprises regain control of their keys and certificates, making sure they work properly to safeguard mission-critical business communications. The Venafi Trust Protection Platform discovers and protects all keys and certificates in the datacenter, on desktops, on mobile and IoT devices, and in the cloud. This protection helps enterprises improve their security posture with increased visibility, threat intelligence, policy enforcement, and faster incident response for issues such as certificate-related outages and compromises that leverage misused keys and certificates.

The platform coordinates protection for all Venafi products and provides native integration with thousands of applications and common APIs for the extensive security ecosystem. The platform also automates the entire issuance and renewal process with policy enforcement and workflows that enable new encryption-dependent applications to be scaled quickly. Trust Protection Platform provides the automated tools that organizations need to stay secure, comply with standards, and quickly remediate key and certificate misuse.

Discovering the Blind Spots in the Enterprise

Expired digital certificates are a leading cause of major service interruptions and unplanned outages. Digital certificates provide a crucial security function by binding a public key to an identity so that the key can be used for cryptographic purposes, including digital signatures and encryption. Enterprises rely on both external and internal Certificate Authorities (CAs) to issue certificates; their risk postures and policies determine how long a certificate will be valid (weeks, months, or years) before it must be replaced or renewed.

Security policies that tolerate a larger risk profile typically set expiration dates as far out as possible in order to reduce the burden of managing expiring certificates and prevent service outages. As the threat landscape has evolved, many enterprises have not responded by reviewing or updating these policies, and typically do not do so until a security incident has been identified or, worse, has already taken place. Lacking a certificate management program and a strict lifecycle are strong indicators of a larger security problem. Enterprises that do not know where all their keys and certificates are (most large organizations have over 23,000, per the Ponemon Institute) cannot know who has control of them.

In a survey conducted by TechValidate on behalf of Venafi, most organizations (56%) reported using manual methods to manage certificates before turning to Venafi. According to research by the Ponemon Institute, the average enterprise employs more than 23,000 keys and certificates. It is virtually impossible to use manual methods to discover where all keys and certificates are located, how to secure and keep track of them, or when they will expire. In fact, the TechValidate survey also revealed that, after deploying Venafi, customers found over 16,500 previously unknown keys and certificates.


Defining a strict certificate lifecycle program is imperative, and starts with discovery and management of all keys and certificates. The first step is to define which teams are responsible for discovery and inventory of all keys and certificates. Most often today there are various internal teams with the permission to issue certificates from both internal and external CAs. In that case, you need to implement a solution that is robust enough to discover certificates issued from any CA.

To be able to recover from a compromised certificate or CA, it is critical to source internet-facing certificates from more than one trusted CA, not just a single CA. There is already an unfortunate history of internet CAs issuing trusted certificates to malicious actors. Accordingly, proper policy today requires investing in redundancy so that certificates from a compromised CA can be replaced with certificates from another.

The certificate lifecycle policy must also shorten validity periods to avoid the significant risks of certificates that are issued for extended periods of time. Shorter validity reduces security risk but may result in more outages unless the enterprise invests in a program that manages both expirations and validity. Some CAs offer services that attempt to solve this problem by providing certificate inventory and lifecycle management, but a certificate authority has no way of discovering or managing certificates that it did not issue, and therefore should not be relied upon for certificate management.

The Venafi Trust Protection platform can discover or enroll any certificate from any source. More importantly the platform can implement policies to secure the certificate lifecycle. As part of this platform, Venafi TrustAuthority features a high-performance network-based discovery system that enables organizations to discover SSL/TLS certificates rapidly across their enterprise environments. The discovery module performs this function by establishing connections via defined IP addresses and ports.


For discovery, administrators must configure one or more IP addresses, or an IP address range with one or more ports or port ranges. IP address and port entries can be manually entered via the Venafi TrustAuthority console or imported from a file. TrustAuthority enables administrators to create more targeted discoveries by gathering known, active addresses and ports from other sources, such as a port or vulnerability scanner. When viewing the certificates that have been discovered, administrators can select one or more certificates to bring under lifecycle management.

TrustAuthority can then begin monitoring and validating the certificates, keys, and the systems where they reside. The solution tracks and manages expiration dates for certificates and automatically sends notifications at configurable timeframes prior to expiration.

TrustAuthority provides fully customizable notifications to assure that administrators are informed and take action prior to expiration.
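The discovery step described above, connecting to a configured address range on a set of ports and recording the certificate each endpoint presents, as an added example in Go. It is not Venafi code and uses no Venafi API; the names Expand, TLSDialer, Discover and the Found record type, and the sample range 192.0.2.0/30, are this example's own assumptions. Chain verification is deliberately disabled during discovery: an inventory has to record the self-signed, expired and rogue certificates that verification would reject.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"os"
	"strconv"
	"time"
)

// Found is one discovery result (type constructed for this example). Failures
// are kept as rows so unreachable or non-TLS ports stay visible in the inventory.
type Found struct {
	Target string
	Cert   *x509.Certificate
	Err    error
}

// Dialer fetches the leaf certificate presented at host:port; injecting it
// keeps Discover testable without a network.
type Dialer func(target string) (*x509.Certificate, error)

// TLSDialer performs a real handshake. Verification is disabled on purpose:
// discovery must record self-signed, expired and rogue certificates instead of
// rejecting them, and no application data is ever sent over the connection.
func TLSDialer(timeout time.Duration) Dialer {
	return func(target string) (*x509.Certificate, error) {
		conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", target,
			&tls.Config{InsecureSkipVerify: true})
		if err != nil {
			return nil, err
		}
		defer conn.Close()
		if certs := conn.ConnectionState().PeerCertificates; len(certs) > 0 {
			return certs[0], nil
		}
		return nil, fmt.Errorf("no certificate presented")
	}
}

// Expand turns a single host or a CIDR block plus a port list into host:port
// targets, the same input shape as the console's address and port ranges.
func Expand(hostOrCIDR string, ports []int) (targets []string) {
	hosts := []string{hostOrCIDR}
	if ip, ipnet, err := net.ParseCIDR(hostOrCIDR); err == nil {
		hosts = nil
		for ip = ip.Mask(ipnet.Mask); ipnet.Contains(ip); ip = nextIP(ip) {
			hosts = append(hosts, ip.String())
		}
	}
	for _, h := range hosts {
		for _, p := range ports {
			targets = append(targets, net.JoinHostPort(h, strconv.Itoa(p)))
		}
	}
	return targets
}

func nextIP(ip net.IP) net.IP { // increment with carry, on a copy
	next := append(net.IP(nil), ip...)
	for i := len(next) - 1; i >= 0; i-- {
		if next[i]++; next[i] != 0 {
			break
		}
	}
	return next
}

// Discover connects to every target and records what it finds.
func Discover(targets []string, dial Dialer) (out []Found) {
	for _, t := range targets {
		c, err := dial(t)
		out = append(out, Found{Target: t, Cert: c, Err: err})
	}
	return out
}

// Usage: go run discover.go 192.0.2.0/30 443 8443
func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: discover <host|CIDR> <port> [port...]")
		os.Exit(2)
	}
	var ports []int
	for _, a := range os.Args[2:] {
		if p, err := strconv.Atoi(a); err == nil {
			ports = append(ports, p)
		}
	}
	for _, f := range Discover(Expand(os.Args[1], ports), TLSDialer(3*time.Second)) {
		if f.Err != nil {
			fmt.Printf("%-22s %v\n", f.Target, f.Err)
			continue
		}
		fmt.Printf("%-22s CN=%q issuer=%q sig=%s expires=%s\n", f.Target, f.Cert.Subject.CommonName,
			f.Cert.Issuer.CommonName, f.Cert.SignatureAlgorithm, f.Cert.NotAfter.Format("2006-01-02"))
	}
}
```

Expand walks every address in the block, so scope ranges the way the text recommends: feed it a port scanner's list of live hosts rather than a whole /16 (65,536 addresses per port). The dial timeout keeps dead hosts from stalling the run; a production scanner would also work targets concurrently and keep the full chain rather than only the leaf.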


Once certificates are brought under management, administrators can select the policy where they will be placed. This enables administrators to group and organize discovered certificates according to organizational needs and policies. Once the initial inventory is dealt with, only newly discovered certificates will appear on the list and can be handled quickly and easily.

Validating certificates may be the single most important phase of the certificate lifecycle. Validation ensures that certificates are not only correctly installed, configured, and working properly, but also checked for compliance with security policies. It is critical that each and every certificate that has been deployed is accounted for; this level of intelligence is required for a low-risk security posture. Yet, if done manually, it will consume a great deal of time and effort.

[Figure: policy tree with inherited values. Root Policy Object: 2048-bit key. Policy A: Cert Contact JDandy; CA Template Objects: Microsoft Enterprise. Policy B: Cert Contact BLarson; CA Template Objects: VeriSign EV, VeriSign MPKI Standard SSL; 4096-bit key, encryption. Certificate objects www.abc.com, www.abc.biz and mail.abc.com sit under these policies, each tied to an application (GSK, IIS) and a device (IBM, IBM, Microsoft). Legend: locked policy value, unlocked policy value, object-level value.]


Venafi Trust Protection Platform can enforce certificate policies for all new and imported certificates. It provides a centralized location for certificate creation that can authenticate users and restrict certificate creation based on defined policies. This reduces the risk of rogue certificates being created outside the approved process and ensures that only authorized users create certificates that meet security requirements.

Detecting and identifying encrypted threats

Whether they are internally or externally developed, enterprises are burdened with securing communications for applications with SSL/TLS encryption to protect customer privacy and secure intellectual property. SSL-encrypted traffic represents an increasing share of enterprise network traffic and continues to grow every year. As a result, cybercriminals have the perfect attack vector, hiding in encrypted traffic where most organizations cannot detect malicious activity.

According to Gartner, by 2017, 50% of network attacks will use SSL. SSL/TLS is being used against enterprises to deliver malware undetected, to listen in on private conversations, to disrupt secured transactions, and to extract data over encrypted communication channels. Most organizations lack the ability to inspect and decrypt SSL communications to assess these SSL threats. This failure to secure all keys and certificates and decrypt traffic causes blind spots and undermines existing security controls.

The ability to quickly inspect and decrypt SSL traffic to detect threats in real time is imperative. In order to eliminate blind spots within encrypted traffic, you need to be able to secure the keys and certificates. Otherwise other security controls become less effective and leave the door open to cybercriminals.

Enterprises need to maximize the amount of inbound and outbound encrypted traffic that can be inspected and decrypted to provide visibility into SSL threats. They can gain this visibility by detecting all keys and certificates within the enterprise and ensuring automatic, secure delivery of key and certificates. Eliminating blind spots from encrypted traffic, while protecting all keys and certificates helps to strengthen overall security controls such as NGFW, IDS/IPS and DLP.

Most enterprises do not realize that their existing layered security defenses are blind to encrypted traffic and therefore are less effective at reducing risk. Securing and protecting all keys and certificates helps enterprises to strengthen layered security defenses and protects them against trust-based attacks.


Leveraging applications and appliances to decrypt and inspect traffic is a challenge, due largely to the impact and demands of scaling enterprise communications through these solutions. In addition, provisioning and installing the keys and certificates required to secure, decrypt, and inspect traffic is a completely different challenge. Using manual processes to accomplish all of this requires an enormous amount of dedicated resources and arduous change control that simply is not scalable for most enterprises.

TrustAuthority works together with Venafi TrustForce to detect, provision, and install certificates while enforcing security policies such as key length, encryption algorithm, and expiration dates. TrustForce can provision and install certificates into both in-house applications and commercial products. This frees valuable resources to focus on more important issues such as evaluating decrypted traffic to gain a more complete visibility into SSL threats and eliminating blind spots.

[Figure: integration with SSL inspection/decryption appliances. The Venafi Trust Protection Platform detects all keys and certificates, enforces policies, and securely delivers keys and certificates to the SSL server; the SSL session between the end user and the SSL server is established, inspected by the security device (FW/IDS/DLP) and forwarded to security tools.]

Automating the assurance of keys and certificates

The foundation of enterprise security is built upon the assurance of identifying each and every transaction taking place, whether it involves interactions with humans or with systems. Today, this identification relies upon authentication at the endpoint for humans and at the network level for applications and devices. Enterprises that wish to maintain a low risk tolerance must ensure that identification is consistently challenged and validated, not only at the start of a transaction but repeatedly throughout it. This continuity ensures that the identity has not been compromised after the initial transaction.

Automating the validation of identity not only streamlines the checking of credentials but also introduces workflow processes that can notify, validate, respond, and remediate immediately if a compromise or a failed validation is detected. The solution also has to scale to meet demand and extend visibility across on-premises enterprise systems and out into the cloud, including the internet of things (IoT).

The Venafi Trust Protection Platform has the speed and scalability required to automate the assurance of keys and certificates, delivering the frequency of validation demanded by the most vigilant enterprises today. By automating workflows, enterprises can consistently validate identity, identify security incidents, and automatically remediate threats.

The Venafi Trust Protection Platform automates a wide variety of provisioning processes, such as the generation of certificate signing requests, CA approval, certificate installation, private key backup, and certificate renewal. The workflow can trigger immediate remediation of SSL/TLS weaknesses, such as certificates signed with SHA-1, by automatically replacing vulnerable keys and certificates. Automation of identity assurance extends enterprise-wide encryption to hundreds of thousands of users without compromising security across both on-premises and cloud enterprise systems.

In the event of a CA compromise, Venafi can scale to meet the massive remediation demands, replacing certificates across the cloud to on premises and IoT devices. The platform’s automation, policy enforcement, and workflow capabilities can immediately identify and securely re-issue certificates associated with any user, any application, and any device.

[Figure: Venafi Trust Protection Platform architecture. On-premise environment: web configuration, management and dashboards; enterprise directory, security, certificate authorities; infrastructure devices, enterprise applications, mobile devices; security administrators, system administrators, users. Platform services: discovery, policy, vault, access control, workflow, audit logging, notification, reporting, Active Directory/LDAP. Managed objects: external certification authorities, internal certificate authorities, web transaction services, TLS/SSL keys and certificates, key stores (JKS, CAPI, GSK, PEM). Cloud environment.]


Conclusion

The Venafi Trust Protection Platform helps you maintain the security and availability of your SSL traffic. The platform stops outages due to invalid or expired certificates by enforcing policies and automating the workflow for certificate renewal before expiration. Because outages are a symptom of a larger security issue, Venafi scales through automation by building processes that validate, generate, install, and configure keys and certificates. With Venafi, you have an instant "kill switch" to enforce policies across all devices, resources, and users.

Venafi scales to support millions of keys and certificates across the enterprise. All user and device certificates are centrally managed and audited regardless of whether they are in the cloud or on premises. This enables enterprises to gain immediate visibility of secured channels and credentials and to quickly identify and shut out attackers and insiders misusing keys and certificates. Venafi integrates with security products that inspect encrypted traffic by managing the keys and certificates required to decrypt the traffic. By removing blind spots in encrypted traffic, your existing security solutions regain their effectiveness: they can now see inside the encrypted traffic they were previously blind to.

With Venafi Trust Protection Platform, you gain the intelligence to detect certificate misuse on the internet and stop website spoofing that results in brand damage and breaches. Venafi's Trust Protection Platform can discover, inventory, enforce, and control security policies that identify expiring internal CAs, ensure that only standards such as SHA-2 are used, and stay up to date with changes in the threat landscape. You can implement policy-enforced self-service for administrators with automated, auditable workflows to scale, secure, and stay informed of changes within the PKI environment. Venafi helps enterprises pass audits and comply with new standards and regulations through vulnerability identification and remediation with ongoing reporting.

[Figure: certificate request workflow. A web application requests a certificate via REST; the Venafi Trust Protection Platform generates the keys, creates the CSR, enforces security policies, submits the certificate request to the CA and retrieves the signed certificate; the application then installs the certificate.]
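The request workflow in the figure (application requests a certificate, keys are generated, policy is enforced, the CSR goes to the CA, the signed certificate is retrieved and installed), and the provisioning steps listed on page 9, as an added example in Go. It is not Venafi code and calls no Venafi or CA API: the IssuancePolicy type, the in-process CA type and the Enroll function are this example's own stand-ins, and the policy values (domain abc.com, 2048-bit keys, 365-day validity) are assumed. In practice the policy would be resolved from the object's folder and the CSR submitted to an internal or external CA.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IssuancePolicy is the policy resolved for the folder an application's certificate object
// lives in (constructed for this example): the platform decides key length and validity.
type IssuancePolicy struct {
	Name, Domain          string
	KeyBits, ValidityDays int
}

type CA struct { // in-process stand-in for the internal or external CA the CSR goes to
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

func NewCA(name string) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// Issue checks the CSR's proof of possession and signs it for validityDays.
func (ca *CA) Issue(csrDER []byte, validityDays int) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, validityDays),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Enroll runs the workflow in the figure for one request: enforce policy, generate the
// key, build the CSR, submit it, retrieve the certificate, and check that it chains to
// the CA and carries the requested name before handing it back for installation.
func Enroll(p IssuancePolicy, cn string, sans []string, ca *CA) (*x509.Certificate, *rsa.PrivateKey, error) {
	names := append([]string{cn}, sans...)
	for _, n := range names {
		if n != p.Domain && !strings.HasSuffix(n, "."+p.Domain) {
			return nil, nil, fmt.Errorf("%s: name %q outside policy domain %q", p.Name, n, p.Domain)
		}
	}
	key, err := rsa.GenerateKey(rand.Reader, p.KeyBits) // generated by the platform, never by the CA
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: names}, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := ca.Issue(csr, p.ValidityDays)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: cn}); err != nil {
		return nil, nil, fmt.Errorf("retrieved certificate failed validation: %w", err)
	}
	return cert, key, nil
}

func main() {
	ca, err := NewCA("Corp Issuing CA")
	if err != nil {
		panic(err)
	}
	policyA := IssuancePolicy{Name: "Policy A", Domain: "abc.com", KeyBits: 2048, ValidityDays: 365}
	for _, cn := range []string{"www.abc.com", "www.evil.net"} {
		cert, _, err := Enroll(policyA, cn, nil, ca)
		fmt.Println(cn, "issued:", cert != nil, "error:", err)
	}
}
```

The private key never leaves the enrolling side: the CA sees only the CSR, whose signature it checks as proof of possession before issuing. The final Verify call is what turns "retrieved" into "validated": a certificate that does not chain to the expected CA or does not carry the requested name is refused before installation rather than discovered later by a failing client.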


CONTACT [email protected] www.venafi.com

©2016 Venafi, Inc. All rights reserved. Venafi and the Venafi logo are trademarks of Venafi, Inc.

The Venafi Trust Protection Platform supports all three Venafi products—Venafi TrustAuthority™, Venafi TrustForce™, and Venafi TrustNet™.

Venafi TrustAuthority continuously monitors keys and certificates to provide the complete visibility enterprises need to identify vulnerabilities, enforce policies, and detect anomalies.

  • Identifies all keys and certificates across networks, cloud instances, CAs, and trust stores
  • Maps access to all servers, users, and applications
  • Establishes a baseline to identify misuse
  • Enforces policies and workflows
  • Provides flexible policy control, including key lengths, validity periods, and cryptographic hash types
  • Enforces configurable workflow capabilities for replacement, issuance, and renewal, and provides API integration with third-party enterprise workflow systems
  • Integrates with thousands of applications and common APIs for the extensive security ecosystem

Venafi TrustForce automates remediation of vulnerable keys and certificates to speed protection and eliminate the risk of human error.

  • Automates and validates the entire issuance and renewal process
  • Distributes keys and certificates to other systems automatically
  • Scales to 500,000 users and devices
  • Terminates access, automatically revoking all certificates associated with a user
  • Replaces certificates in seconds, integrating with dozens of CAs, and remediates across thousands of certificates in just hours in the event of a CA compromise or a new vulnerability such as Heartbleed

Venafi TrustNet employs global reputation intelligence to establish certificate trustworthiness and identify rogue usage.

  • Identifies the trustworthiness of any certificate on the internet
  • Finds certificate misuse such as stolen or fraudulent certificates used for spoofed websites
  • Remediates immediately through certificate whitelisting and blacklisting

ABOUT VENAFI

Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity, cryptographic keys and digital certificates, so they cannot be misused by attackers. Venafi constantly assesses which SSL/TLS, SSH, WiFi, VPN and mobile keys and certificates are trusted, protects those that should be trusted, and fixes or blocks those that are not. As the market-leading cybersecurity company in Next Generation Trust Protection (NGTP), the Venafi Trust Protection Platform™ protects keys and certificates and eliminates blind spots from threats hidden in encrypted traffic.

Venafi also publishes best practices for effective EKCM (enterprise key and certificate management) and works with the world's leading standards bodies including NIST, OASIS KMIP, and the Cloud Security Alliance. Venafi customers include the world's most demanding, security-conscious Global 5000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail.