“The proliferation of digital keys, certificates and secrets means that IT and security leaders recognize the need for an enterprise-wide cryptography and machine identity management strategy,” says Ted Shorter, CTO, Keyfactor, in an exclusive interview with ITSecurityWire.
ITSW Bureau: How can companies have internal conversations about machine identities with executives that are not at a technical level?
Ted Shorter: Machine identity is a topic that’s relevant across all areas of the business, and the key to making it relevant at an executive level is to connect the dots between digital transformation and data. At a high level, executives appreciate digital transformation and digital trust as individual priorities. Nowadays, digital business is vital, especially at the CXO level. These leaders recognize the importance of driving secure digital business and the need to establish digital trust through trusted identities, which include machine identities (the applications, devices and systems that support digital business).
Cryptography, like public key infrastructure (PKI), uses digital certificates and keys to secure machine identities. And when considering the connection between digital transformation and data, cryptography has become critical infrastructure that underpins these priorities and digital business growth.
Digital transformation is driving massive investments in containers, IoT and mobile devices that help companies embrace multi-cloud and DevOps strategies to accelerate transformation initiatives. CISOs want solutions that can keep teams agile and help achieve security goals in line with their rapidly expanding digital footprint.
Recent research surveying enterprises found that 61% of responding companies are deploying more cryptographic keys and digital certificates in their environments, yet only 40% of those companies have an enterprise-wide strategy in place for managing cryptography. There’s a sense of urgency when it comes to addressing machine identities within the business and establishing a strategy to manage them. Not doing so introduces risks that impact the entire C-suite as well as the business’s overall ability to drive digital transformation and digital business growth.
ITSW Bureau: What are the red flags that will show that enterprises are not properly managing their digital certificates?
Ted Shorter: Unfortunately, in most businesses the first flag is raised when teams feel like they’re not in control anymore. For years most companies have relied on complex, outdated on-premises PKI as well as manual processes to support it.
A more dangerous flag rises when a company experiences an outage or downtime due to an expired certificate. In those events companies tend to realize a few issues: a lack of visibility of all keys and certificates in the business, a lack of internal expertise in managing their PKI and an accumulation of hours of unnecessary work due to manual processes.
When faced with these challenges businesses realize it’s time to evolve to a more proactive state when it comes to securing and controlling their machine identities.
ITSW Bureau: What are the DevOps tools that have onboard certificate authorities (CAs) to keep an eye out for?
Ted Shorter: DevOps teams appreciate how tools like Istio Service Mesh, HashiCorp Vault and Kubernetes allow them to stand up a CA and start issuing certificates quickly; however, in many cases this is done without consideration for potential security implications. By the time a PKI team engages, projects often grind to a halt while the team figures out how to overlay policy and oversight to mitigate security risks.
PKI professionals realize that standing up a CA isn’t just about ‘getting it to work’.
Simply standing up a self-signed CA and churning out high volumes of certificates without policy enforcement or visibility wasn’t an option – they needed to ensure all certificates were issued from a secure root of trust (which is a security-operated PKI) that remained compliant with policies and ensured full lifecycle management.
ITSW Bureau: When does the crypto management lifecycle begin? What should be done if keys or encryption standards need to be changed?
Ted Shorter: The crypto management lifecycle begins the moment you issue a certificate from your private or public certificate authority. The reason being that a certificate’s lifecycle and its expiration date is established at the moment of issuance.
True lifecycle management begins with process management that ensures:
- Discovery of every key and certificate within the organization
- Continuous monitoring of certificate issuance, established alert settings for certificate expiration and visibility to the status of every certificate across cloud and on-prem environments
- Assurance that every certificate is trusted, compliant and up-to-date without disruption to user and infrastructure productivity
- Replacement of manual, error-prone tasks with the introduction of automated key and certificate discovery, management and renewal capabilities
- Self-service API to enable DevOps teams
- Orchestrated certificate deployment across every cloud, on-premises, or onboard CA
Crypto-agility is key to keeping pace with evolving encryption standards. In the event a CA or algorithm is compromised it’s not enough to re-issue keys and certificates from a new CA. Whether you’re managing the process yourself or working with a vendor or partner, ensure that the process is:
- Non-disruptive to the business
- Attainable and aligns to mission-critical timeframes
- Achievable within ecosystems that potentially contain hundreds of thousands of certificates across distributed systems and applications.
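The two lists above describe what a lifecycle and crypto-agility process has to do: discover every certificate, watch expiry dates, and flag anything that no longer meets policy (weak key, deprecated algorithm, excessive lifetime) so it can be reissued before it causes an outage. As an added example, not code from the interview or from Keyfactor, the following Go program (standard library only) shows the policy check such a tool runs over an inventory of DER certificates. The thresholds in DefaultPolicy, the host names and the self-signed test certificates are all constructed for the illustration; a real scan would feed in certificates collected from TLS endpoints, key stores and CA databases instead.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// Policy is the lifecycle policy every discovered certificate is held to.
type Policy struct {
	RenewWindow time.Duration // alert when a certificate expires within this window
	MaxLifetime time.Duration // flag certificates issued with a longer validity period
	MinRSABits  int           // smallest RSA modulus the policy accepts
}

// DefaultPolicy holds thresholds chosen for this illustration (assumptions, not values from the interview).
var DefaultPolicy = Policy{RenewWindow: 30 * day, MaxLifetime: 398 * day, MinRSABits: 2048}

// weakSignatureAlgorithms must be reissued regardless of expiry: the "algorithm is no longer trusted" case.
var weakSignatureAlgorithms = map[x509.SignatureAlgorithm]bool{
	x509.MD5WithRSA: true, x509.SHA1WithRSA: true, x509.ECDSAWithSHA1: true, x509.DSAWithSHA1: true,
}

// Check evaluates one parsed certificate against the policy at time now; an empty result means compliant.
func Check(cert *x509.Certificate, now time.Time, p Policy) []string {
	var findings []string
	if now.After(cert.NotAfter) {
		findings = append(findings, "expired")
	} else if cert.NotAfter.Sub(now) < p.RenewWindow {
		findings = append(findings, "expiring")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > p.MaxLifetime {
		findings = append(findings, "lifetime-exceeds-policy")
	}
	if weakSignatureAlgorithms[cert.SignatureAlgorithm] {
		findings = append(findings, "weak-signature-algorithm")
	}
	if k, ok := cert.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < p.MinRSABits {
		findings = append(findings, "weak-rsa-key")
	}
	return findings
}

// Audit parses DER certificates as a discovery scan would collect them and maps each
// subject common name to its findings, so the report doubles as the inventory.
func Audit(ders [][]byte, now time.Time, p Policy) (map[string][]string, error) {
	report := make(map[string][]string)
	for _, der := range ders {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		report[cert.Subject.CommonName] = Check(cert, now, p)
	}
	return report, nil
}

// SampleInventory mints constructed, self-signed test certificates relative to now so the example
// runs offline: a healthy cert, one inside the renewal window, one already expired, and one with a
// 1024-bit RSA key and a five-year lifetime. The host names are made up for the example.
func SampleInventory(now time.Time) [][]byte {
	ecKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaKey, err2 := rsa.GenerateKey(rand.Reader, 1024) // deliberately below policy
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	specs := []struct{ cn string; key crypto.Signer; nb, na time.Time }{
		{"api.example.internal", ecKey, now.Add(-30 * day), now.Add(335 * day)},
		{"mesh-gateway.example.internal", ecKey, now.Add(-350 * day), now.Add(15 * day)},
		{"legacy-batch.example.internal", ecKey, now.Add(-400 * day), now.Add(-35 * day)},
		{"old-vpn.example.internal", rsaKey, now.Add(-day), now.Add(5 * 365 * day)},
	}
	var ders [][]byte
	for _, s := range specs {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: s.cn}, NotBefore: s.nb, NotAfter: s.na}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, s.key.Public(), s.key)
		if err != nil {
			panic(err)
		}
		ders = append(ders, der)
	}
	return ders
}

func main() {
	now := time.Now()
	report, err := Audit(SampleInventory(now), now, DefaultPolicy)
	if err != nil {
		panic(err)
	}
	for cn, findings := range report {
		fmt.Printf("%-32s %v\n", cn, findings)
	}
}
```

Running it prints one line per certificate with its findings: the healthy one is empty, the mesh gateway is "expiring" (the alert that, acted on, prevents the outage described earlier in the interview), the batch host is "expired", and the RSA-1024 VPN certificate is flagged for both its key size and its lifetime even though it is nowhere near expiry. That last case is the crypto-agility point: expiry-only monitoring never finds it, so the policy check has to run over the whole inventory, not just the certificates coming due.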
ITSW Bureau: What steps can CISOs take to improve the traditional IAM practices?
Ted Shorter: Traditional IAM practices and approaches don’t prioritize machine identities – they’re focused on traditional human identities. The proliferation of digital keys, certificates and secrets means that IT and security leaders recognize the need for an enterprise-wide cryptography and machine identity management strategy.
ITSW Bureau: How can CISOs get their leadership team and CFO to invest in the latest cybersecurity solutions?
Ted Shorter: Industry experts and respected analysts have started building awareness around machine identities and the importance of machine identity management within enterprise-wide strategies. Recent research found that 55% of responding enterprise leaders are concerned about the increasing risk of key and certificate misconfiguration. Our reliance on machine identities and push to digital-first business growth means that tools and technology that support cybersecurity initiatives and mitigate risks aren’t just a nice-to-have – they’re a must-have. At the C-level it comes down to quantifying and managing risk. The cost of tool investments that mitigate the risk of outages, breaches and failed audits is far more manageable than the costs and consequences that come with any of those scenarios.
Ted Shorter is the chief technology officer and co-founder at Keyfactor. Responsible for Keyfactor’s intellectual property development efforts, Ted helps align Keyfactor’s focus with the changing security landscape, ensuring clients understand the importance of crypto-agility. Ted has worked in the security arena for over 25 years, in the fields of cryptography, public key infrastructure (PKI), authentication and authorization and software vulnerability analysis. His past experience includes 10 years at the National Security Agency, a master’s degree in computer science from The Johns Hopkins University and an active CISSP certification.