Certificate management processes
Sometime between five to ten years ago, most where looking at certificates for the first time and thinking what is PKI (Public Key Infrastructure), however people are now thinking, how do we manage so many different certificates? Certificates are now used all of the time within the IT industry, and certificates confirm our websites identity, certificates are used to sign emails and certificates are even used to evidence code was developed by a specific business, so with many certificates, how should they be managed?
Lets start by recognising that along with a certificate, there’s also an associated life cycle, which often contains the following steps, which means they should be wrapped in a business process, or standard operating procedure.
For a handful of certificates this is likely something that can be managed without too much stress, but there is still the concern of security, so here’s a few quick wins and considerations on how to improve the certificate life cycle deployed in your business.
Distribution of certificates is highly important, because if done incorrectly it can lead to your certificate being intercepted. This is obviously bad, because if intercepted a malicious actor could pretend to be you and even be verified through the usage of the certificate. A great method for distribution, is to ensure that the certificate requires a passphrase, and to distribute the passphrase separately to the certificate. If the plan is to send it via email, zip it up, name it something different to “certificate” and password protect the zip file. Ideally send the certificate using only a secure email platform (encrypted email), and better again, don’t send it at all using a public facing system.
Storage of certificates and keys, is another important factor. Where and how should they be stored. Consider this heavily because doing so now, could save a lot of time in the future. Options that some businesses use, include storing on a none networked virtual machine, which is powered off unless required, and only accessible by certain members of staff. Other options, include storing on an encrypted USB key and locking in a fireproof safe (if you do this, don''t store the password for the USB key within the same safe), or perhaps dropping them in a directory, which has tightly controlled ACLs (access control lists), with auditing on the access.
Monitoring is another very important consideration. Certificates can be installed in hundreds of places, so how can they be kept track of? There is the obvious idea of logging each certificates details within an excel document but if it’s not actively reviewed, it could lead to a certificate expiring and problems occurring resulting in a reactive fix, rather than proactively replacing them. The best ideas in this arena, are automated. Using a solution such as PRTG or Zabbix, enables the ability to track lots of certificate related information. This tracking often means having a dashboard present in IT or email alerting when customised thresholds are met. A few example thresholds include...
- 60 days, to provide time for finance to approve.
- 28 days, to ensure the appropriate CA is found and used.
- 7 days, to ensure time is given for performing the technical change.
If your company would like any assistance with using certificates and the management process, feel free to get in touch, we’re always happy to get involved.
- The Essential Cyber Hygiene for your business
- Why do you need a SIEM?
- New Year cyber security recommendations
- How to uncover network vulnerabilities
- Protecting your identity online
- What is a VPN and why do you need one?
- Quick tips to improve your board’s cybersecurity
- Password Management Software
- How to make of your employees the best line of cyber defence against cyberattacks
- What is Phishing and what can you do to prevent it?
- Found malware, now what do you do?
- Data breaches and other scary 2019 events- Special Halloween post
- How to get your cyber security budget approved by the board
- The TechForce Sponsorships
- How to start a career in the security industry
- Protecting your business in the cyber security era
- Secure Your Supply Chain
- Case study: British Airways Fined £183.4million for Data Breach
- The Silver Bullet in Cyber Security
- Fake invoice email scams and Office 365
- How to apply for the Cyber Essentials Voucher Scheme
- What is Business Email Compromise (BEC) and how to stop it
- Everything you need to know about Cyber Essentials
- Cyber Essentials Demystified
- How to choose a Security Awareness Platform
- 6 Quick and Easy Email Security Tips for Dummies
- Hackers On Tour
- How to share passwords safely in your Small Business
- In the news - Warning. North Sea firms likely already attacked
- 10 Steps to Cyber Security
- 6 Top Tips to Prevent Cyber Attacks
The Essential Cyber Hygiene for your business
We hear about the Travelex, British Airways, Maersk and Equifax data breaches. Over 90% of these incidents can be prevented by following basic Cyber Hygiene for your businessMore
Why do you need a SIEM?
A SIEM is a security information event manager, which very simply means its software that manages events regarding information security, simple enough.More
New Year cyber security recommendations
In this blog post we give you some new year cyber security recommendations to protect your accounts and identityMore
How to uncover network vulnerabilities
If you are new in IT and want to know where to start finding vulnerabilities on the network you're managing this blog post might be for you.More
FOR LATEST UPDATES SUBSCRIBE HERE: