Gartner Report - Comodo Certificate Manager (CCM - PKI)


Transcript of Gartner Report - Comodo Certificate Manager (CCM - PKI)

Page 1: Gartner Report - Comodo Certificate Manager (CCM - PKI)

Don’t Let the CRACKS in Your Security Foundation Topple Your Digital Empire

Issue 2

Introduction

TLS/SSL certificates. Ugh, 2002’s technology. Last week’s news. Boring, right?

Not true. Let’s not discount TLS/SSL certificates just yet. These hardworking digital certificates are still very much the fundamental foundation for web security, authenticating users, enabling secure program-to-program and machine-to-machine communication, digital signature verification, and code signing, and are the basis for an estimated $360 Billion in online transactions alone in 2016.¹

We all know that TLS/SSL certificates enable secure web transactions by providing a protected, trusted connection between a given browser and a given website, basically verifying that a site is, in fact, what it claims to be. But in addition to these standard, well-known uses, there are several lesser known extended uses including granting users access to both networks and resources, code signing and authentication, to name a few. Let’s talk for a moment about code signing. This can be an exceptionally valuable feature, as without it your users don’t know and can’t prove that a piece of code transmitted over the Internet is what it’s supposed to be, or claims to be. Centralized certificate management becomes especially valuable when sharing certs and keys among a far-flung group of developers, resolving code signing errors, revoking or deleting certificates, as well as more generalized certificate renewal issues.

As we all know, the Internet of Things is not just “coming soon to an environment near you,” it’s already here. Today. And if we stop to think about the new and potentially overwhelming need for device certificates, especially for new IoT devices in addition to existing servers, laptops, desktops, tablets and smartphones, we start to see that this one sector alone will bring with it an enormous need for new certificates.

When we add this to the fact that most organizations’ existing certificate management programs are at best barely keeping up with current demand and are at worst studies in abject failure, we see that there is a huge need for a robust, automated certificate management program. The truth of the matter is that certificates need to be carefully and thoughtfully managed. Too many companies neglect their certificate management needs, and run a serious risk in the process. To quote Gartner Research,

Contents

1 Don’t Let the CRACKS in Your Security Foundation Topple Your Digital Empire
6 Research from Gartner: Technology Insight for X.509 Certificate Management
13 About Comodo

¹ Source: US Census Bureau News - https://www.census.gov/retail/mrts/www/data/pdf/ec_current.pdf


Don’t Let the CRACKS in Your Security Foundation Topple Your Digital Empire is published by Comodo. Editorial content supplied by Comodo is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2016 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Comodo’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.

“Gartner clients continue to cite X.509 certificate expiries as being a leading concern with respect to management of certificates.” In general, security is too often compromised by a lack of automated certificate management tools. Attempts to manually track and monitor multiple certificates from various vendors – usually relying primarily on spreadsheets and sticky notes – almost always result in error and mismanagement, leading to missed renewals and expired certificates, which generally leads to insecure connections, lack of trust, and a tarnished brand, if not bigger problems. Relying on almost stone-age technology to make sure that certificates are renewed on time, that validations are done and that certificate requests are handled appropriately, is a nearly fool-proof recipe for disaster.

HTTPS Adoption

Google has been enhancing search rankings for sites using HTTPS over HTTP. As HTTPS continues to become more common and widely known – and even expected – there will be another commensurate increase in demand for TLS/SSL certificates to make sure that the communication channel is, in fact, secured and encrypted, and to prove that these websites are safe and actually are who they claim to be. Along these lines, falling under the “Encrypt All The Things” movement, which, as its name implies, is pushing to make the Internet a safer place using state of the art encryption, Google has a plan to start flagging non-secured HTTP sites with a red X over the browser window padlock through Google Chrome starting in January of 2017.

IoT

Now add the deluge of requests that the Internet of Things has already started to bring and you can remove that “nearly” in the above sentence altogether. In 2015 an expired certificate led to Google’s Gmail SMTP service being unavailable for several hours.² That same year, Apple had a certificate issue as well that caused havoc within Apple’s developer community. This time it wasn’t an expired certificate but a certificate that was using a different algorithm that was to blame.³ And these are just two examples of how large, well-managed companies with ample resources have been adversely affected by their lack of enterprise-grade certificate management.

How Then to Solve the Certificate Management Problem?

The obvious answer is by utilizing a robust integrated certificate management solution like Comodo Certificate Manager to automate the process and protect against data breaches, failed audits and costly unplanned downtime. When just one expired certificate can lead to major outages, potentially costing tens of thousands of dollars to remediate and damaging brand integrity, it definitely makes sense for organizations to protect themselves with CCM.

Created by the global leader in SSL Certificates, CCM is an industry-leading, fully integrated automated enterprise solution designed to simplify digital certificate issuance and lifecycle management. Through its advanced capabilities, CCM provides businesses the ability to self-administer, instantly provision, and control all SSL certificates throughout their organization. Comodo leads the SSL certificate industry not only in market share but also as an originator of the Certificate Authority/Browser (CA/B) Forum, a consortium of CAs and Internet browser providers that develop guidelines to govern the issuance and management of CAs. Comodo has been a pioneer in certificate management since the founding of the CA/B Forum in 2005 and issues more certificates than anyone else on earth, having surpassed Symantec (Verisign) in February, 2015, and has widened its lead over its nearest competitor by over 10% since then, currently holding over 40% of market share.

² Source: Computer World - http://www.computerworld.com/article/2906039/expired-google-certificate-temporarily-disrupts-gmail-service.html
³ Source: Tech Crunch - https://techcrunch.com/2015/11/12/all-mac-store-apps-stopped-working-due-to-expired-security-certificate/

CCM’s Auto Discovery feature simplifies the formerly arduous and error-prone manual discovery process. Rather than logging into various vendor portals to monitor each certificate’s lifecycle (which may have been a viable approach in simpler times) and manually collecting detailed information on SSL certificates purchased at different times from different CAs, Comodo Certificate Manager automates the process. After conducting a comprehensive scan of external and internal networks to discover every certificate regardless of the issuer, CCM automatically imports all relevant information, bringing the entire certificate inventory under central control and offering a comprehensive view of all certificates. CCM’s Auto Discovery feature provides vital details about each certificate, including:

• The location of each SSL certificate

• The name of the CA that issued each SSL certificate

• The date each SSL certificate is set to expire

• Whether any certificates have weak keys (as of January 2014, keys must be 2048-bit or higher)

• Scan scheduling, so that discovery runs on a recurring basis

• The signature algorithm used to sign each certificate

• The ciphers supported on the scanned targets

Internal Certificate Authorities

When it comes to certificates, it really comes down to two possible scenarios: a company can have certificates issued by an Internal Certificate Authority such as Microsoft Certificate Services or it can have certificates issued by publicly trusted CAs, such as Comodo. With the ever-increasing need to issue more certificates for mobile devices, email and IoT, a number of companies are choosing internally signed certificate authorities such as Microsoft Certificate Services for internal applications. While this reduces the need to purchase publicly trusted certificates, all of these certificates still need to be managed. CCM’s Active Directory controller works as a proxy between the Comodo CA and Microsoft Active Directory. This direct integration provides discovery and information management of certificates issued by Microsoft Certificate Services. CCM will scan a Microsoft Active Directory environment to discover every certificate, regardless of type. CCM then classifies them based upon their Extended Key Usage (EKU) and imports them into a temporary staging area where administrators can more easily manage them.

Comodo Certificate Manager

All of these are excellent reasons why now is the time to deploy Comodo Certificate Manager. When compliance, website security and brand reputation are all on the line, and when IT departments are already spread dangerously thin, let CCM do the heavy lifting and keep your network, data and organization secure by not letting certificates lapse while managing every aspect of your organization’s certificate lifecycle. For automated discovery of private and public CAs, automatic renewal and installation of certs (a.k.a. set and forget cert renewal), lower costs of certificate ownership, integration with MS AD and MS Certificate Server, and support for IoT devices, choose CCM for full certificate lifecycle management.

WebTrust Certification

CCM is a proven, well-regarded and thoroughly trusted global solution for enterprise certificate management. Comodo’s CA infrastructure is WebTrust certified by Ernst & Young. CCM creates an efficient, productive and secure business environment that allows organizations to issue SSL certificates for use within internal and external networks, websites, and email systems.

Quick, Easy and Cost-Effective

CCM offers scaled discounts on Comodo’s already low SSL certificate pricing, enabling quick, easy and cost-effective fulfillment of multiple certificate requirements for distributed systems, email and devices.

Fast, Customer-Focused Rollout

CCM’s Software-as-a-Service (SaaS) architecture enables PKI management within hours. CCM significantly reduces administrative obstacles and time delays. SSL certificates can be issued immediately through a secure web console, thus enabling network servers, users, applications, objects and devices to be secured quickly. CCM also automates the enrollment process for requesting and issuing SSL, client authentication, code signing and S/MIME certificates.

Multiple Administrative Tiers

CCM provides 3 layers of delegated administration. This enables granular user management, enabling a master administrator to assign specific permissions to various personnel across the org chart. Business sectors can be delegated in such a way that the certificate asset management of a particular department, network, domain or subdomain can be assigned in whatever way is most beneficial to the organization, even to a specific person.

Maximize Certificate Management with Minimal Resource Expenditure

Comodo safeguards businesses against the interruptions associated with manual CA management. CCM discovers all certificates in the trust chain (root, intermediate and end-entity) and provides details of each individual certificate including its issuing authority and expiration date. In addition, CCM’s dashboard provides customizable at-a-glance information on expiring certificates, requested certificates, key strengths and more.


Automatic Installation and Renewal

CCM provides administrators the ability to manage and schedule automatic renewal and installation of certificates through both agent-based and agentless solutions. In the agent model, administrators install an agent where the certificate is installed. This agent monitors the certificate and at renewal time, generates a private key and certificate signing request. This request is submitted to CCM. Once the domain is validated, the certificate is issued and the agent downloads and installs it automatically. In the agentless model, an installation controller is installed on a central node with access to the targeted nodes via SSH.

Device Certificates

While the majority of companies now support BYOD in the workplace, few have been able to effectively manage the phenomenon, especially the need for so many new certificates, new security measures and necessary network improvements. Additional concerns are time to implementation and the costs of monitoring so many devices. Comodo provides hosting of private roots, enabling enterprises to generate private certificates. Enterprises can use these private certificates to authenticate users requiring access to internal networks from smartphones and tablets. These certs offer the fastest, most secure method for securing BYOD connectivity without the cost and complexity of installing agent software on employee mobile devices. CCM also provides an API to access and use CCM as a Simple Certificate Enrollment Protocol (SCEP) server.*

Features

Certificate Lifecycle Administration - Extensive portfolio of SSL, Code-Signing, S/MIME and client authentication certificates allowing for the rapid enrollment, approval, issuance, revocation and renewal of all certificates.

Automatic Scheduled Renewal and Installation - Provides scheduled revalidation and installation of critical certificates; this set-and-forget functionality ensures that users never receive an expired certificate error and applies to all certificate types.

Internal and External Discovery Scanning - Administrators can track and see all the details of each certificate purchased from different vendors.

Secure, Multi-Tiered Administrative Web Interface - Flexible organizational alignment of administrative domains that easily adjusts to your business model.

Configurable Email Notifications - Allows the administrator to be notified about requests, approvals, expirations or revocations and enables certificate owners and administrators to receive expiration notices in advance.

Same-Day Expirations - Administrators control the term and expiration of all issued certificates.

Dashboard - Provides one common, intuitive dashboard to view.

Reporting - Produce detailed reports, certificate and administrative status, and activity logs.

Client Key Management Services - Escrow and recovery of private keys enable a protected, policy-driven, restoration of user encrypted data.

Automatic Deployment with Microsoft Active Directory or CSV File Upload - Rapid client certificate distribution and management achieves tight integration with a variety of directory-based employee/device management systems.

Automatic CSR Generation and Private Key Management - Escrow and recovery of private keys for SSL certificates in a secure and redundant way simplify key management and protects certificate assets from human error and data loss.

Device Certificates - Comodo provides private root hosting for enterprises, allowing those entities to generate private, trusted certificates for all devices.

API Access - Allows organizations with other device management and reporting solutions to access elements of CCM.

Self-Enrollment Web Interface - Provides a secure self-service workflow for SSL or client certificates, enabling easy certificate enrollment and distribution.

Customized Web Interfaces - Can be customized with your corporate logo and images to help maintain your brand identity.

Reliable OCSP - Comodo real-time Online Certificate Status Protocol (OCSP) is distributed worldwide to maintain high availability.


Code Signing on Demand - Rapid code-signing service lets enterprises give their development teams a centrally managed platform to sign their code. This allows them to manage which users can sign code, what code has been signed, and which code-signing certificate was used, as well as the status of those code-signing certificates. This can be done on-premises or in the cloud.

Two-Factor Authentication and/or IP Address Validation - Provides highly secure administrative account access protection.

Private CA - CCM’s ‘Private CA’ feature allows companies to seamlessly and expertly issue and manage privately trusted certificates without any of the usual associated setup and management costs, on-premises or in the cloud.

Assured Compliance - Comodo will automatically keep Private CAs in compliance with any changes to certificate regulations.

Web Service APIs - APIs are available for the enrollment, renewal and revocation of SSL and Client Certificates.

Quick Implementation and Setup - CCM features fast and efficient auto enrollment and auto installation.

Source: Comodo


Research from Gartner

Technology Insight for X.509 Certificate Management

Security leaders are often unaware of the scope or status of their X.509 certificate deployments until it’s too late. As the scope of certificates expands to devices, people and things, security leaders must establish formalized plans and, if necessary, leverage available tools to minimize impacts.

Key Findings

• Security leaders continue to struggle with the management of X.509 certificates, citing that a number of externally facing and internally facing system outages can be traced to unplanned X.509 certificate expiry.

• While several offerings exist to discover X.509 certificates, most organizations rely on spreadsheet-based tracking methods and manual processes to keep track of certificates, resulting in many undocumented installations and increased exposure to risks.

• When using discovery tools, security leaders are often surprised by the number of unknown certificates, from multiple certificate authorities (CAs), that exist in their environment.

• Unknown and unmanaged X.509 certificates pose a security risk, as some may be based on deprecated cryptographic algorithms (such as Secure Hash Algorithm 1 [SHA-1]). Complicating this further are the growing use cases for X.509 certificates on devices, people and things.

• New sources of X.509 certificates, such as free Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates, increase the likelihood of rogue certificate use by internal parties, such as developers and DevOps.

Recommendations

• Use full life cycle management or discovery-centric tools to audit the number of deployed X.509 certificates to identify potential risks from expiry.

• Use full life cycle certificate management tools when dealing with large, complex, multivendor certificate environments — especially, when dealing with multiple certificate-based enterprise use cases, such as mobile and the Internet of Things (IoT).

• Ensure that X.509 certificate operations and management align with the overall cybersecurity incident response plan.

Strategic Planning Assumption

By 2019, organizations that leverage X.509 certificate management tools will suffer 60% fewer certificate-related issues and will spend half the time managing these issues over organizations that use spreadsheet-based management methods.

Analysis

Organizations are reliant on digital communications secured using X.509 certificates for their day-to-day operations. Certificates are used for user and device authentication, secure communications using Transport Layer Security/Secure Sockets Layer (TLS/SSL; see Note 1), program-to-program and machine-to-machine communications (including IoT), digital signature, and code signing. Many unseen internal and external services performing their daily duties are authenticated and trusted based on a relatively simple process involving the verification that an issued certificate is still active.

Many organizations that have an unplanned certificate expiry typically focus on other systemic causes, such as hardware/software issues, long before they begin to consider an expired X.509 certificate as the source of troubles. This typically results in significant delays in identifying and resolving the root cause of a system outage. This research aims to educate security leaders on the role of X.509 certificate management technologies and tools.

Definition

X.509 certificate management tools arm organizations with critical insight, automation and management capabilities when dealing with digital certificates. If not managed properly, certificates can expire, triggering browser warning messages that can cause users to abandon transactions. To avoid issues associated with out-of-compliance certificates, certificate management tools offer discovery capabilities to locate and help populate the certificate inventory, and replace those that are faulty, corrupted or out of compliance. Certificate management system (CMS) software is used to discover, identify, track, notify, and ultimately automatically renew and audit the installation of X.509 certificates.

Description

While X.509 certificate management has been available for some time, a number of organizations continue to use spreadsheet and other manual methods to manage certificates. This might suffice for small, noncomplex environments; however, for many other organizations, X.509 certificates are quite pervasive and manual methods will no longer suffice. As the use cases for public-key infrastructure (PKI) and X.509 certificates increase to cover people, devices and things (IoT), certificate volumes, issuance velocity and diversity will also increase. In particular, the increased diversity of X.509 certificate types and attributes increases the complexity of certificate management.

Security leaders must account for and manage several critical certificate types and attributes, such as:

• Certificate Types: For example, device certificates, domain-validated (DV), organization-validated (OV) or extended validation (EV), Subject Alternative Name (SAN; see “Evaluating SSL/TLS for Certificates for E-Business”), and/or self-signed certificates for various use cases.


• Hashing, Key Length and Cryptographic Algorithms: Digital certificates are based on public-key cryptography, which relies on a number of cryptographic primitives. Due to ongoing threats (see the Risks section), these attributes need to be monitored and updated periodically.

• Expiry Dates: Certificates can cause systems to fail, in some cases unexpectedly, if not renewed according to policy.

• Certificate Usage and Owners: Who uses these certificates, and how, should also be monitored. Misuse or abuse of certificates can expose organizations to a number of security threats. For example, if a malicious actor were to gain access to a website SSL/TLS certificate (private key), it would be able to conduct phishing attacks that could leverage fake or false websites. Additionally, assigned ownership also needs to be managed as certificate owners typically change over time.

Overall, the complexity of X.509 certificate management will increase dramatically as the use cases and volume of certificates increase.

Functions of X.509 Certificate Management Solutions

Discovery

Discovery is a primary function of a CMS. It scans the network, systems and applications; logs all instances of X.509 certificates; and may include all or some of the following: SSL/TLS, Secure Shell (SSH), Pretty Good Privacy (PGP) and others. Filters can be set to limit “noise” in discovery, but overall discovery should be able to support a deep-dive understanding of where cryptographic keys are stored, their strength, the issuer, validity period and expiry date. There is a potential problem with some discovery “crawlers” that may occasionally cause a target platform to malfunction. Further, some keys, such as those supporting Microsoft’s Encrypting File System, are stored in the registry, meaning the discovery agent cannot access them unless the local user is logged on.

Ownership

Identify who the certificate owners are for a given certificate and the approval structure for the issuance and renewal. Billing and chargeback processes can also be associated for a certificate as part of this activity.

Validation

A CMS may have a feature that regularly checks certificates against certificate revocation lists (CRLs) and Online Certificate Status Protocol (OCSP) responders to recertify trust both inside and outside the context of a live interaction between servers, or between a browser and a server. In some cases, validation is a function of the client (such as a browser) but is not typically turned on for performance or other reasons.

Renewal/Provisioning

Some CMSs can support the automatic renewal of a certificate within a prescribed period prior to expiry. What is important to note is that the renewal process from most CAs or certificate issuers and PKI vendors typically favors their own brands, meaning that certificates slated for renewal will be renewed using only their own certificate authority.

Audit and Reporting

When a certificate is renewed, it is critically important to ensure that the new X.509 certificate itself was both installed and rendered active within the target system; otherwise the previous X.509 certificate can remain active even after a new certificate has been installed. Therefore, security leaders must verify the actual in-use certificates against those charged by a third party or an internal provider list. In addition, most X.509 certificate management tools provide some level of reporting, typically either in a web-based user interface, with the ability to export reports in a variety of formats (for example, CSV).

Benefits and Uses

The benefit of X.509 certificate management technologies and tools can differ depending on the enabled use cases, volume, and velocity of digital certificates, and on the risk exposure and sensitivity of the organization. As security leaders enable use cases that require PKI, or X.509 certificates, such as mobile device authentication, website SSL/TLS, application-to-application and machine-to-machine (including IoT) security, comprehensive and intelligent X.509 certificate management will be required.

Uses

Holistic Management of X.509 Certificates: Enhancing Internal and External Enterprise PKI Certificate Management

A number of organizations and security teams use PKI systems to create an internal certificate authority with the aim of enabling a variety of internal use cases. Ultimately, these CAs typically issue X.509 certificates that are spread across systems, devices and applications.

Most importantly, some of these CAs provide security leaders with the ability to issue, renew and revoke digital certificates. However, X.509 certificate visibility and management is typically limited to the certificates issued by that particular CA.

As illustrated in Figure 1, each device contains three certificates from three CAs. In this case, security leaders would need to undertake the tedious task of accessing each CA in order to gain insight and control over each certificate. As devices and certificates grow and expand inside and outside of the organization, the complexity of managing these certificates increases dramatically.


X.509 certificate management systems and tools provide security leaders with the ability to gain insight and control over a wide variety of X.509 certificates that exist in their organization. This also includes the ability to locate and identify unknown or rogue certificates (see the Risks section).

Beyond insight and control, a number of certificate management systems allow security leaders to enforce certificate policy across a wide variety of X.509 certificates. This is critically important where there is concern about unknown or rogue certificates (see the Risks section).

Overall, security leaders can gain holistic insight and management over a wide variety of internal and external uses of digital certificates when using X.509 certificate management technologies and tools.

Optimizing Management of External SSL/TLS certificates

X.509 certificates used for external use cases typically require public trust; that is, they are purchased from publicly trusted SSL/TLS CAs or certificate providers.

When purchasing these certificates, organizations need to ensure that they are optimizing their purchases. For some enterprises, managing certificates may also have to be done across a number of different certificate providers or CAs. Security leaders need to ensure that they are aware of and are managing some critical aspects such as:

• Certificate Authority: What certificate authority issued the certificate (for example, Comodo, Let’s Encrypt or Symantec)?

• Certificate Owners: Who acquired or purchased the certificate? What is the use of the certificate (that is, what website/application/service)?

• Certificate Validity and Expiration Date: What is the validity period, and when does the certificate expire?

• Security Vulnerabilities and Compliance: Are there known vulnerabilities with the certificate provider? Are the cryptographic primitives still in compliance? Does the certificate meet enterprise certificate policy? Is this a rogue certificate (see the Risks section)?

While much of the above can be managed with manual methods, such as spreadsheets (see the Risks section), security leaders can optimize their approach to external X.509 certificate management with the use of a CMS. This can include reducing time spent on the management of digital certificates, as well as direct cost savings by optimizing SSL/TLS purchases (that is, by eliminating unused certificates). Overall, if security leaders have several hundred certificates issued from multiple CAs, the use of CMSs and tools is highly advised.

Expanding Uses of PKI and X.509 Certificates

Mobility

As organizations continue to expand their use of mobile devices, whether corporate issued or bring your own device (BYOD), device identity remains critical. While a number of technologies exist, provisioning X.509 certificates to mobile devices can provide security leaders with a strong and simple way to provide device identity and authentication. Furthermore, with X.509 certificates deployed on mobile devices, security leaders can enhance use cases such as Wi-Fi, VPN and secure email (Secure/Multipurpose Internet Mail Extensions [S/MIME]; see Note 2).

FIGURE 1. Example of a Simplified Enterprise Certificate Environment Highlighting Visibility and Management Silos
Source: Gartner (September 2016)

All of these use cases not only add to enterprise certificate volumes, but also increase the dependency on X.509 certificates and PKI as well. Therefore, as security leaders consider X.509 certificate-based methods to secure and identify their mobile devices, they must ensure holistic and comprehensive full life cycle management of their X.509 certificates. Additionally, if multiple CAs are considered, then the complexity of certificate management increases dramatically. In this case, Gartner advises that clients assess the benefits of X.509 certificate management systems and tools.

Certificates and IoT Security

Of the many aspects that need to be considered as organizations embark on IoT initiatives, security leaders must ensure that they account for identity and authentication of IoT devices. While there are a number of methods that provide device identity and authentication, PKI and X.509 certificates (among other certificate types) are poised to play a critical role.

Ultimately, there are many details that will need to be accounted for; one of the most important will be scale. Manual identification and tracking processes will not scale, and therefore will not suffice in the realm of IoT. Security leaders, when considering certificate-based identity and authentication methods for IoT, should seek out solutions with embedded or interoperable certificate management systems.

While this is a new and emerging area, some security leaders may choose to deploy purpose-built IoT platforms with tightly integrated PKI systems that come with built-in certificate management. These systems may be separate from corporate or internal PKI systems, and therefore may not fall under enterprise certificate management.

Alternatively, for organizations that desire to leverage and extend their current PKI platform, certificate management systems, tools and techniques will most certainly be required to enable certificate-based IoT initiatives and strategies.

Risks

As security leaders and their organizations rely on X.509 certificates to enable a wide variety of critical business applications, holistic management quickly becomes a requirement. Poor management of X.509 certificates can cause significant negative business impact, from system downtime and increased incident response costs, to possibly lost business and/or brand damage. Security leaders need to be aware of key areas of risk related to X.509 certificate management, such as:

System Downtime Due to Certificate Expiries

Gartner clients continue to cite X.509 certificate expiries as being a leading concern with respect to management of certificates. Specifically, security leaders are mainly concerned with web browser warnings, notifying consumers or website users that the website may not be secure due to an expired or out of compliance certificate. This typically causes users to escalate the issue to support, or to abandon web transactions with the site altogether.

Management of X.509 Certificate Vulnerabilities and Compliance

Due to the changing threat landscape, security technologies are constantly evolving. Attackers leverage ever-increasing computing power, so cryptography techniques, hashing algorithms and key lengths all need to be enhanced. This requires that certificates be updated periodically (see Note 3).

Certificate Authority Compromises and Incident Response

Whether an internal CA or a publicly trusted CA is compromised, digital certificates can be created without permission or supervision (for example, in the case of DigiNotar, a fraudulent wildcard certificate was issued for the Google domain *.google.com).1 Malicious actors use such fraudulent certificates to lend trust to phishing sites and/or to digitally sign malware. Security leaders should be aware that CA compromises can occur and should have an incident response plan in place that specifically covers a compromised CA.

Unfortunately, many organizations scramble to remove a trusted root only when a compromise takes place. Organizations need to understand their internal process for removing a trusted certificate or root from browsers and applications. Browsers are relatively easy to fix, since the vendor ships a patch with the compromised root removed or distrusted; applications typically carry their own trust stores and therefore involve more work and, thus, more planning.

One of the first steps in identifying compromised certificates is to identify all certificates and evaluate each relying server for certificate validity. Overall, X.509 certificate management technologies and tools can help security leaders reduce complexity and time when responding to CA compromises.
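The triage step just described, identifying every certificate and deciding which relying servers need attention, is shown below as an added Python example; it is not code from the Gartner report or from any vendor in Table 1. It reads a CMS export (a constructed CSV whose column names are an assumption about what such an export contains), flags certificates issued by a distrusted CA for immediate replacement, and, since the same pass costs nothing extra, also flags the deprecated-algorithm and short-key cases that Note 3 describes. The issuer names, hosts, owners and thresholds are all made up for illustration.

```python
"""Incident-response triage of a certificate inventory.

Added example, not from the report: the CSV export, issuer names, owners
and policy thresholds below are constructed. Column names are assumptions
about what a CMS export contains.
"""
import csv
import io
from typing import Dict, List

# Constructed CMS export (sample data). In production this comes from the
# CMS's CSV export or API; real column names differ by product.
EXPORT_CSV = """\
host,owner,issuer,serial,sig_alg,key_bits,not_after
shop.example.com,web-team,Example Public CA G2,0A1B,sha256WithRSAEncryption,2048,2018-03-01
legacy.example.com,erp-team,Example Public CA G1,0BE1,sha1WithRSAEncryption,1024,2017-06-30
vpn.example.com,netops,Compromised Issuer Inc,77AA,sha256WithRSAEncryption,2048,2019-01-01
api.example.com,platform,Example Internal CA,00F0,sha256WithRSAEncryption,3072,2018-12-31
"""

# Hypothetical distrust list. A real list should match on the issuer's key
# identifier or certificate fingerprint, not only on the name, because
# issuer names are not unique across CAs.
DISTRUSTED_ISSUERS = {"Compromised Issuer Inc"}
DEPRECATED_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}  # see Note 3
MIN_RSA_BITS = 2048                                                      # policy minimum

def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse a CMS CSV export into one dict per certificate."""
    return list(csv.DictReader(io.StringIO(text)))

def triage(records: List[Dict[str, str]],
           distrusted=DISTRUSTED_ISSUERS,
           deprecated=DEPRECATED_SIG_ALGS,
           min_bits: int = MIN_RSA_BITS) -> List[dict]:
    """Return only the certificates that need action, most urgent first.

    priority 1: issued by a distrusted CA (replace now, then revoke).
    priority 2: violates algorithm or key-length policy (schedule replacement).
    Within a priority, the soonest-expiring certificate comes first.
    """
    work = []
    for rec in records:
        findings = []
        if rec["issuer"] in distrusted:
            findings.append("issued by distrusted CA '%s': replace, then revoke" % rec["issuer"])
        if rec["sig_alg"] in deprecated:
            findings.append("deprecated signature algorithm %s" % rec["sig_alg"])
        if int(rec["key_bits"]) < min_bits:
            findings.append("RSA key of %s bits is below the %d-bit policy minimum"
                            % (rec["key_bits"], min_bits))
        if findings:
            priority = 1 if rec["issuer"] in distrusted else 2
            work.append({**rec, "findings": findings, "priority": priority})
    work.sort(key=lambda r: (r["priority"], r["not_after"]))  # ISO dates sort lexically
    return work

def by_owner(work: List[dict]) -> Dict[str, List[str]]:
    """Group the work list by certificate owner so each team gets one ticket."""
    grouped: Dict[str, List[str]] = {}
    for rec in work:
        grouped.setdefault(rec["owner"], []).append(rec["host"])
    return grouped

if __name__ == "__main__":
    work = triage(parse_export(EXPORT_CSV))
    for rec in work:
        print("P%d %s (%s, expires %s)" % (rec["priority"], rec["host"],
                                           rec["owner"], rec["not_after"]))
        for f in rec["findings"]:
            print("   -", f)
    print("tickets:", by_owner(work))
```

The ordering is deliberate: a certificate from a compromised issuer is replaced before it is revoked, because revoking first takes the service down while the replacement is still being issued. The owner column is what turns a list of certificates into accountable work, which is why the Recommendations below insist on attributing ownership.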

Rogue and Unknown Certificates

Another challenge that security leaders must account for is gaining insight into, and managing, unknown and rogue certificates. These certificates are typically generated by individuals or groups in the organization who acquire X.509 certificates without the knowledge or support of IT or security teams (an example of “shadow IT”). A common example is a developer who requires an SSL certificate for a business need, such as application testing. Making matters worse, with free certificates from entities such as Let’s Encrypt, developers, DevOps and other internal consumers of digital certificates have minimal barriers to overcome in order to acquire certificates. Over time, these certificates can create a raft of issues, from system outages to released code/websites with out-of-compliance certificates, all of which are difficult to identify, track and trace without comprehensive and active certificate discovery and management.

Management by “Spreadsheet”

Organizations with roughly 200 or more X.509 certificates in use that are using manual processes typically need one full-time equivalent (FTE) to discover and manage certificates within their organizations.2

A limited number of certificates can be managed manually using a spreadsheet or other basic tools, but many features, such as discovery, will be missing. If this method is chosen, specific individuals or roles need to be assigned to manage certificates on groups of machines and to schedule reminders for certificate renewal before the installed certificates expire. Gartner clients should be advised that this method only accounts for known certificates. This potentially leaves security leaders with a number of unknown certificates (such as rogue certificates), exposing them to issues such as unexpected certificate expiries and downtime. One vendor that provides a CMS pointed out that clients who execute a discovery process typically see five to 10 times more certificates in the environment than expected.

Security leaders should proceed with caution if management by spreadsheet is used. Gartner advises clients to conduct a periodic evaluation of certificate usages, volume and expected use-case expansion. If use cases increase along with certificate volumes, then security leaders will need to consider leveraging a CMS (see the Recommendations section) over spreadsheet-based methods.

Recommendations

Below are some additional recommendations for security leaders:

• Ensure that you understand at least the number of known X.509 certificates in your environment. If this number exceeds 200, then a CMS and other tools should be implemented to mitigate a variety of risks.

• Determine if the incumbent PKI or external SSL/TLS certificate providers offer X.509 certificate management solutions or tools. As a minimum, discovery tools should be used to determine the scope of the X.509 environment, covering both known and unknown certificates that exist in the environment (see Table 1 in the Representative Vendors section).

• Implement automated certificate discovery and renewal/management tools, which work to minimize the risk of unplanned expiry and ensure policies are met. Manual or automatic certificate management should be leveraged to attribute accountability and ownership of X.509 certificates within organizations. Security leaders must recognize that not all discovery solutions are perfect, and therefore some certificates might remain undiscovered.

• Consider full life cycle certificate management tools over discovery-centric tools when dealing with large, complex, multivendor certificate environments (see the Representative Providers section), especially when dealing with multiple certificate-based enterprise use cases, such as mobile and IoT. As security leaders formalize plans to add additional mission-critical use cases, formalized and more holistic X.509 certificate management will transition from a “nice to have” to a “must.” As the dependency on X.509 certificates increases, so does the impact of an operations or security incident. Security leaders can increase operational efficiency and security by using full life cycle management tools for complex environments.

• Ensure that X.509 certificate operations and management align with the overall cybersecurity incident response plan, in order to better prepare for security incidents that relate to deprecated cryptographic algorithms and/or certificate authority compromise. Ultimately, this is to minimize impact and downtime in the event of a certificate issuer compromise, critical vulnerability exposure, suspected compromise or attack.

Representative Providers

X.509 certificate management tools can be segmented into two high-level categories:

• Discovery-Centric Tools: These tools may be offered by your current SSL/TLS provider. They are a great first step for security leaders and organizations that are new to certificate management. These tools help to identify and locate X.509 certificates. Reporting capabilities can vary, but overall, security leaders can gain valuable insight when compared to manual/spreadsheet-based methods. Some of these tools also provide the ability to auto renew and/or notify security leaders for manual renewals. From a cost perspective, Gartner clients state that these tools are typically much less expensive when compared to full life cycle management tools. Security leaders should leverage these tools, especially if they can get them for an attractive price (or in some cases, bundled in with certificate packages).

• Full Life Cycle Management Tools: These tools are generally for organizations and security leaders that deal with large and/or complex X.509 certificate environments. They can provide advanced functionality, such as the ability to manage certificates from multiple certificate authorities or issuers, in addition to support and integration into other IT systems, such as load balancers, enterprise mobility management (EMM)/mobile device management (MDM) and IoT devices, among others. From a cost perspective, these solutions typically require a much greater level of investment over discovery-centric tools. Security leaders should consider these tools when dealing with vast numbers of certificates across complex mission-critical systems and environments (see Table 1).

Table 1. Sample List of X.509 Certificate Representative Providers

Vendor                      | Full Certificate Life Cycle Management | Certificate Discovery | Multiple CA Full Life Cycle Support | Provides Public Trust Certificates and/or Enterprise PKI or PKI Tools | SSH Key Management Features
----------------------------|-----|-----|-----|----------------------------------|-----
Amazon Web Services (AWS)   | ✓*  |     |     | ✓ (Certificates)                 |
AppViewX                    | ✓   | ✓   | ✓   | ✓ (PKI Tools)                    | ✓
CSS                         | ✓   | ✓   | ✓   | ✓ (PKI)                          | ✓**
Comodo                      | ✓*  | ✓   |     | ✓ (Certificates and PKI Tools)   |
DigiCert                    | ✓*  | ✓   |     | ✓ (Certificates and PKI Tools)   |
Entrust Datacard            | ✓*  | ✓   |     | ✓ (Certificates and PKI)         |
GlobalSign                  | ✓*  | ✓   |     | ✓ (Certificates and PKI Tools)   |
SSH Communications Security | ✓** | ✓** | ✓** | ✓**                              | ✓
Symantec                    | ✓*  | ✓   |     | ✓ (Certificates and PKI)         |
Venafi                      | ✓   | ✓   | ✓   | ✓ (PKI Tools)                    | ✓

* Provides full life cycle management for certificates issued by the vendor's own CA only. Most vendors here can track and monitor other certificates but are typically limited when dealing with certificates from other CAs.
** Provides capability via partners and/or OEM relationships.
PKI Tools: Indicates that the vendor provides a variety of PKI enhancement tools, such as private CAs and/or other capabilities that enhance internal/external PKIs.
Source: Gartner (September 2016)

Acronym Key and Glossary Terms

SSL – Secure Sockets Layer

TLS – Transport Layer Security

VPN – Virtual Private Network

PKI – Public-Key Infrastructure

Shadow IT – IT devices, software and services outside the ownership or control of the IT organizations (see “How CIOs Should Deal With Shadow IT”)

SHA-1 – Secure Hash Algorithm 1

SHA-2 – Secure Hash Algorithm 2; the successor to SHA-1

SHA-256 – The member of the SHA-2 family that produces a 256-bit hash value

CA – Certificate Authority

Evidence

1 “Fraudulent Digital Certificates Could Allow Spoofing.” Microsoft Security TechCenter. 29 August 2011.

2 Based on conversations with Gartner clients and vendors offering certificate management solutions, organizations constantly underestimate the work needed to track and manage certificates. When they dig in and actually start doing the work, they are surprised by the amount of time it takes. On average, clients tell us it takes three to six hours to generate a key pair on a server (depending on location and access); export the public key; have it certified by a certificate authority so that it is issued as an X.509 certificate; install it; verify it is active; and return the server to live operation. Additionally, organizations report that they need to take into account the time required to manually track down assets that have certificates, as well as the general maintenance of this list. This process itself can be a significant effort. According to clients and CMS providers, organizations typically have several people managing different pools of certificates. Larger organizations with many hundreds or thousands of certificates have been known to have 10 or more people performing this manual activity part time for different groups of servers. When downtime occurs, the number of FTE hours spent goes up dramatically to address the issue.

Source: Gartner Research Note G00308940, David Anthony Mahdi, 23 September 2016

Note 1. Transport Layer Security (TLS) Versus Secure Sockets Layer (SSL)

It is important to note that the industry uses SSL and TLS interchangeably; while SSL has been replaced by TLS, the industry generally still uses “SSL” as the name. The Secure Sockets Layer protocol was developed in 1994 as a security mechanism built into Netscape’s Navigator browser, and encrypted connections of this kind are supported by virtually all browsers today. While the term “SSL” is commonly used, the industry accepts that SSL has been succeeded by TLS 1.0 or greater. This change was introduced due to security issues with SSL. Threats such as POODLE, a padding-oracle attack against SSL 3.0, demonstrated that SSL is vulnerable: an attacker can decrypt and extract information from inside a secured (encrypted) session, nullifying one of the most common security layers, communication channel security via SSL. TLS was chosen by the Internet Engineering Task Force (IETF) as SSL’s successor. Therefore, the “SSL certificates” organizations purchase today are X.509 certificates used to secure TLS connections.

Note 2. X.509 Certificate Mobility Use Cases

With X.509 certificates deployed on mobile devices, security leaders can enhance use cases such as, Wi-Fi, VPN and secure email (S/MIME):

• Wi-Fi: Allows for secure and seamless connectivity without having to share a single username and password. This gives organizations the ability to audit Wi-Fi access logs and pinpoint specific devices with a stronger notion of nonrepudiation, in contrast with a basic username and password or with easily spoofed dynamic identifiers such as IP and Media Access Control (MAC) addresses.

• VPN: By leveraging mobile device certificates, users can seamlessly and strongly access the corporate VPN with their mobile device. Similar to the Wi-Fi use case, by using an X.509 certificate, authentication security is enhanced over a basic username and password. Additionally, it is also much more user friendly from a UX perspective when compared to other authentication methods such as one-time password (OTP) soft or hard tokens.

• Secure Email (S/MIME): Email security, such as email encryption and digital signatures, on mobile devices can also be enabled with the use of X.509 certificates (see “Market Guide for Email Encryption”).

Note 3. SHA-1 to SHA-2 Migration

The industry, primarily browsers and certificate authorities, decided that the issuance of SHA-1-based certificates be discontinued (see “Ballot 118 — SHA-1 Sunset [Passed]” from the CA/Browser Forum) because the SHA-1 hashing algorithm is weaker than previously thought. With ever-increasing computational power and improved techniques, the economics of forging a SHA-1-based certificate are much more achievable for attackers. Therefore, to reduce the risk to the online community, the best practice is to migrate from SHA-1 to SHA-2-based certificates. Google described its approach to the migration and sunsetting of SHA-1 in its online Security Blog post “Gradually Sunsetting SHA-1,” published 5 September 2014.

About Comodo

Comodo is a global innovator of cybersecurity solutions, protecting critical information across the digital landscape. Building on its unique position as the world’s largest certificate authority, Comodo authenticates, validates and secures networks and infrastructures from individuals, to mid-sized companies, to the world’s largest enterprises. Comodo provides complete end-to-end security solutions across the boundary, internal network and endpoint with innovative technologies solving the most advanced malware threats, both known and unknown. With global headquarters in Clifton, New Jersey and branch offices in Silicon Valley, Comodo has international offices in China, India, the United Kingdom, throughout Europe, as well as Central and East Asia.

Comodo and the Comodo brand are trademarks of the Comodo Group Inc. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The current list of Comodo trademarks and patents is available at comodo.com/repository.