As a core but often overlooked part of information security, Public Key Infrastructure (PKI) is a rapidly growing area that should rely on automation but does not yet do so sufficiently. Organizations use digital certificates to prove identity, implement secure authentication methods and get rid of outdated authentication measures. Digital transformation is exponentially expanding the number of digital certificates that businesses manage. Accordingly, organizations need a way to manage their certificates so they can protect their customers and corporate information from digital attackers.
Organizations should think twice before passing on the opportunity to automate their PKI. The industry has evolved, after all; the lifecycle of public certificates has shortened. It used to be three years. Now TLS/SSL certificates are valid for just a year. There are also specific use cases where digital certificates last for just 24 hours. Beyond public TLS certificates, many PKI use cases for managing user and device identities and authentication demand short-lived certificates and the ability to swap them regularly. DevOps environments also need greater agility.
All of this helps to increase the security of an organization’s secrets. But it also complicates the task of manually managing digital certificates. For instance, an IT admin working 9–5 won’t be able to keep up with the workload of renewing their employer’s certificates if that organization uses thousands or even millions of certificates to secure its infrastructure. That assumes the IT admin has the means to track all of those certificates’ renewal dates, of course. Human error could also play a part: the admin could simply forget about at least some of the certificates, thus creating an opportunity for a malicious actor to compromise those certificates, or leading to a massive shutdown of revenue-generating, customer-facing services.
It’s important to remember that IT admins’ tenure is short as well. Most admins spend four to six years in a single job before moving on to a different organization. This makes it difficult for an organization to manually maintain a running inventory of its assets. PKI automation can help by maintaining a dynamic inventory regardless of who’s on payroll at that time.
Then there’s the task of responding to a certificate compromise. Mounting a manual response isn’t easy. If a certificate suffers a compromise, admins don’t have time to manually find where it’s located. Admins need to act quickly to remediate a compromise before a digital attacker uses it to gain access to other parts of an organization’s infrastructure. This is a problem — especially in distributed networks, where organizations rely on data centers that are located around the globe. Admins can’t manually locate a compromised certificate in that case; with automation, however, they can take care of the problem by writing a command and/or by clicking some buttons on the UI.
There’s also the issue of compliance. Publicly trusted certificates are always changing. In response to the growing digital threat landscape, the security community might demand that certificates adopt a new length, a new algorithm or a new implementation. Admins need a way to distrust noncompliant certificates quickly so that they can meet their organizations’ compliance obligations. With automation, admins can create security policies that automatically request and install new certificates whenever a new compliance requirement enters into effect.
Notwithstanding the considerations discussed above, organizations have resisted the call to automate their PKI. Part of the reason for this is that some small players are misrepresenting how PKI automation solutions work. They’re creating a bad image for these types of tools that’s discouraging organizations from learning how they can use PKI automation to meet their digital security priorities. Simultaneously, lots of organizations have been happy with what they’ve been using to manage their certificates — even if that’s been nothing more than an Excel spreadsheet.
But the times have changed. Organizations are now looking for something bigger. They want integrations with load balancers and 24/7 support for their certificate management efforts, for instance. They also want something scalable that can continue to support them in the future.
In spite of those changes, many organizations still haven’t embraced automation. For some, this has been due to a lack of IT maturity. Most organizations want to solve IT problems for the next five to 20 years, not just for tomorrow. They also realize that they need to plan for this evolution. However, some might lack an IT strategy that stretches that far into the future. Absent concrete knowledge of what the future of their infrastructure will be, those organizations might freeze up and refrain from making any sweeping changes in the hope that the future will work itself out.
But it won’t. Not in the way they’re hoping, at least. Organizations need to be proactive about and have a strategy for their IT investments. It’s in reacting and playing catch-up where organizations commonly make mistakes, needlessly duplicate their resources and fail to capitalize on the moment that’s upon them.
Simultaneously, organizations have also been hesitant to automate their PKI due to their fears concerning cost. They believe that the cost of automating certificates is high. Yet this belief contradicts research and real use cases. They might pay a higher cost up front, sure, but that price tag will be just a fraction of what organizations would end up paying in the event that attackers abused a vulnerability involving their digital certificates.
For organizations to consider automation without discovery is naive. They need to know what they have if they’re going to effectively automate their PKI. As part of that effort, organizations need to look to extend PKI automation to their broader infrastructure. The last thing organizations want is to have just a fraction of their infrastructure automated. If that happens, organizations might forget about the rest of their infrastructure. That sometimes happens.
Using a discovery solution, organizations can create an inventory of what they can and can’t automate. They can then use PKI automation for the assets that they can automate and move to newer models/technologies for what they can’t.
There is no wrong time for organizations to invest in PKI automation. Every single day presents organizations with the opportunity to automate. That’s especially the case in light of everything that happened in 2020. The pandemic proved that organizations can’t rely on people alone for their digital security; there are lots of unknowns that could prevent admins from getting to work. As such, organizations need the means to track their certificates regardless of who’s in the office.
That’s where DigiCert’s solutions come in. After talking to customers with many use cases, the company has built upon its solutions over time to make them more scalable and flexible with respect to new workflows. As a result, DigiCert can now support even more use cases than in previous years as well as help customers with tens of thousands of endpoints to automate their systems within a matter of days.