I’ve just discovered this morning that I’m an illegal alien. My identity card (ID) expired two months ago, so I suppose technically I could be kicked out of the country where I’m currently resident.
For obvious reasons I don’t want to mention the country until I resolve this small matter. And if that wasn’t bad enough, my wife is also an illegal – probably the first ‘illegal’ thing she’s ever done, so domestic panic has just taken hold: “We’ll be kicked out, never to see family or friends again!” I don’t think she appreciated my comment that every cloud has a silver lining.
So how did this suddenly come about? Well it seems something fell through the administrative cracks. We should have received a reminder three months prior to expiry, telling us that we would need to renew our residence permit. But for whatever reason, nothing arrived through the post, and since we’re not in the habit of checking our ID cards on a regular basis, it never occurred to us.
The first port of call was to contact the department which has looked after this process for the last twenty-five years, only to find that this has all been changed! A new governmental department has been set up to look after the aliens! A visit to the appropriate website presents us with a twenty-six page questionnaire to be completed to renew our status – it used to be a one pager at the so-called ‘alien police’.
The similarities with the IT security world could not be more obvious. Daily, organisations are confronted with problems associated with the expiry of their encryption keys and certificates and almost always the problem is a result of the failure to properly implement best practices.
Most organisations, in spite of having policies and processes defined, regularly overlook encryption keys and certificates. They lose track of them, or someone else takes over responsibility, and the result is that certificates expire because no one knew they were there.
It is not a trivial matter to track digital certificates because they are deployed in so many different locations and in such a variety of systems, and installed on systems that are managed by an army of IT teams. They are just like us aliens – we’re all over the place!
Tracking The ‘Aliens’
So the first step that this new government organisation should have taken care of was to ensure that they collected every piece of information for every alien in the country. And the same applies to certificates. Start with the obvious source – the certificate authorities (CAs) that you know are being used. But don’t assume that once you have that information you have tracked all your ‘aliens’.
After all – even the ones you know about may have already left!
The next step should have been some kind of contact with every address in the country asking if there were any aliens resident. In the same way the next step in managing certificates should be a network discovery to find certificates that are present on a listening port such as HTTPS. Start by gathering your network address ranges and then collect a list of ports to check.
Now you are making progress because you can start to reconcile what you think you have with what you actually discover. And you will be surprised to find that not all certificates are issued by your certification authority. Just as with aliens, you may find some that are registered in other countries (that is, issued by other CAs)!
And finally a house-to-house search would have yielded results for those aliens who are ‘hiding’ from the system. In the same way, user certificates are not going to respond to a simple network query; a detailed search of each system will reveal those hidden certificates that only appear when someone specifically asks them to!
Many certificates are not discoverable via network ports, such as client-side certificates used for mutual authentication on SSL. Finding these certificates typically involves performing file system scans on server and client systems with a locally installed agent.
Now, no one is denying that discovering your aliens/certificates is time consuming, and where possible automation should be used, but ultimately you cannot start managing aliens/certificates until you know where they are!
Managing The ‘Aliens’
Although it’s always good to have a snapshot of your certificates at a moment in time, certificates, like aliens, tend to move around. Open borders, like open IT infrastructures, mean that the situation can change on a daily basis. So continuous monitoring, and validating that everything is where it should be, helps you maintain control. And more importantly, you want to be notified if an alien certificate suddenly appears.
Continuous monitoring also prevents expirations. To avoid perfectly good certificates from expiring, notifications need to be sent to the owners to warn them in plenty of time that action is required. Had some government apparatchik sent us a reminder, we wouldn’t now be facing deportation.
But when you rely on manual processes, mistakes happen, or, as in the case of the government, the people responsible are on vacation celebrating some national holiday that is only known to the select few.
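The three steps above (start from the CAs you know, discover what is actually listening, then reconcile and warn the owners before expiry) are straightforward to script. The following is an added example for this post, not the author's code or any vendor's product; it uses only the Python standard library, and the host names, the `KNOWN_ISSUERS` set, the fixed “today” and the 90-day reminder window (the post's “three months prior to expiry”) are all assumptions made for illustration. The sample records are constructed in the shape that `ssl.SSLSocket.getpeercert()` returns, so the same triage runs over what `fetch_cert()` collects from real hosts.

```python
"""Certificate inventory triage: discover, reconcile against known CAs,
flag expired/expiring certificates. Standard library only."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# The CAs you believe you use (the post's "obvious source"). Assumed values.
KNOWN_ISSUERS = {"Example Corp Internal CA"}

# Reminder window: warn this many days before notAfter (the post's "three months").
WARN_DAYS = 90

# Fixed "today" so the sample triage below is reproducible.
FIXED_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


def fetch_cert(host, port=443, timeout=5.0):
    """Network discovery step: connect to a listening TLS port and return the
    peer certificate as the dict ssl decodes, tagged with host/port.

    Caveat: Python only decodes the certificate into a dict when the handshake
    verifies against the local trust store, so an expired or privately issued
    certificate comes back as an 'unverifiable' record. That is still a
    finding: something is serving a certificate your trust store rejects.
    Returns None when nothing answers or the port does not speak TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # discovery, not client-side name matching
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = dict(tls.getpeercert())
                cert.update(host=host, port=port)
                return cert
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "port": port, "unverifiable": str(exc)}
    except OSError:  # refused, timed out, or not TLS at all
        return None


def _attr(name, key):
    """Pull one attribute (e.g. organizationName) out of an ssl name value,
    which is a tuple of RDNs, each a tuple of (key, value) pairs."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def triage(discovered, known_issuers=KNOWN_ISSUERS, now=None, warn_days=WARN_DAYS):
    """Reconcile discovered certificates with the CAs you think you use.

    Each result has a lifetime status (expired / expiring / ok / unverifiable),
    days_left relative to `now`, and a `foreign` flag for certificates issued
    by a CA outside `known_issuers`."""
    now = now or datetime.now(timezone.utc)
    report = []
    for rec in discovered:
        where = f"{rec['host']}:{rec['port']}"
        if "unverifiable" in rec:
            report.append({"where": where, "issuer": None, "status": "unverifiable",
                           "days_left": None, "foreign": False})
            continue
        issuer = _attr(rec["issuer"], "organizationName")
        # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form.
        not_after = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(rec["notAfter"]), tz=timezone.utc)
        days_left = (not_after - now).days
        if not_after <= now:
            status = "expired"
        elif not_after - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        report.append({"where": where, "issuer": issuer, "status": status,
                       "days_left": days_left, "foreign": issuer not in known_issuers})
    return report


def needs_action(report):
    """The subset that should trigger a notification to the certificate owner."""
    return [r for r in report if r["status"] != "ok" or r["foreign"]]


# Constructed sample records (same shape as getpeercert() output).
SAMPLE_DISCOVERED = [
    {"host": "web1.example.internal", "port": 443,
     "subject": ((("commonName", "web1.example.internal"),),),
     "issuer": ((("organizationName", "Example Corp Internal CA"),),),
     "notAfter": "Dec  1 00:00:00 2024 GMT"},   # already expired
    {"host": "api.example.internal", "port": 8443,
     "subject": ((("commonName", "api.example.internal"),),),
     "issuer": ((("organizationName", "Example Corp Internal CA"),),),
     "notAfter": "Mar  1 00:00:00 2025 GMT"},   # inside the 90-day window
    {"host": "vpn.example.internal", "port": 443,
     "subject": ((("commonName", "vpn.example.internal"),),),
     "issuer": ((("organizationName", "Some Public CA Inc"),),),
     "notAfter": "Jan 15 00:00:00 2026 GMT"},   # fine, but a 'foreign' CA
    {"host": "legacy.example.internal", "port": 443,
     "unverifiable": "certificate verify failed: self-signed certificate"},
]


def triage_sample():
    """Run the triage over the constructed sample at the fixed date."""
    return triage(SAMPLE_DISCOVERED, KNOWN_ISSUERS, FIXED_NOW)


if __name__ == "__main__":
    for r in needs_action(triage_sample()):
        print(f"{r['where']}: {r['status']}, issuer={r['issuer']}, "
              f"days_left={r['days_left']}, foreign={r['foreign']}")
```

In a real run you would feed `triage()` the output of `fetch_cert()` over your address ranges and port list, and schedule it so the report is regenerated daily; the `foreign` flag is the reconciliation the post describes, and `needs_action()` is the list the owner notifications should be driven from. Certificates that never touch a listening port (client certificates in local stores) still need the agent-based file system scan the post mentions; this script does not find those.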
And finally, set up common sense processes for certificates to be renewed. Certainly don’t waste your money hiring expensive consultants who develop complex security practices that no one can understand, and which you can probably “google” if you spend five minutes.
Keep it simple, use compliance standards such as PCI which offer good practical advice, and wherever possible use automated methods to create certificates and install them. Establish standard practices that maximise reliability and repeatability, help ensure security and compliance with policy, and minimise the load on your administrators.
Errors are inevitable when these steps are performed manually, and keeping the private key secure is very challenging when these operations are done by hand.
So as my wife and I sit down and contemplate a twenty-six-page questionnaire (EACH), in a foreign language, which will be used to determine whether or not we can stay, I’m contemplating becoming an illegal alien and just bypassing the process – they’d probably never notice.
And if you don’t get your certificates under control, and provide common sense processes for your IT staff to get new ones or renew existing ones, you may just find that your environment ends up overrun with ‘illegal certificates’.