It has always been taken for granted that the entire IT security industry understands that, as part of digital certificate management, it is necessary to manage the private keys associated with those certificates.
A recent conversation with an analyst made it clear that this assumption was just that – an assumption. There were two reasons, he said: 1) very few people realise that managing certificates also requires the management of private keys, and 2) not many people understand how critical the security of private keys is in protecting sensitive data.
It has always been believed that, “the key is the data.” The point is that if you protect data by encrypting it with a certificate, the private key becomes the data or asset that has to be protected (i.e. that encrypted data is effectively useless without the key but if the wrong person gets that key, the data is at risk).
This can be related to a topic which many of us have already spent considerable time thinking about – symmetric keys. Let’s say, based on PCI or some other regulation, that an organisation decides to encrypt the columns that contain personally identifiable information (PII) on its database using symmetric keys.
What happens when you retrieve that data from the database? The database is going to decrypt the data using the symmetric key(s) and pass it across the network. So, assuming there is still a concern about the security of that data, how can that organisation ensure that the data is secure as it travels across the network? The answer is that it is encrypted using a certificate and private key. It is just common sense that any organization would want to implement the same security procedures for its private keys as it does for its symmetric keys.
There are, of course, objections that can be made to this approach: “We’re not subject to PCI because we don’t process credit cards.” That may well be the case but, what other types of data can be passed across a network and the Internet that you might want to assure is properly protected – based on the industry you are in? They would include:
- Bank account information
- Insurance information
- Patient healthcare records
- Employee salary and benefits information
- Corporate financial information
- Stock account information
- Corporate trade secrets
How are private keys generally managed today? Most organizations are doing it manually (with a spreadsheet and reminder notes) with no dual control. Here are the typical steps an administrator goes through to generate a key pair (which includes a private and public key) and get a certificate.
- Create a keystore, if one doesn’t already exist
- Assign that keystore a password to protect its contents, including the private key(s)
- Generate a key pair (public and private key)
- Generate a certificate signing request (CSR)
- Submit the CSR to the CA
- Retrieve the certificate from the CA
- Install needed CA certificate(s) in the keystore
- Install the certificate in the keystore
- Backup the private key (if deemed necessary)
- Extract the private key and certificate so they can be placed on other systems (e.g. for load balanced configurations)
How do typical organizations secure and manage their growing private key inventory—the keys required to encrypt data in transit? How are the keys protected against loss, misuse or theft? These become especially important questions given that, according to Gartner, the majority of data breaches are executed from inside organizations. In most cases, the private keys are not being protected.
The PCI DSS requirements for private key management cannot be accomplished in an IT environment that relies on manual processes. There are both security risks and operational challenges when administrators attempt to perform these steps manually.
The problem with administrators performing these steps manually is that it opens them up to a host of potential security problems, either because they are not following best practice or because they are malicious. Here are some security challenges that present themselves:
- Administrators normally use the same keystore password on multiple systems (sometimes hundreds) so it is easy to remember them.
- Administrators usually have to share keystore passwords with other administrators because they’re all sharing in the work managing a group of systems.
- Administrators rarely comply with corporate password rotation policies (e.g. change every 90 days) for keystore passwords and will often use the same password for years. (One administrator at a very large bank told me that they call keystore passwords “passphrases” so that they don’t have to comply with the corporate “password” rotation policy. If you can believe it, this practice actually got them in compliance with their auditors.)
- Administrators who have direct access to keystores and the passwords that protect them can make copies of private keys which can be used to decrypt the data you’re trying to protect. This is a big problem if those administrators leave the organization.
- Most organizations don’t make it a practice of replacing private keys when the administrators who have had access to them are reassigned to a different department or leave the organization.
Given the typical re-use of the same password across multiple systems, the fact that passwords aren’t changed for years and the sharing of passwords amongst multiple administrators, organizations are exposing themselves to massive risk.
If these challenges exist within your organization or department, here are some recommended best practices to better protect the private keys that safeguard critical corporate data:
- Automate: Use an automated key and certificate management system that removes the need for administrators to access keystores directly and the passwords that protect them
- Rotate Passwords: Change keystore passwords regularly
- Separate Duties and Roles: Have a different set of administrators manage keystore passwords than the administrators who manage the systems where the keystores reside
- Proactively Change Keys: Change private keys (and the corresponding certificates) each time an administrator who has had access is reassigned or leaves the organization
The management of private keys and certificates is central to the security of data. It is only by following best practice and not making assumptions that system administrators can be assured that data is safe. Without policy-based management capabilities in place, there will continue to be high-profile data breaches and system outages on mission-critical applications with increasing frequency and cost.