2012 Risk Audit Survey Findings
Enterprise Key and Certificate Management (EKCM)
February, 2012
© 2012 Venafi Proprietary and Confidential
Key Players: 2012 EKCM Audit and Best Practices
• Survey, analysis, potential risks and best practices developed in conjunction with Osterman Research
• Michael Osterman, President and founder of Osterman Research. Osterman Research is a leading analyst firm with expertise in research and survey methodology, providing analysis, white papers and other services.
• Jeff Hudson, CEO of Venafi. Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions. Venafi solutions manage digital certificates and SSH, symmetric and asymmetric keys.
Survey Methodology
Venafi and Osterman Research surveyed more than 174 IT and information security professionals.
Survey Results: Unquantified and Unmanaged Risks
• 54% acknowledge having an inaccurate or incomplete inventory of their SSL certificate population.
• 44% admit their digital certificates are manually managed with spreadsheets and reminder notes.
Survey Results: Operational Risks
• 46% of respondents cannot generate a report to discover how many currently deployed SSL/digital certificates will expire during the next 30 days.
• 70% do not have a certificate management system integrated with their directory; such integration allows for automatic notification escalations in the case of non-response to a notification.
Survey Results: Security Risks
43% of respondents do not have a centralized corporate policy mandating:
• Specific encryption-key strengths and lengths
• Validity periods
• Private-key management
• Rotation
• Separation of duties
Lack of policies and/or the ability to enforce them creates security vulnerabilities.
Survey Results: Audit and Compliance Risks
• 54% do not have an automated, repeatable and on-demand way of providing a senior manager, vice president or auditor with a report of exactly how many certificates are present in the entire environment.
• 62% do not have an automated process for ensuring compliance with corporate policies.
Survey Results: Certificate Authority (CA) Compromise Risk
• 72% do not have an automated process to replace compromised certificates if the Certificate Authority in use is compromised.
Authentication and Encryption Needs Expanding
[Figure: where authentication and encryption are needed: human interface; applications and data; cloud; mobile]
• Lack of knowledge is increasing
• Requirement for key management is accelerating
Industry Best Practices for Remediation
1. Educate all stakeholders on the seriousness of certificate breaches and related problems.
2. Clearly articulate the role and use cases of encryption in security.
3. Define and make easily accessible clear encryption certificate and key-management policies, processes and procedures.
Best Practices Continued
4. Implement a central inventory and monitoring system; identify owners for each asset; ensure notifications are sent regarding impending expiration, errors and other issues.
5. Replace manual steps in the lifecycle management of certificates and keys with automation.
6. Dedicate sufficient staff to manage the implementation and maintenance of central encryption-key and certificate-management policies and technologies.
Venafi Assessor™
Risk Self Diagnosis
• Do you know where all the digital certificates are deployed on your network and who installed them?
• Do you know when they are going to expire?
• Do you separate access to public and private keys for system access?
• Do all your encryption keys and certificates conform to policy?
• How long would it take you to replace all your certificates?
If target organizations cannot answer these questions they are going to experience a breach, an outage, or will fail an audit.
Quantify Your Risks
• Where are all of our SSL certificates installed?
• What date will certificates expire?
• How many certificates do we have?
• Which Certificate Authority(ies) issued these certificates?
• What encryption key length is being used?
• What algorithms are in use?
• Are we in compliance?
Venafi Assessor™
• What is Assessor?
  – Customer downloadable software
  – Ready to run; fast and easy
  – Scans to find certificates and keys
  – Quantifies the certificate and key population present
  – 12 reports that identify type and severity of risks
• Installation and operation
  – Runs in a virtual machine
  – Preconfigured, no special expertise required
  – Doesn't modify the environment
  – Doesn't "phone home"
• Assessor is available on February 22
  – www.venafi.com/Assessor
Getting Accurate Certificate Data: Three Easy Steps
1. Download and deploy Assessor
2. Enter addresses and run discovery
3. View detailed reports
What's in Your Environment?
Turn assumptions into hard data:
– Number of manageable certificates
– Issuing certificate authorities
– Expiration dates
– Certificate validity periods
– Key lengths
– Signing algorithms
Assessor reports include industry best-practice recommendations for remediation of the issues discovered.
Ignorance of the situation surrounding a critical security mechanism must be resolved.
Sample Assessor-generated Report: Certificate Days to Expiration
Rapid assessment of downtime risk due to expiring certificates.
Sample Assessor-generated Report: Certificate Validity Periods
Administrators turn over every year. Validity periods longer than one year create significant security risk.
Sample Assessor-generated Report: Issuing Certificate Authorities
Unauthorized CAs create security and operational risk.
Sample Assessor-generated Report: Encryption Key Lengths
Weak keys open the risk of an attacker deriving the key. NIST now stipulates a 2048-bit key length.
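The four sample reports above (days to expiration, validity periods, issuing CAs, key lengths) answer the Risk Self Diagnosis and Quantify Your Risks questions for one certificate at a time. As an added example, not Venafi's or Assessor's own code, the Go program below applies those four checks to a constructed self-signed certificate using only the standard library; the 30-day expiry window, the one-year validity limit, the 2048-bit floor and the approved-CA list keyed by issuer common name are assumptions standing in for an organisation's own policy.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assess runs the four checks the deck's sample reports cover: days to expiration, validity
// period over one year, RSA key under 2048 bits, and an issuer missing from the approved-CA list.
func Assess(cert *x509.Certificate, now time.Time, approvedCAs map[string]bool) []string {
	var findings []string
	if days := int(cert.NotAfter.Sub(now).Hours() / 24); days < 30 {
		findings = append(findings, fmt.Sprintf("expires in %d days", days))
	}
	if cert.NotAfter.Sub(cert.NotBefore) > 366*24*time.Hour {
		findings = append(findings, "validity period exceeds one year")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key is only %d bits", pub.N.BitLen()))
	}
	if !approvedCAs[cert.Issuer.CommonName] {
		findings = append(findings, "issued by unapproved CA: "+cert.Issuer.CommonName)
	}
	return findings
}

// selfSigned builds a constructed self-signed certificate so the example runs offline;
// a real inventory would parse PEM files or TLS handshake results instead.
func selfSigned(cn string, bits int, notBefore time.Time, validFor time.Duration) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, bits) // errors ignored: constructed test data only
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(validFor)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	now := time.Date(2012, 2, 1, 0, 0, 0, 0, time.UTC)
	// Constructed legacy certificate: 1024-bit key, three-year validity, 15 days left.
	legacy := selfSigned("legacy.example.test", 1024, now.AddDate(0, 0, -1080), 1095*24*time.Hour)
	fmt.Println(Assess(legacy, now, map[string]bool{"Corp Internal CA": true}))
}
```

Run against a directory of PEM certificates, the same Assess loop produces the inventory-wide counts the deck says 46% and 54% of respondents cannot report today.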
Discussion