Dealing with digital certificate vulnerabilities [Q&A]

While digital certificates are an essential part of day-to-day security they also present challenges. They can expire or be revoked, or even forged.

We spoke to Bert Kashyap, CEO of passwordless security platform SecureW2, to learn more about certificate-related vulnerabilities and what IT and security teams can do to deal with them effectively.

BN: What digital certificate-related vulnerabilities are often overlooked, and how can they be avoided?

BK: The biggest source of vulnerabilities is that many organizations lack a coherent certificate lifecycle management and visibility into a complete inventory of internal and external-facing certificates. The key to avoiding these issues is through automation platforms, and by setting up a direct connection between your PKI (Public-Key Infrastructure) and your Identity and Device Management systems. This ensures that certificates are revoked the moment devices are wiped/retired, or users leave the organization; ensures certificates are automatically renewed where necessary; and organizations have a single-pane dashboard to monitor usage.

BN: How does the volume and complexity of certificates across hybrid/multi-cloud environments complicate security efforts and would automating machine identity management (MIM) initiatives help?

BK: Cloud apps and services, DevOps practices, and distributed architectures have all contributed to the explosion of machine identities including certificates. You have certificates securing activity between microservices, serverless functions, containers, data transfers, and more -- often spanning multiple public clouds and private data centers. More users, more devices, more certificates to manage. Manual processes for tracking expiry dates, monitoring for misuse, avoiding outages from expired certs, etc. are overwhelming for enterprise IT teams -- not to mention their SMB counterparts who don’t have equivalent budgets, staff, or time.

Smaller organizations likely don't need all the bells and whistles of enterprises -- say they just use services focused on public trust certificates and web server needs -- but if they want to scale, to maintain security and uptime, an automated approach is really the only option.

BN: What are key considerations and steps to take if an organization wants to move away from credentials and toward passwordless authentication with certificates?

BK: The first thing an organization needs to assess is their internal capacity to setup or manage a Public Key Infrastructure (PKI). A PKI is the foundation for passwordless authentication. It issues, revokes, and renews certificates, and you can build your own in-house -- though many are turning toward a managed service for a cloud PKI. That’s why it's critical to assess internal capacity with help from experienced professionals. Not only do Managed PKI Services have the benefits of flexibility and cost-savings, but we see most organizations underestimate how much work goes into configuring and managing an in-house PKI with security best practices.

Users are notoriously wary about new processes and systems, so have a clear deployment strategy for installing certs across user devices, servers, apps and how they’ll integrate with existing identity and access management tools. Offer user training and best practices for both IT staff and end users. I recommend a phased migration, transitioning different user groups or systems gradually to limit potential issues of a full rollout. Most of SecureW2's customers start with technical teams, as they usually understand certificates and work with the highest-risk systems.

BN: For organizations that already use certificates, what best practices should they be following to get better visibility and control over their certificate inventory?

BK: There are several things they can do:

• Inventory every certificate in use -- across on-prem systems, clouds, DevOps pipelines, you name it. Map out ownership, associated applications, issuers, expiry dates, etc. Maintaining and managing a centralized certificate inventory prevents certificate sprawl and unintentional security oversights.
• Implement strict lifecycle management policies and processes. Automate certificate provisioning, renewal, and revocation based on least-privilege principles. For BYOD environments, automate onboarding so end users can easily configure their devices within a secure wireless network.
• Conduct regular audits and attestation reporting for air-tight audit trails.

BN: How do industry regulations and standards (e.g., NIST, PCI DSS, HIPAA) address security requirements around digital certificates, and what more could be done?

BK: Industry standards do a good job advocating for the use of certificates, but the guidance needed to practically implement PKI is missing. Take PCI DSS Version 4 for example -- in Section 4 the standard explicitly calls for establishing trust for encrypted transmissions using techniques like digital certificates to secure networks. But the language only goes a little bit into practices like certificate lifecycle management policies, controls for certificate issuance authorities, continuous monitoring for things like rogue certificates, etc. It’s good it advocates for certificates, but more around implementation and management would be great.

The NIST publication on Zero Trust Architecture is similar to the guidance provided by PCI DSS. Bringing attention to the foundational role Public Key Infrastructure provides for implementing Zero Trust was great. Customers often tell us that it’s the NIST recommendation that prompted them to adopt certificates. HIPAA is similar in requiring robust access controls and encrypted data transmissions, which certificates enable. However, they both leave the technical implementation details up to individual organizations.

BN: How can security teams integrate certificate monitoring and detection into their broader cybersecurity strategy?

BK: The biggest roadblock is organizational. Teams relying on legacy tooling that doesn't have strong certificate lifecycle and security support, or departmental silos, or just lacking the staffing to establish a robust approach. There are also a lot of misconceptions about how difficult PKI can be, as there have been significant strides in certificate automation and tooling developed in the past decade.

The first step is to get visibility into certificate assets and associated metadata -- issuers, expiration dates, key specs, approved uses, etc. Once that's established, the monitoring itself needs to account for unauthorized or rogue certificate issuance; suspicious certificate attribute changes; traffic interception attempts using untrusted certs; vulnerability exposures based on cert configs; and detecting/alerting when certificates are nearing expiration.

BN: What should we expect to see over the next year in terms of digital identity and zero trust?

BK: I think we'll see a rapid transformation in how organizations treat identity. Organizations will continue to migrate from legacy systems, whether on-premises PKI infrastructure or credential-based authentication, which continues to be a serious threat for all-sized organizations, and we'll see more 'trust nothing, encrypt everything' with true zero trust models.

Image Credit: maxkabakov / depositphotos.com