CIA: C and I, but where is A?
Cryptography, put into practice through PKI (Public Key Infrastructure), fundamentally enables confidentiality through encryption and integrity through signing. The crypto outputs demanded from this crypto machine tie into every value stream of the modern digital business.
Enterprise PKI can and should be regarded as critical infrastructure. As with any critical infrastructure, should it be running sub-optimally, it is a liability to the organization’s overall availability.
When availability is compromised, both qualitative and quantitative losses follow. A PKI system can create an enormous number of dependencies on its crypto outputs, and relying parties whose use cases are not immediately apparent can undermine the security of the business through misuse and misunderstanding. The number of such use cases can grow vast while remaining invisible.
Despite the integral role of cryptographic systems in securing value-adding business workloads, availability is often overlooked. When availability is inadvertently negated because of a confidentiality and integrity bias in design and operation, the business’ objectives and services may be negatively impacted.
Where do we begin?
Instead of advocating a tool or product to miraculously provide a turn-key solution for all PKI woes, it’s better to encourage a mindset of understanding and end-to-end ownership. Identifying the pain points and acknowledging the need for change can begin the journey of ongoing self-improvement which will be specific to your business’ needs.
An accurate and complete inventory is fundamental to availability, and not just for certificates. Stock must be taken of the people, processes and technology involved. Without knowing what these three are and how they interact, we cannot even begin to fathom dependencies and use cases. Spreadsheets have been the de facto industry standard for certificate management, when they are in fact only the initial stirrings of sensemaking.
A limited aperture restricts the view of the greater issue. Automated tools deal with the technology (X.509) but cannot completely account for the people and processes using it, so they are no panacea. Without intelligible inventory data, the internal attack surface for an “availability compromise” is widened simply because the organization doesn’t know itself.
Through judicious application of the knowledge gained from the inventoried data, triaged monitoring can be put in place. Starting with the most critical services, expiration monitoring should be employed tactfully.
Unmonitored certificate validity can lead to outages with negative ripple effects throughout the digital business. The 2018 outage in the core network of O2 UK, caused by an expired certificate in Ericsson-supplied software, is a prime example. More recently, the Google Voice outage in 2021 also showed that even the “big players” are vulnerable to PKI’s most prevalent threat.
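The triaged expiry monitoring described above, as an added example that is not part of the original post: a small Go program that ranks a certificate inventory by urgency, giving critical services a longer warning window than the rest and flagging certificates that nobody owns. The service names, owners and the 30/60-day windows are constructed assumptions; in a real inventory each Cert would come from x509.ParseCertificate on discovered PEM or DER, whereas here only the fields that triage reads are filled in.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"sort"
	"time"
)

// Entry is one inventory row: the certificate plus the people and process behind it.
// In a real inventory Cert comes from x509.ParseCertificate on discovered PEM/DER; here
// the certificates are constructed structs holding only the fields triage reads.
type Entry struct {
	Service  string
	Owner    string // empty means nobody has claimed this certificate
	Critical bool
	Cert     *x509.Certificate
}

// Finding is one row of the triaged report.
type Finding struct {
	Service, Owner, Severity string // Severity: expired, critical, warning, unowned or ok
	DaysLeft                 int
}

// Triage ranks the inventory. Critical services get a 60-day warning window, the rest 30
// days; a certificate without an owner is flagged even when its expiry is far off, because
// nobody is accountable for renewing it.
func Triage(inv []Entry, now time.Time) []Finding {
	out := make([]Finding, 0, len(inv))
	for _, e := range inv {
		days := int(e.Cert.NotAfter.Sub(now).Hours() / 24)
		window := 30
		if e.Critical {
			window = 60
		}
		sev := "ok"
		switch {
		case days < 0:
			sev = "expired"
		case days <= window && e.Critical:
			sev = "critical"
		case days <= window:
			sev = "warning"
		case e.Owner == "":
			sev = "unowned"
		}
		out = append(out, Finding{e.Service, e.Owner, sev, days})
	}
	// Most urgent first; ties broken by name so the report is stable from run to run.
	sort.Slice(out, func(i, j int) bool {
		if out[i].DaysLeft != out[j].DaysLeft {
			return out[i].DaysLeft < out[j].DaysLeft
		}
		return out[i].Service < out[j].Service
	})
	return out
}

// SampleInventory is constructed data relative to a given clock, not output of any real scan.
func SampleInventory(now time.Time) []Entry {
	mk := func(cn string, days int) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotAfter: now.AddDate(0, 0, days)}
	}
	return []Entry{
		{"payments.example.internal", "payments-team", true, mk("payments.example.internal", 45)},
		{"wiki.example.internal", "it-ops", false, mk("wiki.example.internal", 45)},
		{"inspection-proxy.example.internal", "netsec", true, mk("inspection-proxy.example.internal", -3)},
		{"legacy-ftp.example.internal", "", false, mk("legacy-ftp.example.internal", 300)},
	}
}

func main() {
	now := time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC) // fixed clock so the sample is reproducible
	for _, f := range Triage(SampleInventory(now), now) {
		fmt.Printf("%-8s %4d days  %-36s owner=%q\n", f.Severity, f.DaysLeft, f.Service, f.Owner)
	}
}
```

With the fixed clock the expired inspection proxy lands first, the critical payments service is flagged at 45 days while the non-critical wiki with the same expiry is not, and the unowned legacy host is surfaced even though it is valid for another 300 days. The windows and the owner rule are policy knobs; the point is that criticality and ownership from the inventory, not the expiry date alone, decide what is reported first.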
Automation drives down the enterprise crypto system’s TCO and drives up overall availability. A variety of tools and protocols exist in the enterprise crypto space to help accomplish automation; notably, the ACME and EST protocols automate the last mile of the enterprise crypto journey: the (re)enrollment process. By automating enrollment, much manual work is eliminated and many potential outages are mitigated. These are valuable components of a greater solution but should not be thought of in isolation. Business process and workflow logic must be addressed.
A full certificate life cycle management suite can provide such logic and workflows to bind many of the organization’s crypto components together. These suites generally come with a hefty price tag that can appear disproportionately high in relation to the problem they are solving. However, if applied correctly, these suites can save oodles of cash by reducing the overall FTE hours of those directly and indirectly involved in the organization’s crypto system. They can also stave off potential public embarrassment (and subsequent brand damage) by avoiding outages.
PKI and digital certificates can be perplexing to those who do not work with the technology frequently. Often, engineers need only the occasional certificate for a service, which they must laboriously extract through red-tape bureaucracy, and sometimes even this process is obscured. Interactions with the crypto system by those not “in the know” tend to be slow and error-prone. This leads to a lot of re-work at best, and at worst may trigger a dubious tendency to use alternatives such as self-signed certificates, unsanctioned trust providers (e.g., Let’s Encrypt) or simply turning off certificate validation.
A prime example of the latter is the 2017 Equifax breach, when certificate validation was turned off for an expired certificate used for HTTPS inspection, allowing attackers to evade detection for 76 days. Education and information sharing within the organization are often overlooked, to the detriment of the various internal systems functioning well together for the ultimate good of business objectives. A simple, streamlined and open process can keep the certificates rolling off the crypto assembly line and on to the use cases that require them. This translates into a significant gain for the cost of some savvy internal PR.
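The Equifax case above comes down to one configuration choice: whether a client verifies the certificates it is shown. The added Go example below (written for this article, not code from Traxion or from any product) issues a constructed enterprise root and two leaves, one valid and one expired three days before “now”, and shows what correct verification reports for each, next to the tls.Config shortcut that turns validation off. All names (Example Enterprise Root CA, app.example.internal, inspection-proxy.example.internal) are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // unique serial source for the constructed certificates

// issueCert builds an in-memory X.509 certificate: a self-signed CA when parent is nil,
// otherwise a server leaf signed by parent. Constructed for this example, not a real PKI.
func issueCert(cn string, notBefore, notAfter time.Time, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, pkey = tmpl, key
	} else { // server leaf; the SAN is what host name verification checks
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildScenario mirrors the inspection-proxy case with constructed data: one enterprise
// root, one leaf that is still valid and one that expired three days before now.
func BuildScenario(now time.Time) (root, valid, expired *x509.Certificate, err error) {
	start := now.AddDate(-1, 0, 0)
	root, rootKey, err := issueCert("Example Enterprise Root CA", start, now.AddDate(10, 0, 0), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	if valid, _, err = issueCert("app.example.internal", start, now.AddDate(1, 0, 0), root, rootKey); err != nil {
		return nil, nil, nil, err
	}
	if expired, _, err = issueCert("inspection-proxy.example.internal", start, now.AddDate(0, 0, -3), root, rootKey); err != nil {
		return nil, nil, nil, err
	}
	return root, valid, expired, nil
}

// VerifyAgainstCA is what a correctly configured client does: check the leaf against the
// enterprise root, the expected host name and the clock, and report expiry as an error.
func VerifyAgainstCA(leaf, root *x509.Certificate, host string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err
}

// IsExpiryError separates "renew the certificate" from "fix the trust chain"; the two
// usually land with different teams, so monitoring should tell them apart.
func IsExpiryError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// The weak setting beside the corrected one. InsecureClientConfig is the "just turn off
// validation" shortcut: every certificate, expired or issued by anyone, is accepted. The
// hardened form keeps validation on and trusts only the enterprise root.
func InsecureClientConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

func HardenedClientConfig(root *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

func main() {
	now := time.Now()
	root, valid, expired, err := BuildScenario(now)
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{valid, expired} {
		verr := VerifyAgainstCA(c, root, c.DNSNames[0], now)
		fmt.Printf("%-36s expired=%-5v err=%v\n", c.DNSNames[0], IsExpiryError(verr), verr)
	}
}
```

An expired inspection certificate surfaces as x509.CertificateInvalidError with Reason x509.Expired, which is the signal to renew it; the same connection under InsecureSkipVerify: true would succeed silently, and so would one presenting a certificate from an unrelated issuer. Wiring IsExpiryError into monitoring turns the outage-in-waiting into a renewal ticket rather than a reason to weaken the client.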
A holistic understanding is needed of what the crypto machine’s strengths and weaknesses are and how they affect the modern digital business. The key is to first understand how dependent the organization is on the crypto machine’s outputs and then start with small incremental steps to remedy the situation in an iterative process.
Depending on the enterprise, the crypto value supply chain can stretch across many business silos, cutting across geographical, language and cultural boundaries, and this matters. Ownership and responsibility across business units must be made clear so that there is accountability and motivation to move forward.
Someone needs to champion the cause and Traxion is here to assist you in your crypto endeavours. Any questions? Traxion is happy to answer them or share our thoughts.
Sean Thomas is security consultant at Traxion, provider of Identity Centric Security Services in the Netherlands and Belgium with over 130 highly qualified professionals. Traxion is part of the Swiss IT Security Group.