This article describes from a CISO perspective how to manage and protect security assets in large organisations, i.e. the cryptographic keys and suggests adequate procedures and systems.
2/3 of organizations with public facing vulnerable to hacker attacks
The Heartbleed security vulnerability, publicised in March 2014, received an abundance of media attention as it exposed over 1 million web servers worldwide relying on OpenSSL version 1.0.1. The bug was corrected shortly after the leak with the release of OpenSSL v1.0.1g on April 7th 2014. However, estimates suggest that around 2/3 of organisations with public-facing systems are still vulnerable to the attack.
This is because even though the fix is known, completing the final steps of implementation is difficult. Simply put, the fix requires the affected web servers to upgrade their Open SSL library to stop the leak, and thereafter update the server's cryptographic key pair and corresponding SSL certificate as they could have been exposed. Yet, in practice, it is not that simple to renew cryptographic keys.
Why is it so difficult?
Many businesses tend to neglect that the security of most IT systems ultimately relies upon the safekeeping of cryptographic keys and that such keys need to be managed properly. When the key is asymmetric, it is accompanied with a certificate, but the security sensitive part remains the key itself.
Put yourself in the shoes of a CISO of a financial corporation. You must ensure the keys for your webservers (over a hundred in many cases) are managed to a certain standard for data protection purposes (PCI compliance and privacy protection), and also your payment applications, both on the issuance and authorisation side, must be managed to a much higher security grade to mitigate threats. That adds up to several hundreds if not thousands of symmetric and asymmetric keys used throughout your fragmented IT infrastructure and under the "control" of dozens of different application owners. Even if you had a unified overview of your cryptographic estate and key assets, the current procedures currently in place are likely to be very complex, time consuming and costly when implementing any updates or changes. In such context - how do you ensure that the right key is always at the right place at the right time? And how do you respond to disaster recovery scenarios in case of security flaws or breaches?
The answer is simple. You cannot effectively manage and protect your most valuable security assets, i.e. the keys, if you don´t have the adequate procedures and systems in place.
How to manage cryptographic keys across a large organisation
The first step is to get an overview of your keys to be able to realistically assess your in-house capacity for effectively managing keys throughout their life cycle, incl. possible DR scenarios.
At Cryptomathic, we have developed a key scanning tool, which scans the network and identifies the important information about the cryptographic key material being used - this helps you get a valuable overview of the crypto infrastructure to better manage your priorities.
The second step is to regain control over the keys spread throughout your environment and assign a small security team for managing these keys centrally, in a streamlined and efficient manner. Remember that there will possibly be hundreds if not thousands of keys, so setting up and enforcing policies, grouping keys in key sets and building automation and workflow for generating, approving, distributing and renewing keys is vital. To solve these issues, Cryptomathic provides the most advanced key management solution to effectively manage large numbers of cryptographic keys throughout their life cycle - whether the security target is a customer facing webserver or a back-end payment application.
The video above, briefly introduces how easy it is to manage and update keys and certificates for webservers, and virtually any other application, using Cryptomathic's Crypto Key Management System (CKMS).
For more reading on key management solutions from Cryptomathic visit: /products/key-management
Or contact us on firstname.lastname@example.org