Common PKI Certificate Management Mistakes and How to Avoid Them
As cyber attacks grow worse by every measure, effective data encryption becomes essential for organizations both large and small. Central to that effort is public key infrastructure (PKI): a way to secure the electronic transfer of information through data encryption. PKI ensures that data is encrypted in transit and that only authorized parties can access it.
PKI can be compromised and cause a data breach if not managed properly. The volume of digital certificates involved and the velocity of data changing hands make PKI vastly more complex than in years past. That said, the most common and consequential PKI certificate management mistakes trace back to human error and poor planning. That’s good news, ultimately, because it means that perfecting PKI doesn’t require a massive budget, a huge staff or sophisticated capabilities — it simply requires careful management.
Explore some of the most common PKI certificate management mistakes, which we have outlined below, followed by PKI security best practices. Preventing these mistakes is the most effective and economical way to make ironclad encryption the centerpiece of cybersecurity.
Common PKI Certificate Management Mistakes
Here is where internal certificate management frequently goes awry:
- Self-Issuance — In order to save time or money, organizations may issue their own certificates rather than acquire certificates through a third-party authority. Self-issued certificates are usually for internal use and not managed centrally. They’re also stored internally in locations that are vulnerable to compromise.
- Infrequent Rotation — Certificates and keys have a lifespan after which they lose their efficacy. Failing to rotate them frequently puts the network at extreme risk. However, doing so consistently represents a major undertaking given the massive number of users and devices involved.
- Manual Processes — PKI that depends on manual processes and human input increases the likelihood of mistakes. The amount of work involved exceeds what any person or team can do efficiently, and the complexity of the work makes errors unavoidable.
PKI Security Best Practices
Most organizations practicing PKI will be familiar with the above mistakes from personal experience. Though they may be common, they're not inevitable if PKI security best practices are applied to every activity. Follow these without exception:
- Design Carefully — Infrastructure that’s well-designed from the start is both easier to manage and less vulnerable to risk. Components to consider include certificates’ uses (now and later), which certificate authority will issue them and whether the PKI will live on-premises or in the cloud. Most importantly, if the organization lacks the internal expertise to build the infrastructure, seek it from an external source rather than compromising the design.
- Audit Extensively — As the number of certificates increases exponentially, companies must keep track of each one. That begins by auditing the IT ecosystem. Do so regularly and thoroughly — or enlist third-party help — to ensure that overlooked certificates do not result in catastrophic (but preventable) problems.
- Store Securely — As the core of PKI, the private keys of root and issuing certificate authorities require the greatest security. PKI security best practices dictate storing them on a hardware security module (HSM) for maximum protection. Conversely, best practices discourage storing them on devices connected to the internet.
- Automate Widely — Relying on automation to issue, revoke and renew certificates insulates these critical processes from human errors while ensuring they can run at the speed and scale required by modern enterprise. Automated PKI management solutions can also reduce the budget and staff required to manage certificates and keys.
- Rotate Regularly — A PKI is never static. Best practices recommend rotating certificates and keys out regularly. Proactive rotation can be a labor-intensive undertaking without assistance, but it ensures that outdated, compromised or otherwise vulnerable assets do not put the organization at risk.
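The audit, storage and rotation practices above can be run as a policy check over a certificate inventory. The following Python is an added example, not code from the original article or any vendor; the inventory records, field names and thresholds (a 30-day renewal window and a 398-day maximum leaf lifetime) are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real certificates). Field names are
# assumptions about what a discovery scan or CA export would provide.
INVENTORY = [
    {"cn": "www.example.test", "issuer": "Example Issuing CA", "owner": "web-team",
     "not_before": "2024-01-10", "not_after": "2025-01-09", "key_store": "hsm"},
    {"cn": "build.internal.test", "issuer": "build.internal.test", "owner": "",
     "not_before": "2019-03-01", "not_after": "2029-03-01", "key_store": "disk"},
    {"cn": "vpn.example.test", "issuer": "Example Issuing CA", "owner": "netops",
     "not_before": "2024-02-01", "not_after": "2024-06-20", "key_store": "disk"},
    {"cn": "Example Issuing CA", "issuer": "Example Root CA", "owner": "pki-team",
     "not_before": "2022-01-01", "not_after": "2027-01-01", "key_store": "disk",
     "is_ca": True},
    {"cn": "old-api.example.test", "issuer": "Example Issuing CA", "owner": "api-team",
     "not_before": "2023-04-01", "not_after": "2024-04-01", "key_store": "hsm"},
]

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def audit(inventory, now, renew_window_days=30, max_lifetime_days=398):
    """Return {cn: [findings]} for every certificate that violates policy."""
    report = {}
    for cert in inventory:
        start, end = _day(cert["not_before"]), _day(cert["not_after"])
        is_ca = cert.get("is_ca", False)
        findings = []
        if end <= now:
            findings.append("expired")
        elif end - now <= timedelta(days=renew_window_days):
            findings.append("renew-now")
        # Lifetime and self-issuance checks apply to leaf certificates only.
        if not is_ca and (end - start).days > max_lifetime_days:
            findings.append("lifetime-exceeds-policy")
        if not is_ca and cert["issuer"] == cert["cn"]:
            findings.append("self-issued")
        if not cert.get("owner"):
            findings.append("no-owner")
        if is_ca and cert.get("key_store") != "hsm":
            findings.append("ca-key-not-in-hsm")
        if findings:
            report[cert["cn"]] = findings
    return report

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for cn, findings in audit(INVENTORY, now).items():
        print(f"{cn}: {', '.join(findings)}")
```

Run on a schedule against a fresh inventory export, the findings list becomes the work queue for renewal and cleanup.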
Best PKI Management Solutions
Understanding what best practices to follow — and what pitfalls to expect otherwise — is an important first step. However, executing those best practices consistently and comprehensively is easier said than done.
PKI management software handles the heavy lifting to such an extent that any organization can use certificates and keys to secure its network. The best solutions offer a one-stop-shop model equipped to issue all types of certificates, along with a transparent and predictable pricing structure. Top options also rigorously abide by the PKI security best practices outlined above while basing all their claims in reality.
Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).