Thales Blog

5 Needed Zero-Trust Answers on Taming Certificate Sprawl

November 3, 2022

Sol Cates | Principal Technologist, Data Protection

The exponential growth in the digital landscape and increased adoption of multiple cloud-based platforms and technologies have made trust more complicated than ever. IT and DevOps teams are finding it more difficult than ever to manage emerging risks and challenges using traditional tools and practices. Remote and hybrid workforces are making things harder to manage since security perimeters have become a moving target and digital identities are now the new corporate boundary to defend.

The challenges of certificate sprawl

Digital identities are closely associated with digital certificates. Hence, the number of certificates owned and administered by businesses has also skyrocketed. This certificate sprawl is moving cybersecurity into uncharted waters. Mapping these certificates to their owners – both humans and connected machines – and to their functions requires resources. Having and maintaining visibility into your distributed infrastructure is essential to understand the impact on your security footprint.

However, these certificates have definite lifecycles, which are becoming shorter and shorter. Effectively managing all these lifecycles can quickly become a nightmare when you consider that they are not uniform, turning security into a liability. Poor or weak certificate lifecycle management can become a direct weapon for any adversary seeking to disrupt operations or compromise sensitive and proprietary information.

These certificates are provisioned by trusted Certificate Authorities (CAs), and businesses leverage the powers of Public Key Infrastructure (PKI) to manage their lifecycle. One consequence of technology and certificate sprawl is that businesses now rely on multiple CAs for their digital certificates, which makes certificate revocation a complex issue. How can you sustain a single pane of glass across your entire infrastructure?

Certificate revocation closely relates to another pressing topic: visibility. Every organization needs clear and consistent visibility into its certificate landscape – where these certificates are deployed and who the owners are. Visibility is also essential to detect potential vulnerabilities, rogue certificates, nearly expired ones, or weak cryptographic keys and algorithms. Once you have identified the vulnerabilities, it is easier to launch the required remediation controls by enforcing the standing corporate security policies.

Considerations for effective certificate management

When managing this diverse certificate landscape, organizations should consider the following points before they become pain points:

  • Establish uniform security up to the edge of the technology stack to minimize complexities
  • Mitigate outside risks to your ecosystem, for example, because of a vulnerable code component or a flawed IoT device connected to your network
  • Effectively manage all third-party tools and vendors under a unified dashboard

5 questions seeking an answer

Many businesses opt for deploying homegrown PKI solutions to manage all the certificates. However, practice has proved that DIY PKI does not allow you to scale and is certainly not built for certificate sprawl. Before deploying your internal PKI solution, you must consider several factors besides the cost and the resources required for maintaining this PKI, including:

  • Can you manage all the IoT certificates that are injected into your network?
  • Can you manage things like teleconferencing whiteboards that are deployed with certificates onboard?
  • Can you perform network scans and discover all these connected things, cloud workloads, and ephemeral instances that make up your environment?
  • How can you manage all the certificates and the associated cryptographic keys used to authenticate and verify all your machines?
  • Can you effectively manage the diverse lifespans of all your certificates?

Failure to answer all of the questions above may have substantial implications. Expired certificates may result in devices that stop working, service outages, and downtime. As a result, production could be hampered, revenue decreased, and customer experience damaged.

How to tame the certificate sprawl

The answer to these five questions is to invest in an enterprise-grade, centralized certificate lifecycle management solution. This solution must provide five foundational functions, namely:

  • Asset and certificate discovery
  • Orchestration and comprehensive reporting
  • Early warning notification, integrated with enterprise workflows
  • Automation
  • Agility with CA integration
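As an added illustration of the visibility checks described earlier (certificates that are nearly expired, use weak keys or signature algorithms, or have no known owner) and of the discovery, reporting and early-warning functions just listed, here is a small audit run over a constructed certificate inventory. This is example code written for this page, not Thales's product code. It assumes the record fields have already been extracted by a discovery scan, the policy thresholds (30-day warning window, 2048-bit RSA, 256-bit EC, SHA-1/MD5 as weak) are assumptions for the example, and every certificate entry is constructed sample data.

```python
"""Policy audit over a constructed certificate inventory (example code, not Thales's)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Policy thresholds: assumptions for this example, not a published Thales policy.
WARN_DAYS = 30                      # early-warning window before expiry
MIN_RSA_BITS = 2048
MIN_EC_BITS = 256
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}


@dataclass(frozen=True)
class CertRecord:
    """Fields a discovery scanner would extract from one X.509 certificate."""
    subject: str
    issuer: str           # which CA issued it; multi-CA estates are the norm
    not_after: datetime
    key_alg: str          # "RSA" or "EC"
    key_bits: int
    sig_alg: str
    owner: Optional[str]  # None means nobody has claimed this certificate


def check_certificate(rec: CertRecord, now: datetime) -> List[str]:
    """Return policy findings for one record; an empty list means it is clean."""
    findings: List[str] = []
    remaining = rec.not_after - now
    if remaining <= timedelta(0):
        findings.append("expired")
    elif remaining <= timedelta(days=WARN_DAYS):
        findings.append(f"expires-in-{remaining.days}d")   # early-warning case
    if rec.key_alg == "RSA" and rec.key_bits < MIN_RSA_BITS:
        findings.append(f"weak-rsa-{rec.key_bits}")
    elif rec.key_alg == "EC" and rec.key_bits < MIN_EC_BITS:
        findings.append(f"weak-ec-{rec.key_bits}")
    if rec.sig_alg in WEAK_SIG_ALGS:
        findings.append(f"weak-sig-{rec.sig_alg}")
    if rec.owner is None:
        findings.append("unowned")
    return findings


def audit_inventory(records, now: datetime) -> Dict[str, List[str]]:
    """Map subject -> findings for every record that has at least one finding."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        findings = check_certificate(rec, now)
        if findings:
            report[rec.subject] = findings
    return report


def certs_by_ca(records) -> Dict[str, List[str]]:
    """Group subjects by issuing CA: the single-pane view across multiple CAs."""
    groups: Dict[str, List[str]] = {}
    for rec in records:
        groups.setdefault(rec.issuer, []).append(rec.subject)
    return groups


# Fixed reference time so the sample audit is reproducible (the post's date).
NOW = datetime(2022, 11, 3, tzinfo=timezone.utc)

# Constructed sample inventory: hostnames, CAs and owners are invented.
SAMPLE_INVENTORY = [
    CertRecord("api.example.internal", "Internal-CA", NOW + timedelta(days=400),
               "RSA", 2048, "sha256WithRSAEncryption", "platform-team"),
    CertRecord("whiteboard-7f.example.internal", "Vendor-CA", NOW + timedelta(days=10),
               "RSA", 2048, "sha256WithRSAEncryption", None),
    CertRecord("legacy-iot-sensor-01", "Vendor-CA", NOW - timedelta(days=5),
               "RSA", 1024, "sha1WithRSAEncryption", "ot-team"),
    CertRecord("edge-proxy.example.com", "Public-CA", NOW + timedelta(days=60),
               "EC", 256, "ecdsa-with-SHA256", "netops"),
]

if __name__ == "__main__":
    for subject, findings in audit_inventory(SAMPLE_INVENTORY, NOW).items():
        print(f"{subject}: {', '.join(findings)}")
    for ca, subjects in certs_by_ca(SAMPLE_INVENTORY).items():
        print(f"{ca}: {len(subjects)} certificate(s)")
```

In a real deployment the records would come from the discovery step (network scans, cloud API listings, agent reports) rather than an inline list, and the findings dictionary is what feeds the early-warning notifications and the per-CA reporting view.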

Besides the management of all your certificates everywhere, all the time, it is also important that you protect the associated cryptographic keys. Deploying a Hardware Security Module (HSM), such as the ones offered by Thales, allows you to create trust anchors that protect your cryptographic infrastructure by securely managing, processing, and storing all your crypto keys inside a hardened, tamper-resistant device.

By establishing a robust certificate lifecycle management strategy combined with tamper-proof protection of your encryption keys, you are taking the first steps toward a Zero Trust approach in your cybersecurity posture. What is more, you can control your security, achieve compliance with any regulatory framework and maintain digital sovereignty, which is especially important in the European Union and elsewhere.

If you want to learn more about this pressing and crucial topic, watch the webinar “Taming Identity, Device, and Certificate Sprawl”, hosted by DigiCert, where I joined Brian Trzupek, Senior Vice President of Product at DigiCert, for a fascinating chat.