SlideShare ist ein Scribd-Unternehmen logo

Five Must Haves to Prevent Encryption Disasters

Venafi
Venafi

Simple errors, old and weak cryptography, and alarming, malicious attacks are turning digital certificates and encryption keys into an expressway to downtime, targeted attacks, failed compliance, and data breaches. Fortunately, there are simple steps you can take to make sure your organization doesn’t fall victim. From online banking to the production line, thousands of certificates and keys in every enterprise are the difference between controlling success or failure. In this live webinar, learn how enterprises are using NIST and industry best practices to develop an effective Enterprise Key and Certificate Management strategy. Go to http://www.venafi.com/five-musts-ekcm/ to view the full On Demand Webinar.

BildungTechnologie
1 von 34
Downloaden Sie, um offline zu lesen
5 Must Haves to Prevent Encryption Disasters Prepared for: Intelligent People 1 © 2013 Venafi
Agenda • Brief review of major enterprise key and certificate management challenges • Best practices… – Preventing downtime – Increasing private key security – Preparing for and responding to CA compromise • Q&A 2 © 2013 Venafi
Certificate and Key Management Challenges Certificate Authorities 3 © 2013 Venafi
Setting Up for Success EKCM is Cross-Functional Auditor InfoSec • Internal Policies • Data Security • External Regulations • Policy Enforcement • Separation of Duties • Compliance Reporting • Compliance • Audit Readiness • Reporting Admin Datacenter CA Manager Manager Admin Admin App Owners IT Operations • System Availability Admin • Operational Efficiency • Best Practices Biz Units • Monitoring • SLAs • Management • Speed of Deployment • Config Automation • Reporting • Cost of Service 4
Roles/Stakeholders • PKI admin(s) • System administrators • Business application owners • Network team • Auditors • Executives • NOC • SOC • Help desk • … 5 © 2013 Venafi
Recipe for Disaster PKI Admin System Administrators 6 © 2013 Venafi
Preventing Downtime Due to Certificate Expirations 7 © 2013 Venafi
Causes of Downtime Operational causes: 1. Poor inventory, tracking, and management of certificates • End entity certificates • Intermediate roots Technical causes: • Roots • End entity certificate 2. Poor Execution expires • Correct administrators NOT • Intermediate root notified of impending certificate expires expiration • Root certificates not • Administrators notified but no updated on relying action taken parties • Renewed certificates not properly installed • Certificates installed but applications not restarted 8 © 2013 Venafi
High-level Steps for Preventing Downtime  Create an inventory  Check for certificates expiring imminently  Compile and maintain contact information for each certificate/key  Monitor for expiration and notify  Validate certificate/key installation and operation  Report 9
Establishing a Comprehensive Inventory Internal & Systems with External CAs 3 Agent-based Certificates Discovery Certificate Inventory A A Database 1 Import A from CAs A A 4 Individual Import A by Admins 2 Network A Discovery A A Network Discovery A - Agents Engines 10
Establishing Initial Ownership Notify Groups Certificate Authorities Certificate Inventory Database 5 4 1 Export Maintain Notify 3 Import Certificate Contact Turn into Certificate Contact 2 Logical www.abcd.com rex@abcd.com Groups www.abcd.com IT finance1.abcd.com ethel@abcd.com finance1.abcd.com Finance ecom.abcd.com rex@abcd.com Finance ecom.abcd.com IT mktg-4.abcd.com lester@abcd.com mktg-4.abcd.com Marketing IT hr1.abcd.com leroy@abcd.com hr1.abcd.com HR dmz-34.abcd.com rex@abcd.com HR dmz-34.abcd.com IT acctg.abcd.com ethel@abcd.com acctg.abcd.com Finance Marketing pr-fud.abcd.com lester@abcd.com pr-fud.abcd.com Marketing brain.abcd.com bubba@abcd.com ThinkTank brain.abcd.com ThinkTank cto.abcd.com bertha@abcd.com cto.abcd.com IT 11 © 2013 Venafi
Ongoing Ownership Management • System administrators are regularly reassigned • It is critical to have up-to-date ownership information for… – Expiration notifications – Notifications in case of compromise or algorithm breakage – Other communications • Invalid notification is worse than no notification at all Terminated Inventory system Reorg must enable System Admins to maintain ownership information 12 © 2013 Venafi
Notify on Expiration Reports Expiring < 15 days www.venafi.com 2/15/13 ecom.venafi.com 2/17/13 mktg.venafi.com 2/19/13 eng.venafi.com 2/29/13 Expiring <30 days srv1.venafi.com srv2.venafi.com 3/15/13 3/17/13 Emails Escalations srv3.venafi.com 3/19/13 srvi4.venafi.com 3/29/13 Yo! Career Expiring <90 days srv5.venafi.com 5/15/13 Whassup? limiting… srv6.venafi.com 6/17/13 90 60 30 15 10 5 Expired 13 © 2013 Venafi
Expiration Notifications Alone Don’t Cut It Cert in service Cert in (e.g. on network) keystore time 1. Steady 2. New Cert 3. New Cert 4. App Reset x. Old Cert State from CA Installed for New Cert Expires Old Cert. New Cert Application Renewal Window 14 © 2013 Venafi
Monitoring and Validation Onboard Validation Notifications Network Mismatch KeystoreMismatch Certificate Expiring Network Validation New Cert New Cert App Uses Old Cert from CA Installed New Cert Expires Old Cert. New Cert Application Cert Expiration Alerts … 90 60 30 days Keystore Mismatch Events Network Mismatch Events 15 © 2013 Venafi
Private Key Security 16 © 2013 Venafi
Putting Private Keys at Risk Same password used on multiple keystores. Private keys and Keystore 2 passwords are not Password = abc123 changed when admins Keystore leave the organization passwords are not changed regularly. Keystore 1 Password = abc123 Server Server Performance Monitoring Customer Experience Monitoring Admins manually manage private keys, Security Monitoring making it possible to copy them. Private keys are manually passed to other groups/admins for distribution. 17 © 2013 Venafi
Preventative Measures • Implement hardware security modules (HSMs) – Considerations: • Cost (initial and ongoing) • Application compatibility • Migration time • Intermediation (separate admins from keys) 18 © 2013 Venafi
Establishing EKCM Policies Eliminating Admin Access to Keys Ensure support for Remove direct administrator secure distribution access to private keys through across multiple automation. Maintain complete platforms and store audit log of all types. operations. Web Server Provide console for private key and certificate management. • Separate credentials for login • Granular access rights – separation of duties • No access to private keys unless required • Dual control (oversight) • Admin entitlement reporting • Audit trail of admin operations 19 © 2013 Venafi
Preparing for and Responding to CA Compromise …and other eventualities 20 © 2013 Venafi
CA Compromise and Fraudulent Certificate Scenarios Root CA Compromise: Hacker is able to issue fraudulent certificates from CA Key Theft: Stolen or E Root CA (via system or derived copy of CA private signing key compromise). D key is used to issue Root fraudulent certificates. CA CA System Compromise: Malware or other infiltration used to get fraudulent certificate signed by CA RA Compromise: CA (without getting copy Infiltrate RA or steal of CA private key). credentials and authorize fraudulent certificates. B C Impersonation: Trick RA into issuing RA a fraudulent certificate. A Subject Hacker 21 © 2013 Venafi
High Level Considerations • Preventing CA compromise – Use and maintain high security for CA(s) – Mandate regular audits • Detecting rogue certificates – Anomaly and fraud detection on all applications • Replacing certificates after a CA compromise… 22 © 2013 Venafi
Recent Public Certificate Authority & Counterfeit Certificate Incidents Year Incidents • VeriSign issues Microsoft Corporation code signing 2001 certificate to a non-Microsoft employee. • Thawte issues certificate for Live.com to non-Microsoft employee 2008 • Comodo issues mozilla.org certificate to Startcom • Organization forges VeriSign RapidSSL certificates • Comodo issues nine counterfeit certificates (Google, Yahoo, Live, etc.) when registration authority is compromised. • StartSSL CA compromised 2011 • DigiNotar compromised. 531 fraudulent certificates issued. Dutch government experiences major service outages. • Boeing CA compromised 2012 • Microsoft CA certificates forged by exploiting MD5 (Flame) 2013 • Buster Paper Comercial gets code signing certificate * Electronic Freedom Foundation uncovers many more unpublicized CA 23 incidents by analyzing CRLs from public CAs © 2013 Venafi
NIST Alert on CA Compromise http://csrc.nist.gov/publications/nistbul/july-2012_itl-bulletin.pdf These recent attacks on CAs make it imperative that organizations ensure they are using secure CAs and are prepared to respond to a CA compromise or issuance of a fraudulent certificates. - NIST, July 2012 24
CA Compromise & Counterfeit Certificate and Remediation Matrix Remove Root Revoke Cert from Counterfeit Revoke CA Replace All Relying Certificates Cert Certs from CA Parties A. Impersonation B. RA Compromise C. CA System Compromise D. CA Signing Key Compromise E. Root CA Compromise 25 © 2013 Venafi
Detailed Steps for Preparing for & Responding in the Venafi Best Practices Document Preparing for a CA Compromise Relying  a. Review CA Security and Communications: Once you have a complete list  a. Certificate Replacement Plan: If a CA is compromised, that CA’s certificate  a. Revocation Checking: Ensure that revocation checking is enabled and  Preparatory Steps  CA  Subject  Party  of all CAs in use in your environment—which may involve replacing  must be revoked and all of the certificates issued by the CA become invalid  mandatory (i.e. operations or transactions cannot proceed if the status of  a. Develop, Communicate, and Track Compliance with Certificate  certificates from unapproved CAs—review the security practices for each  and must be replaced. In environments with large numbers of active  the certificate cannot be checked due to an unavailable CRL or OCSP  Policies and Procedures : The installation and management of  CA (internal and external) to assure yourself that the CAs are minimizing  certificates, large‐scale replacements can be very disruptive and can cause  responder). All standard builds and images (e.g. operating systems and        certificates and private keys is generally very distributed within  the risks of compromise. Review how each CA is monitored for potential  operations to stop for extended periods of time. Therefore, it is critical to  applications) should have revocation checking enabled. In addition,  enterprises, where installation and oversight typically falls to the  compromise and the response and communication plans in place in case of  have a well‐defined plan for replacing certificates in a rapid yet orderly  wherever possible, application configuration management systems should  each administrator responsible for the machines and applications  a compromise. Ensure that the CA knows who within your organization to      fashion.   be used to ensure that revocation checking is not turned off.    where the certificates are deployed.  This increases the possibility  contact. It is important to review the security of your CAs (internal and          b. Overall Response Plan: Organizations must have an overall CA  that best practices will not be followed. Consequently, it is important  external) on a periodic basis.   An inventory and list of owners serve as the foundation for a rapid  to define, communicate, and educate personnel on clear policies and    compromise response plan. This plan must identify key points of contact  response by ensuring that all certificate owners can be contacted when a  procedures. Recommendations for these policies and procedures are  (who should be contacted first in case a compromise is detected),  Ensure that you are not using a root CA to issue end‐entity certificates. If a  compromise occurs. Certificate owners must also understand the steps for  provided in the preparation steps below as well as other best  delineate roles and responsibilities, provide a communications plan (to      root is being used to issue end‐entity certificates, replace those certificates  replacing certificates. However, since many certificate owners do not    Subjects, Relying Parties, executives, etc.), specify a certificate  practices from Venafi.  with certificates from an Intermediate CA.  perform certificate operations frequently, they will likely need assistance.        replacement plan, provide a CA migration plan, and support other  b. CA Transition Plan: If a CA is compromised, you must obtain certificates  It is therefore important to have a plan for staffing a help desk to handle  b. Establish and Maintain Certificate Inventory: An important step in  elements described in this document.  from another CA. It is best to have plans in place for the new CA before a  the large number of support requests as all certificates are replaced. If high  preparing for a CA compromise is building a comprehensive inventory  CA compromise occurs. For external CAs, it may good to maintain a  priority systems and certificates have been identified during the inventory  of the certificates and private keys deployed in your environment.    relationship with multiple CAs so that contractual relationships are in place  process, the replacement plan should also include steps for ensuring those  This includes tracking precisely which CAs are used by which        prior to a CA compromise event that requires you to move away from a  certificates are replaced early in the process.   platforms and applications so that appropriate action can be taken if  one of them is compromised. A comprehensive inventory also  vendor entirely. For internal CAs, implement a plan for rapidly establishing  Finally, it is important to have a method for monitoring the replacement of  enables you to identify all certificates that need to be replaced in the  a new CA in the event of a compromise.  certificates so that it is clear which systems are not safe, where problems  case of a compromise and to validate that they are actually replaced.   are occurring and when the process is complete. This monitoring and  c. Education: Responding to a CA compromise involves multiple stakeholders    tracking also makes it possible to report back to executives and other  and roles. A response will be more successful if individuals in each of those  stakeholders. A target timeframe should be set for the amount of time  A good first step in establishing an inventory is requesting a list of  roles are educated beforehand. Here are some examples:  required to replace certificates and get systems and business applications  issued certificates from your known CAs. However, this may not  a. CA Management Personnel: Provide education on monitoring for  back in operation.  account for all certificates in use in your environment, as some  compromise events and procedures for taking remedial action  systems might use other, unknown CAs or self‐signed certificates of  b. Root Inventory: Establish an inventory of all roots that are trusted in your  (including communication plans) if a compromise occurs.  organization and establish a plan for replacing them if necessary. This step  which you are not aware. It is often prudent to perform a manual        b. Certificate Owners (Subjects): Ensure that all certificate owners  is important in case a root CA is compromised and a root must no longer        inventory (asking all administrators to report the certificates they are  understand the consequences of a CA compromise and the  responsible for) or automated inventory (performing automated  be trusted.  importance of maintaining up‐to‐date contact information so that  network and/or file scans to discover certificates).   they can be notified in case of a compromise. In addition,            certificate owners should understand the steps they would take to  rapidly replace their certificate(s) if a compromise occurs.   While creating an inventory, it is critical to identify owners for each  c. Relying Parties: Ensure that all Relying Parties (i.e. owners of  certificate and contact information. This enables you to rapidly  systems that check certificates to authenticate or communicate  contact all appropriate owners if a compromise occurs so they can  with other systems) understand the importance of configuring all  take action. Because certificate deployments and owners change, it is  systems to check revocation status. These checks ensure that  important to implement a system for keeping inventory and  systems do not trust certificates that have been revoked by the  ownership information up to date.   issuing CA. If revocation checking is interfering with operations,    Relying Parties should notify the central PKI organization to  determine ways of addressing the issues without disabling the  You should periodically analyze the collected inventory data. Then  CA Key or System Impersonation RA Compromise Compromise Root CA Compromise Relying  Relying  Relying  Relying  Steps  CA  Subject  Party  Steps  CA  Subject  Party  Steps  CA  Subject  Party  Steps  CA  Subject  Party  a. Revoke the Fraudulent Certificate      a. Revoke the Fraudulent Certificate      a. Revoke the certificate of the compromised CA.      a. Revoke all non‐expired certificates issued from the CA and issue a            final CRL.    b. Notify the Subject of the Fraudulent Certificate      b. Revoke the credentials of the compromised RA (issuing new  b. Establish a point of contact or help desk to answer questions and            credentials if the RA will resume its duties).    provide support.    b. Establish a point of contact or help desk to answer questions and  c. Notify potential Relying Parties to ensure they are checking for  provide support.        revocation. This notification may be provided through direct      c. Carefully check all logs to ensure that all fraudulent certificates  c. Notify all Subjects who have been issued certificates from the    communication or public relations announcements.  have been identified and revoked.        compromised CA that their certificate will need to be replaced and  c. Notify all CAs that have been issued certificates from the root CA        provide instructions.  that those CAs are no longer valid. Ensure they contact the Subjects  d. Notify vendors of software or systems used by Relying Parties (e.g.  d. Notify the Subject(s) of the Fraudulent Certificate(s)            to whom they have issued certificates that those certificates are no    browsers). If the potential use of the fraudulent certificate will have  d. Notify potential Relying Parties to ensure they are checking for  longer valid and must be replaced.  a high impact, it may make sense for software and system vendors        e. Notify potential Relying Parties to ensure they are checking for  revocation. This notification may be provided through direct      to explicitly block the use of the fraudulent certificate.  revocation. This notification may be provided through direct          communication or public relations announcements.  d. Notify vendors of software or systems that include the certificate  communication or public relations announcements.  for the compromised root CA in their product trust stores that the  e. Ensure that revocation checking is enabled and mandatory (i.e.        e. Notify vendors of software or systems used by Relying Parties (e.g.  certificate must be removed.  operations or transactions cannot proceed if the status of the  f. Notify vendors of software or systems used by Relying Parties (e.g.  browsers). If the potential use of the fraudulent certificate will have  certificate cannot be checked due to an unavailable CRL or OCSP        browsers). If the potential use of the fraudulent certificate will have      e. Notify all Relying Parties to inform them that the root certificate for  a high impact, it may make sense for software and system vendors    responder).  a high impact, it may make sense for software and system vendors        to explicitly block the use of the fraudulent certificate.  the compromised root CA must be removed from their trust stores.  to explicitly block the use of the fraudulent certificate.  This notification may be provided through direct communication or          f. Replace all certificates from the compromised CA with new  public relations announcements.  g. Ensure that revocation checking is enabled and mandatory (i.e.  certificates from a different CA. For internal CAs, this may involve  operations or transactions cannot proceed if the status of the      f. Notify all Subjects who have been issued certificates from the  setting up a new CA. For external CAs, this may involve enrolling for    certificate cannot be checked due to an unavailable CRL or OCSP        new certificates.  compromised CA that their certificate will need to be replaced and      responder).    provide instructions.  g. Inform all potential Relying Parties of the new CA that will be used.           g. Replace all certificates from subordinates of the compromised root  h. If a new root is required to validate the new certificates, make it  CA with new certificates from different CAs. For internal CAs, this  available for secure distribution to all potential Relying Parties.        may involve setting up a new CA. For external CAs, this may involve        enrolling for new certificates from a different CA from the same  i. If a new root certificate is required to validate certificates, install      vendor or selecting a different vendor.  this root certificate in all necessary trust stores.    h. Inform all potential Relying Parties of the new CA that will be used.       j. Ensure that revocation checking is enabled and mandatory (i.e.    operations or transactions cannot proceed if the status of the  i. If a new root CA is established, make the root certificate for the  certificate cannot be checked due to the unavailability of the CRL or        new CA available for secure distribution to all potential Relying      OCSP responder.)     Parties.  k. Track the replacement of certificates through the completion of the  j. If a new root certificate is required to validate certificates, install  process.         this root certificate in all necessary trust stores.          k. As an ongoing precaution, ensure that revocation checking is  enabled and mandatory (i.e. operations or transactions cannot        proceed if the status of the certificate cannot be checked due to the  26 © 2013 Venafi
Preparing for a CA Compromise Document Clear Ensure only Approved A Certificate Roots are Trusted K Policies Inventory Root CAs that are Trusted on Create CA Relying Party Systems J B Compromise Response Plan Enforce Revocation Checking on Relying I Educate all C Stakeholders Party Systems Systems Trusting CAs Certificates D (Relying Parties) Review CA Security and Systems Where E Communications Policies Certificates are F Establish Installed (Subjects) Inventory Backup CA Server-side Plans G and Client- Certificate Verify that side Certs Owners only Approved H CAs are used. Identify Cert Owners (Subjects) and Relying Parties 27 © 2013 Venafi
Responding to a CA Compromise Validate That Revocation Validate Checking is Enabled on Cert & Root Establish Clear Relying Party Systems G H Understanding of Replacement A What Occurred (What Type of Compromise, etc.) B Activate Help Desk Track and I Report on Remove/ F Progress Replace Root Certificates Replace E Revoke Certificates C Certificates & Establish New CA(s) D Notify Subjects, Relying Parties, and Vendors 28 © 2013 Venafi
The Threat is Evolving Stuxnet CA Compromises Adobe Duqu Flame Buster Attackers stole private Attackers Attackers exploited keys from two compromise or dupe MD5 to create a face Taiwanese companies certificate authorities Microsoft CA and Adobe to sign to issue fraudulent certificate and then code. certificates for further sign code. attacks. Hackers are increasingly targeting public key infrastructure for attacks because it is a broadly used security mechanism. Poor certificate management practices put you at risk. 29 © 2013 Venafi
Diagram of PKI Ecosystem Root CA Issuing CA Certificate Issuing CACA Registration CRL Authority CRL OCSP Responder End Entity Certificate CRL Distribution Subject Point Root Relying Certificate Party 30 © 2013 Venafi
Certificate and Key Management Challenges Certificate Authorities 31 © 2013 Venafi
Summary of Best Practices • Create an inventory • Analyze the inventory and policy compliance • Compile and maintain ownership information for each certificate/key • Monitor, validate, and notify • Manage enrollment • Optimize and secure provisioning – Private Key Management • Educate all stakeholders 32
Next Steps • Attend the third part of this webinar series: “Establishing EKCM policies and Ensuring Today’s Presentation Compliance” Mar 21, 11am EST, 8am PST, 4pm GMT • Download NIST’s ITL Bulletin: “Preparing for and Responding to CA Compromise” NIST ITL Bulletin www.venafi.com/NIST • Questions? – Paul Turner 33 info@venafi.com © 2013 Venafi. All rights reserved.
Unpublished Work of Venafi, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners. 34 © 2013 Venafi

Empfohlen

Four Must Know Certificate and Key Management Threats That Can Bring Down You...
Four Must Know Certificate and Key Management Threats That Can Bring Down You...Four Must Know Certificate and Key Management Threats That Can Bring Down You...
Four Must Know Certificate and Key Management Threats That Can Bring Down You...Venafi
 
Adding intelligence to your dcim solution rf code
Adding intelligence to your dcim solution rf codeAdding intelligence to your dcim solution rf code
Adding intelligence to your dcim solution rf codeAFCOM
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementNovell
 
Declarative security-oes
Declarative security-oesDeclarative security-oes
Declarative security-oesOracleIDM
 
Session Delivery Networks for the Enterprise
Session Delivery Networks for the EnterpriseSession Delivery Networks for the Enterprise
Session Delivery Networks for the EnterpriseAcmePacket
 
Novell Identity Manager Troubleshooting
Novell Identity Manager TroubleshootingNovell Identity Manager Troubleshooting
Novell Identity Manager TroubleshootingNovell
 
Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security
Layer 7: The Importance of Standards for Enterprise SOA and Cloud SecurityLayer 7: The Importance of Standards for Enterprise SOA and Cloud Security
Layer 7: The Importance of Standards for Enterprise SOA and Cloud SecurityCA API Management
 
Layer 7 SecureSpan Solution
Layer 7 SecureSpan SolutionLayer 7 SecureSpan Solution
Layer 7 SecureSpan SolutionCA API Management
 

Empfohlen

Four Must Know Certificate and Key Management Threats That Can Bring Down You...
Four Must Know Certificate and Key Management Threats That Can Bring Down You...Four Must Know Certificate and Key Management Threats That Can Bring Down You...
Four Must Know Certificate and Key Management Threats That Can Bring Down You...Venafi
 
Adding intelligence to your dcim solution rf code
Adding intelligence to your dcim solution rf codeAdding intelligence to your dcim solution rf code
Adding intelligence to your dcim solution rf codeAFCOM
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementNovell
 
Declarative security-oes
Declarative security-oesDeclarative security-oes
Declarative security-oesOracleIDM
 
Session Delivery Networks for the Enterprise
Session Delivery Networks for the EnterpriseSession Delivery Networks for the Enterprise
Session Delivery Networks for the EnterpriseAcmePacket
 
Novell Identity Manager Troubleshooting
Novell Identity Manager TroubleshootingNovell Identity Manager Troubleshooting
Novell Identity Manager TroubleshootingNovell
 
Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security
Layer 7: The Importance of Standards for Enterprise SOA and Cloud SecurityLayer 7: The Importance of Standards for Enterprise SOA and Cloud Security
Layer 7: The Importance of Standards for Enterprise SOA and Cloud SecurityCA API Management
 
Layer 7 SecureSpan Solution
Layer 7 SecureSpan SolutionLayer 7 SecureSpan Solution
Layer 7 SecureSpan SolutionCA API Management
 
Pki enabling applications and mca implementation in tcs
Pki enabling applications and mca implementation in tcsPki enabling applications and mca implementation in tcs
Pki enabling applications and mca implementation in tcsH9460730008
 
Hh 2012-mberman-sds2
Hh 2012-mberman-sds2Hh 2012-mberman-sds2
Hh 2012-mberman-sds2Michael Berman
 
Microsoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 SecurityMicrosoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 Securitydkaya
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data CenterCisco Canada
 
NCR Hosting Services
NCR Hosting ServicesNCR Hosting Services
NCR Hosting Serviceswebhostingguy
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at ScaleCloudIDSummit
 
Technical Cyber Defense Strategies Explained!
Technical Cyber Defense Strategies Explained!Technical Cyber Defense Strategies Explained!
Technical Cyber Defense Strategies Explained!Microsoft TechNet - Belgium and Luxembourg
 
Rationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the CloudsRationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the CloudsBob Rhubart
 
PIW ISE best practices
PIW ISE best practicesPIW ISE best practices
PIW ISE best practicesSergey Kucherenko
 
Oracle security-formula
Oracle security-formulaOracle security-formula
Oracle security-formulaOracleIDM
 
Symantec Virtualization Launch VMworld 2012
Symantec Virtualization Launch VMworld 2012Symantec Virtualization Launch VMworld 2012
Symantec Virtualization Launch VMworld 2012Symantec
 
SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...
SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...
SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...Venafi
 
Symantec Infogrphic - SSL Certificate Management
Symantec Infogrphic - SSL Certificate ManagementSymantec Infogrphic - SSL Certificate Management
Symantec Infogrphic - SSL Certificate ManagementDavid Martin
 
Business Critical SSL Certificate Management - Infographic
Business Critical SSL Certificate Management - InfographicBusiness Critical SSL Certificate Management - Infographic
Business Critical SSL Certificate Management - InfographicCheapest SSLs
 
Ponemon - Cost of Failed Trust: Threats and Attacks
Ponemon - Cost of Failed Trust: Threats and AttacksPonemon - Cost of Failed Trust: Threats and Attacks
Ponemon - Cost of Failed Trust: Threats and AttacksVenafi
 
Presentation2 certificate farce
Presentation2 certificate farcePresentation2 certificate farce
Presentation2 certificate farceSandra (Sandy) Dunn
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL PracticesBrian A. McHenry
 
Mindshare Managed It Services Intro V.1
Mindshare Managed It Services Intro V.1Mindshare Managed It Services Intro V.1
Mindshare Managed It Services Intro V.1M INTERGRAPH SYSTEMS PRIVATE LIMITED
 
Cyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryCyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryProlifics
 
Feb. 28 - 5 Best Practices for Network Discovery & Management in 2013!
Feb. 28 - 5 Best Practices for Network Discovery & Management in 2013!Feb. 28 - 5 Best Practices for Network Discovery & Management in 2013!
Feb. 28 - 5 Best Practices for Network Discovery & Management in 2013!Kaseya
 
Symantec Control Compliance Suite 11, February 2012
Symantec Control Compliance Suite 11, February 2012Symantec Control Compliance Suite 11, February 2012
Symantec Control Compliance Suite 11, February 2012Symantec
 
Security Risk Management- moeshesh
Security Risk Management- moesheshSecurity Risk Management- moeshesh
Security Risk Management- moesheshMohamed Shishtawy
 

Weitere ähnliche Inhalte

Was ist angesagt?

Pki enabling applications and mca implementation in tcs
Pki enabling applications and mca implementation in tcsPki enabling applications and mca implementation in tcs
Pki enabling applications and mca implementation in tcsH9460730008
 
Microsoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 SecurityMicrosoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 Securitydkaya
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data CenterCisco Canada
 
NCR Hosting Services
NCR Hosting ServicesNCR Hosting Services
NCR Hosting Serviceswebhostingguy
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at ScaleCloudIDSummit
 
Rationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the CloudsRationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the CloudsBob Rhubart
 
Oracle security-formula
Oracle security-formulaOracle security-formula
Oracle security-formulaOracleIDM
 
Symantec Virtualization Launch VMworld 2012
Symantec Virtualization Launch VMworld 2012Symantec Virtualization Launch VMworld 2012
Symantec Virtualization Launch VMworld 2012Symantec
 

Was ist angesagt? (11)

Pki enabling applications and mca implementation in tcs
Pki enabling applications and mca implementation in tcsPki enabling applications and mca implementation in tcs
Pki enabling applications and mca implementation in tcs
 
Hh 2012-mberman-sds2
Hh 2012-mberman-sds2Hh 2012-mberman-sds2
Hh 2012-mberman-sds2
 
Microsoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 SecurityMicrosoft Days 09 Windows 2008 Security
Microsoft Days 09 Windows 2008 Security
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data Center
 
NCR Hosting Services
NCR Hosting ServicesNCR Hosting Services
NCR Hosting Services
 
CIS13: Identity at Scale
CIS13: Identity at ScaleCIS13: Identity at Scale
CIS13: Identity at Scale
 
Technical Cyber Defense Strategies Explained!
Technical Cyber Defense Strategies Explained!Technical Cyber Defense Strategies Explained!
Technical Cyber Defense Strategies Explained!
 
Rationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the CloudsRationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the Clouds
 
PIW ISE best practices
PIW ISE best practicesPIW ISE best practices
PIW ISE best practices
 
Oracle security-formula
Oracle security-formulaOracle security-formula
Oracle security-formula
 
Symantec Virtualization Launch VMworld 2012
Symantec Virtualization Launch VMworld 2012Symantec Virtualization Launch VMworld 2012
Symantec Virtualization Launch VMworld 2012
 

Andere mochten auch

SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...
SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...
SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...Venafi
 
Symantec Infogrphic - SSL Certificate Management
Symantec Infogrphic - SSL Certificate ManagementSymantec Infogrphic - SSL Certificate Management
Symantec Infogrphic - SSL Certificate ManagementDavid Martin
 
Business Critical SSL Certificate Management - Infographic
Business Critical SSL Certificate Management - InfographicBusiness Critical SSL Certificate Management - Infographic
Business Critical SSL Certificate Management - InfographicCheapest SSLs
 
Ponemon - Cost of Failed Trust: Threats and Attacks
Ponemon - Cost of Failed Trust: Threats and AttacksPonemon - Cost of Failed Trust: Threats and Attacks
Ponemon - Cost of Failed Trust: Threats and AttacksVenafi
 

Andere mochten auch (6)

SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...
SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...
SANS 20 Critical Security Control 17 Requirements for SSL/TLS Security and Ma...
 
Symantec Infogrphic - SSL Certificate Management
Symantec Infogrphic - SSL Certificate ManagementSymantec Infogrphic - SSL Certificate Management
Symantec Infogrphic - SSL Certificate Management
 
Business Critical SSL Certificate Management - Infographic
Business Critical SSL Certificate Management - InfographicBusiness Critical SSL Certificate Management - Infographic
Business Critical SSL Certificate Management - Infographic
 
Ponemon - Cost of Failed Trust: Threats and Attacks
Ponemon - Cost of Failed Trust: Threats and AttacksPonemon - Cost of Failed Trust: Threats and Attacks
Ponemon - Cost of Failed Trust: Threats and Attacks
 
Presentation2 certificate farce
Presentation2 certificate farcePresentation2 certificate farce
Presentation2 certificate farce
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 

Ähnlich wie Five Must Haves to Prevent Encryption Disasters

Cyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryCyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryProlifics
 
Feb. 28 - 5 Best Practices for Network Discovery & Management in 2013!
Feb. 28 - 5 Best Practices for Network Discovery & Management in 2013!Feb. 28 - 5 Best Practices for Network Discovery & Management in 2013!
Feb. 28 - 5 Best Practices for Network Discovery & Management in 2013!Kaseya
 
Symantec Control Compliance Suite 11, February 2012
Symantec Control Compliance Suite 11, February 2012Symantec Control Compliance Suite 11, February 2012
Symantec Control Compliance Suite 11, February 2012Symantec
 
Security Risk Management- moeshesh
Security Risk Management- moesheshSecurity Risk Management- moeshesh
Security Risk Management- moesheshMohamed Shishtawy
 
Creating a Full Privileged User Solution with Novell Privileged User Manager,...
Creating a Full Privileged User Solution with Novell Privileged User Manager,...Creating a Full Privileged User Solution with Novell Privileged User Manager,...
Creating a Full Privileged User Solution with Novell Privileged User Manager,...Novell
 
Why do Hand-picked Cherries... (2009)
Why do Hand-picked Cherries... (2009)Why do Hand-picked Cherries... (2009)
Why do Hand-picked Cherries... (2009)Marc Jadoul
 
Symantec control compliance suite
Symantec control compliance suiteSymantec control compliance suite
Symantec control compliance suiteSymantec
 
Oracle Quality of Service Management - Meeting SLAs in a Grid Environment
Oracle Quality of Service Management - Meeting SLAs in a Grid EnvironmentOracle Quality of Service Management - Meeting SLAs in a Grid Environment
Oracle Quality of Service Management - Meeting SLAs in a Grid EnvironmentAris Prassinos
 
Pre-TechEd EMEA 2012 - SCOM 2012 Down in the cloud
Pre-TechEd EMEA 2012 - SCOM 2012 Down in the cloudPre-TechEd EMEA 2012 - SCOM 2012 Down in the cloud
Pre-TechEd EMEA 2012 - SCOM 2012 Down in the cloudwwwally
 
Oracle_Cisco identity platform approach_webcast
Oracle_Cisco identity platform approach_webcastOracle_Cisco identity platform approach_webcast
Oracle_Cisco identity platform approach_webcastOracleIDM
 
Entitlement and Compliance Management: Trends and 2012 Vision
Entitlement and Compliance Management: Trends and 2012 VisionEntitlement and Compliance Management: Trends and 2012 Vision
Entitlement and Compliance Management: Trends and 2012 VisionFlexera
 
Top 5 critical changes to audit for active directory
Top 5 critical changes to audit for active directoryTop 5 critical changes to audit for active directory
Top 5 critical changes to audit for active directoryNetwrix Corporation
 
Wallix AdminBastion - Privileged User Management &amp; Access Control
Wallix AdminBastion - Privileged User Management &amp; Access ControlWallix AdminBastion - Privileged User Management &amp; Access Control
Wallix AdminBastion - Privileged User Management &amp; Access Controlzayedalji
 
Netax presentation web
Netax presentation webNetax presentation web
Netax presentation webVicky Kathuria
 
Overview of Identity and Access Management Product Line
Overview of Identity and Access Management Product LineOverview of Identity and Access Management Product Line
Overview of Identity and Access Management Product LineNovell
 
The Evolution of Customer License Management
The Evolution of Customer License ManagementThe Evolution of Customer License Management
The Evolution of Customer License ManagementFlexera
 
Managing a public cloud
Managing a public cloudManaging a public cloud
Managing a public cloudInterop
 

Ähnlich wie Five Must Haves to Prevent Encryption Disasters (20)

Mindshare Managed It Services Intro V.1
Mindshare Managed It Services Intro V.1Mindshare Managed It Services Intro V.1
Mindshare Managed It Services Intro V.1
 
Cyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryCyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities Industry
 
Feb. 28 - 5 Best Practices for Network Discovery & Management in 2013!
Feb. 28 - 5 Best Practices for Network Discovery & Management in 2013!Feb. 28 - 5 Best Practices for Network Discovery & Management in 2013!
Feb. 28 - 5 Best Practices for Network Discovery & Management in 2013!
 
Symantec Control Compliance Suite 11, February 2012
Symantec Control Compliance Suite 11, February 2012Symantec Control Compliance Suite 11, February 2012
Symantec Control Compliance Suite 11, February 2012
 
Security Risk Management- moeshesh
Security Risk Management- moesheshSecurity Risk Management- moeshesh
Security Risk Management- moeshesh
 
Creating a Full Privileged User Solution with Novell Privileged User Manager,...
Creating a Full Privileged User Solution with Novell Privileged User Manager,...Creating a Full Privileged User Solution with Novell Privileged User Manager,...
Creating a Full Privileged User Solution with Novell Privileged User Manager,...
 
Steps in it audit
Steps in it auditSteps in it audit
Steps in it audit
 
Why do Hand-picked Cherries... (2009)
Why do Hand-picked Cherries... (2009)Why do Hand-picked Cherries... (2009)
Why do Hand-picked Cherries... (2009)
 
Symantec control compliance suite
Symantec control compliance suiteSymantec control compliance suite
Symantec control compliance suite
 
Oracle Quality of Service Management - Meeting SLAs in a Grid Environment
Oracle Quality of Service Management - Meeting SLAs in a Grid EnvironmentOracle Quality of Service Management - Meeting SLAs in a Grid Environment
Oracle Quality of Service Management - Meeting SLAs in a Grid Environment
 
Pre-TechEd EMEA 2012 - SCOM 2012 Down in the cloud
Pre-TechEd EMEA 2012 - SCOM 2012 Down in the cloudPre-TechEd EMEA 2012 - SCOM 2012 Down in the cloud
Pre-TechEd EMEA 2012 - SCOM 2012 Down in the cloud
 
Oracle_Cisco identity platform approach_webcast
Oracle_Cisco identity platform approach_webcastOracle_Cisco identity platform approach_webcast
Oracle_Cisco identity platform approach_webcast
 
Entitlement and Compliance Management: Trends and 2012 Vision
Entitlement and Compliance Management: Trends and 2012 VisionEntitlement and Compliance Management: Trends and 2012 Vision
Entitlement and Compliance Management: Trends and 2012 Vision
 
Top 5 critical changes to audit for active directory
Top 5 critical changes to audit for active directoryTop 5 critical changes to audit for active directory
Top 5 critical changes to audit for active directory
 
Wallix AdminBastion - Privileged User Management &amp; Access Control
Wallix AdminBastion - Privileged User Management &amp; Access ControlWallix AdminBastion - Privileged User Management &amp; Access Control
Wallix AdminBastion - Privileged User Management &amp; Access Control
 
What is AgentCubed?
What is AgentCubed?What is AgentCubed?
What is AgentCubed?
 
Netax presentation web
Netax presentation webNetax presentation web
Netax presentation web
 
Overview of Identity and Access Management Product Line
Overview of Identity and Access Management Product LineOverview of Identity and Access Management Product Line
Overview of Identity and Access Management Product Line
 
The Evolution of Customer License Management
The Evolution of Customer License ManagementThe Evolution of Customer License Management
The Evolution of Customer License Management
 
Managing a public cloud
Managing a public cloudManaging a public cloud
Managing a public cloud
 

Mehr von Venafi

Where Are My SSH Keys?
Where Are My SSH Keys?Where Are My SSH Keys?
Where Are My SSH Keys?Venafi
 
When a Certificate Authority Fails, How Quickly Can You Restore Trust?
When a Certificate Authority Fails, How Quickly Can You Restore Trust?When a Certificate Authority Fails, How Quickly Can You Restore Trust?
When a Certificate Authority Fails, How Quickly Can You Restore Trust?Venafi
 
Ponemon Report: When Trust Online Breaks, Businesses Lose Customers
Ponemon Report: When Trust Online Breaks, Businesses Lose CustomersPonemon Report: When Trust Online Breaks, Businesses Lose Customers
Ponemon Report: When Trust Online Breaks, Businesses Lose CustomersVenafi
 
Trust Online is at the Breaking Point
Trust Online is at the Breaking PointTrust Online is at the Breaking Point
Trust Online is at the Breaking PointVenafi
 
How an Attack by a Cyber-espionage Operator Bypassed Security Controls
How an Attack by a Cyber-espionage Operator Bypassed Security ControlsHow an Attack by a Cyber-espionage Operator Bypassed Security Controls
How an Attack by a Cyber-espionage Operator Bypassed Security ControlsVenafi
 
Breaching the NSA Graphic
Breaching the NSA GraphicBreaching the NSA Graphic
Breaching the NSA GraphicVenafi
 
Breaching the NSA
Breaching the NSABreaching the NSA
Breaching the NSAVenafi
 
The Evolution of Cyber Attacks
The Evolution of Cyber AttacksThe Evolution of Cyber Attacks
The Evolution of Cyber AttacksVenafi
 
RSAC2013 CME Group case study
RSAC2013 CME Group case studyRSAC2013 CME Group case study
RSAC2013 CME Group case studyVenafi
 
What is-flame-miniflame
What is-flame-miniflameWhat is-flame-miniflame
What is-flame-miniflameVenafi
 

Mehr von Venafi (10)

Where Are My SSH Keys?
Where Are My SSH Keys?Where Are My SSH Keys?
Where Are My SSH Keys?
 
When a Certificate Authority Fails, How Quickly Can You Restore Trust?
When a Certificate Authority Fails, How Quickly Can You Restore Trust?When a Certificate Authority Fails, How Quickly Can You Restore Trust?
When a Certificate Authority Fails, How Quickly Can You Restore Trust?
 
Ponemon Report: When Trust Online Breaks, Businesses Lose Customers
Ponemon Report: When Trust Online Breaks, Businesses Lose CustomersPonemon Report: When Trust Online Breaks, Businesses Lose Customers
Ponemon Report: When Trust Online Breaks, Businesses Lose Customers
 
Trust Online is at the Breaking Point
Trust Online is at the Breaking PointTrust Online is at the Breaking Point
Trust Online is at the Breaking Point
 
How an Attack by a Cyber-espionage Operator Bypassed Security Controls
How an Attack by a Cyber-espionage Operator Bypassed Security ControlsHow an Attack by a Cyber-espionage Operator Bypassed Security Controls
How an Attack by a Cyber-espionage Operator Bypassed Security Controls
 
Breaching the NSA Graphic
Breaching the NSA GraphicBreaching the NSA Graphic
Breaching the NSA Graphic
 
Breaching the NSA
Breaching the NSABreaching the NSA
Breaching the NSA
 
The Evolution of Cyber Attacks
The Evolution of Cyber AttacksThe Evolution of Cyber Attacks
The Evolution of Cyber Attacks
 
RSAC2013 CME Group case study
RSAC2013 CME Group case studyRSAC2013 CME Group case study
RSAC2013 CME Group case study
 
What is-flame-miniflame
What is-flame-miniflameWhat is-flame-miniflame
What is-flame-miniflame
 

Kürzlich hochgeladen

The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 

Kürzlich hochgeladen (20)

The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 

Five Must Haves to Prevent Encryption Disasters

  • 1. 5 Must Haves to Prevent Encryption Disasters Prepared for: Intelligent People 1 © 2013 Venafi
  • 2. Agenda • Brief review of major enterprise key and certificate management challenges • Best practices… – Preventing downtime – Increasing private key security – Preparing for and responding to CA compromise • Q&A 2 © 2013 Venafi
  • 3. Certificate and Key Management Challenges Certificate Authorities 3 © 2013 Venafi
  • 4. Setting Up for Success EKCM is Cross-Functional Auditor InfoSec • Internal Policies • Data Security • External Regulations • Policy Enforcement • Separation of Duties • Compliance Reporting • Compliance • Audit Readiness • Reporting Admin Datacenter CA Manager Manager Admin Admin App Owners IT Operations • System Availability Admin • Operational Efficiency • Best Practices Biz Units • Monitoring • SLAs • Management • Speed of Deployment • Config Automation • Reporting • Cost of Service 4
  • 5. Roles/Stakeholders • PKI admin(s) • System administrators • Business application owners • Network team • Auditors • Executives • NOC • SOC • Help desk • … 5 © 2013 Venafi
  • 6. Recipe for Disaster PKI Admin System Administrators 6 © 2013 Venafi
  • 7. Preventing Downtime Due to Certificate Expirations 7 © 2013 Venafi
  • 8. Causes of Downtime Operational causes: 1. Poor inventory, tracking, and management of certificates • End entity certificates • Intermediate roots Technical causes: • Roots • End entity certificate 2. Poor Execution expires • Correct administrators NOT • Intermediate root notified of impending certificate expires expiration • Root certificates not • Administrators notified but no updated on relying action taken parties • Renewed certificates not properly installed • Certificates installed but applications not restarted 8 © 2013 Venafi
  • 9. High-level Steps for Preventing Downtime  Create an inventory  Check for certificates expiring imminently  Compile and maintain contact information for each certificate/key  Monitor for expiration and notify  Validate certificate/key installation and operation  Report 9
  • 10. Establishing a Comprehensive Inventory Internal & Systems with External CAs 3 Agent-based Certificates Discovery Certificate Inventory A A Database 1 Import A from CAs A A 4 Individual Import A by Admins 2 Network A Discovery A A Network Discovery A - Agents Engines 10
  • 11. Establishing Initial Ownership Notify Groups Certificate Authorities Certificate Inventory Database 5 4 1 Export Maintain Notify 3 Import Certificate Contact Turn into Certificate Contact 2 Logical www.abcd.com rex@abcd.com Groups www.abcd.com IT finance1.abcd.com ethel@abcd.com finance1.abcd.com Finance ecom.abcd.com rex@abcd.com Finance ecom.abcd.com IT mktg-4.abcd.com lester@abcd.com mktg-4.abcd.com Marketing IT hr1.abcd.com leroy@abcd.com hr1.abcd.com HR dmz-34.abcd.com rex@abcd.com HR dmz-34.abcd.com IT acctg.abcd.com ethel@abcd.com acctg.abcd.com Finance Marketing pr-fud.abcd.com lester@abcd.com pr-fud.abcd.com Marketing brain.abcd.com bubba@abcd.com ThinkTank brain.abcd.com ThinkTank cto.abcd.com bertha@abcd.com cto.abcd.com IT 11 © 2013 Venafi
  • 12. Ongoing Ownership Management • System administrators are regularly reassigned • It is critical to have up-to-date ownership information for… – Expiration notifications – Notifications in case of compromise or algorithm breakage – Other communications • Invalid notification is worse than no notification at all Terminated Inventory system Reorg must enable System Admins to maintain ownership information 12 © 2013 Venafi
  • 13. Notify on Expiration Reports Expiring < 15 days www.venafi.com 2/15/13 ecom.venafi.com 2/17/13 mktg.venafi.com 2/19/13 eng.venafi.com 2/29/13 Expiring <30 days srv1.venafi.com srv2.venafi.com 3/15/13 3/17/13 Emails Escalations srv3.venafi.com 3/19/13 srvi4.venafi.com 3/29/13 Yo! Career Expiring <90 days srv5.venafi.com 5/15/13 Whassup? limiting… srv6.venafi.com 6/17/13 90 60 30 15 10 5 Expired 13 © 2013 Venafi
  • 14. Expiration Notifications Alone Don’t Cut It Cert in service Cert in (e.g. on network) keystore time 1. Steady 2. New Cert 3. New Cert 4. App Reset x. Old Cert State from CA Installed for New Cert Expires Old Cert. New Cert Application Renewal Window 14 © 2013 Venafi
  • 15. Monitoring and Validation Onboard Validation Notifications Network Mismatch KeystoreMismatch Certificate Expiring Network Validation New Cert New Cert App Uses Old Cert from CA Installed New Cert Expires Old Cert. New Cert Application Cert Expiration Alerts … 90 60 30 days Keystore Mismatch Events Network Mismatch Events 15 © 2013 Venafi
  • 16. Private Key Security 16 © 2013 Venafi
  • 17. Putting Private Keys at Risk Same password used on multiple keystores. Private keys and Keystore 2 passwords are not Password = abc123 changed when admins Keystore leave the organization passwords are not changed regularly. Keystore 1 Password = abc123 Server Server Performance Monitoring Customer Experience Monitoring Admins manually manage private keys, Security Monitoring making it possible to copy them. Private keys are manually passed to other groups/admins for distribution. 17 © 2013 Venafi
  • 18. Preventative Measures • Implement hardware security modules (HSMs) – Considerations: • Cost (initial and ongoing) • Application compatibility • Migration time • Intermediation (separate admins from keys) 18 © 2013 Venafi
  • 19. Establishing EKCM Policies Eliminating Admin Access to Keys Ensure support for Remove direct administrator secure distribution access to private keys through across multiple automation. Maintain complete platforms and store audit log of all types. operations. Web Server Provide console for private key and certificate management. • Separate credentials for login • Granular access rights – separation of duties • No access to private keys unless required • Dual control (oversight) • Admin entitlement reporting • Audit trail of admin operations 19 © 2013 Venafi
  • 20. Preparing for and Responding to CA Compromise …and other eventualities 20 © 2013 Venafi
  • 21. CA Compromise and Fraudulent Certificate Scenarios Root CA Compromise: Hacker is able to issue fraudulent certificates from CA Key Theft: Stolen or E Root CA (via system or derived copy of CA private signing key compromise). D key is used to issue Root fraudulent certificates. CA CA System Compromise: Malware or other infiltration used to get fraudulent certificate signed by CA RA Compromise: CA (without getting copy Infiltrate RA or steal of CA private key). credentials and authorize fraudulent certificates. B C Impersonation: Trick RA into issuing RA a fraudulent certificate. A Subject Hacker 21 © 2013 Venafi
  • 22. High Level Considerations • Preventing CA compromise – Use and maintain high security for CA(s) – Mandate regular audits • Detecting rogue certificates – Anomaly and fraud detection on all applications • Replacing certificates after a CA compromise… 22 © 2013 Venafi
  • 23. Recent Public Certificate Authority & Counterfeit Certificate Incidents Year Incidents • VeriSign issues Microsoft Corporation code signing 2001 certificate to a non-Microsoft employee. • Thawte issues certificate for Live.com to non-Microsoft employee 2008 • Comodo issues mozilla.org certificate to Startcom • Organization forges VeriSign RapidSSL certificates • Comodo issues nine counterfeit certificates (Google, Yahoo, Live, etc.) when registration authority is compromised. • StartSSL CA compromised 2011 • DigiNotar compromised. 531 fraudulent certificates issued. Dutch government experiences major service outages. • Boeing CA compromised 2012 • Microsoft CA certificates forged by exploiting MD5 (Flame) 2013 • Buster Paper Comercial gets code signing certificate * Electronic Freedom Foundation uncovers many more unpublicized CA 23 incidents by analyzing CRLs from public CAs © 2013 Venafi
  • 24. NIST Alert on CA Compromise http://csrc.nist.gov/publications/nistbul/july-2012_itl-bulletin.pdf These recent attacks on CAs make it imperative that organizations ensure they are using secure CAs and are prepared to respond to a CA compromise or issuance of a fraudulent certificates. - NIST, July 2012 24
  • 25. CA Compromise & Counterfeit Certificate and Remediation Matrix Remove Root Revoke Cert from Counterfeit Revoke CA Replace All Relying Certificates Cert Certs from CA Parties A. Impersonation B. RA Compromise C. CA System Compromise D. CA Signing Key Compromise E. Root CA Compromise 25 © 2013 Venafi
  • 26. Detailed Steps for Preparing for & Responding in the Venafi Best Practices Document Preparing for a CA Compromise Relying  a. Review CA Security and Communications: Once you have a complete list  a. Certificate Replacement Plan: If a CA is compromised, that CA’s certificate  a. Revocation Checking: Ensure that revocation checking is enabled and  Preparatory Steps  CA  Subject  Party  of all CAs in use in your environment—which may involve replacing  must be revoked and all of the certificates issued by the CA become invalid  mandatory (i.e. operations or transactions cannot proceed if the status of  a. Develop, Communicate, and Track Compliance with Certificate  certificates from unapproved CAs—review the security practices for each  and must be replaced. In environments with large numbers of active  the certificate cannot be checked due to an unavailable CRL or OCSP  Policies and Procedures : The installation and management of  CA (internal and external) to assure yourself that the CAs are minimizing  certificates, large‐scale replacements can be very disruptive and can cause  responder). All standard builds and images (e.g. operating systems and        certificates and private keys is generally very distributed within  the risks of compromise. Review how each CA is monitored for potential  operations to stop for extended periods of time. Therefore, it is critical to  applications) should have revocation checking enabled. In addition,  enterprises, where installation and oversight typically falls to the  compromise and the response and communication plans in place in case of  have a well‐defined plan for replacing certificates in a rapid yet orderly  wherever possible, application configuration management systems should  each administrator responsible for the machines and applications  a compromise. Ensure that the CA knows who within your organization to      fashion.   be used to ensure that revocation checking is not turned off.    where the certificates are deployed.  This increases the possibility  contact. It is important to review the security of your CAs (internal and          b. Overall Response Plan: Organizations must have an overall CA  that best practices will not be followed. Consequently, it is important  external) on a periodic basis.   An inventory and list of owners serve as the foundation for a rapid  to define, communicate, and educate personnel on clear policies and    compromise response plan. This plan must identify key points of contact  response by ensuring that all certificate owners can be contacted when a  procedures. Recommendations for these policies and procedures are  (who should be contacted first in case a compromise is detected),  Ensure that you are not using a root CA to issue end‐entity certificates. If a  compromise occurs. Certificate owners must also understand the steps for  provided in the preparation steps below as well as other best  delineate roles and responsibilities, provide a communications plan (to      root is being used to issue end‐entity certificates, replace those certificates  replacing certificates. However, since many certificate owners do not    Subjects, Relying Parties, executives, etc.), specify a certificate  practices from Venafi.  with certificates from an Intermediate CA.  perform certificate operations frequently, they will likely need assistance.        replacement plan, provide a CA migration plan, and support other  b. CA Transition Plan: If a CA is compromised, you must obtain certificates  It is therefore important to have a plan for staffing a help desk to handle  b. Establish and Maintain Certificate Inventory: An important step in  elements described in this document.  from another CA. It is best to have plans in place for the new CA before a  the large number of support requests as all certificates are replaced. If high  preparing for a CA compromise is building a comprehensive inventory  CA compromise occurs. For external CAs, it may good to maintain a  priority systems and certificates have been identified during the inventory  of the certificates and private keys deployed in your environment.    relationship with multiple CAs so that contractual relationships are in place  process, the replacement plan should also include steps for ensuring those  This includes tracking precisely which CAs are used by which        prior to a CA compromise event that requires you to move away from a  certificates are replaced early in the process.   platforms and applications so that appropriate action can be taken if  one of them is compromised. A comprehensive inventory also  vendor entirely. For internal CAs, implement a plan for rapidly establishing  Finally, it is important to have a method for monitoring the replacement of  enables you to identify all certificates that need to be replaced in the  a new CA in the event of a compromise.  certificates so that it is clear which systems are not safe, where problems  case of a compromise and to validate that they are actually replaced.   are occurring and when the process is complete. This monitoring and  c. Education: Responding to a CA compromise involves multiple stakeholders    tracking also makes it possible to report back to executives and other  and roles. A response will be more successful if individuals in each of those  stakeholders. A target timeframe should be set for the amount of time  A good first step in establishing an inventory is requesting a list of  roles are educated beforehand. Here are some examples:  required to replace certificates and get systems and business applications  issued certificates from your known CAs. However, this may not  a. CA Management Personnel: Provide education on monitoring for  back in operation.  account for all certificates in use in your environment, as some  compromise events and procedures for taking remedial action  systems might use other, unknown CAs or self‐signed certificates of  b. Root Inventory: Establish an inventory of all roots that are trusted in your  (including communication plans) if a compromise occurs.  organization and establish a plan for replacing them if necessary. This step  which you are not aware. It is often prudent to perform a manual        b. Certificate Owners (Subjects): Ensure that all certificate owners  is important in case a root CA is compromised and a root must no longer        inventory (asking all administrators to report the certificates they are  understand the consequences of a CA compromise and the  responsible for) or automated inventory (performing automated  be trusted.  importance of maintaining up‐to‐date contact information so that  network and/or file scans to discover certificates).   they can be notified in case of a compromise. In addition,            certificate owners should understand the steps they would take to  rapidly replace their certificate(s) if a compromise occurs.   While creating an inventory, it is critical to identify owners for each  c. Relying Parties: Ensure that all Relying Parties (i.e. owners of  certificate and contact information. This enables you to rapidly  systems that check certificates to authenticate or communicate  contact all appropriate owners if a compromise occurs so they can  with other systems) understand the importance of configuring all  take action. Because certificate deployments and owners change, it is  systems to check revocation status. These checks ensure that  important to implement a system for keeping inventory and  systems do not trust certificates that have been revoked by the  ownership information up to date.   issuing CA. If revocation checking is interfering with operations,    Relying Parties should notify the central PKI organization to  determine ways of addressing the issues without disabling the  You should periodically analyze the collected inventory data. Then  CA Key or System Impersonation RA Compromise Compromise Root CA Compromise Relying  Relying  Relying  Relying  Steps  CA  Subject  Party  Steps  CA  Subject  Party  Steps  CA  Subject  Party  Steps  CA  Subject  Party  a. Revoke the Fraudulent Certificate      a. Revoke the Fraudulent Certificate      a. Revoke the certificate of the compromised CA.      a. Revoke all non‐expired certificates issued from the CA and issue a            final CRL.    b. Notify the Subject of the Fraudulent Certificate      b. Revoke the credentials of the compromised RA (issuing new  b. Establish a point of contact or help desk to answer questions and            credentials if the RA will resume its duties).    provide support.    b. Establish a point of contact or help desk to answer questions and  c. Notify potential Relying Parties to ensure they are checking for  provide support.        revocation. This notification may be provided through direct      c. Carefully check all logs to ensure that all fraudulent certificates  c. Notify all Subjects who have been issued certificates from the    communication or public relations announcements.  have been identified and revoked.        compromised CA that their certificate will need to be replaced and  c. Notify all CAs that have been issued certificates from the root CA        provide instructions.  that those CAs are no longer valid. Ensure they contact the Subjects  d. Notify vendors of software or systems used by Relying Parties (e.g.  d. Notify the Subject(s) of the Fraudulent Certificate(s)            to whom they have issued certificates that those certificates are no    browsers). If the potential use of the fraudulent certificate will have  d. Notify potential Relying Parties to ensure they are checking for  longer valid and must be replaced.  a high impact, it may make sense for software and system vendors        e. Notify potential Relying Parties to ensure they are checking for  revocation. This notification may be provided through direct      to explicitly block the use of the fraudulent certificate.  revocation. This notification may be provided through direct          communication or public relations announcements.  d. Notify vendors of software or systems that include the certificate  communication or public relations announcements.  for the compromised root CA in their product trust stores that the  e. Ensure that revocation checking is enabled and mandatory (i.e.        e. Notify vendors of software or systems used by Relying Parties (e.g.  certificate must be removed.  operations or transactions cannot proceed if the status of the  f. Notify vendors of software or systems used by Relying Parties (e.g.  browsers). If the potential use of the fraudulent certificate will have  certificate cannot be checked due to an unavailable CRL or OCSP        browsers). If the potential use of the fraudulent certificate will have      e. Notify all Relying Parties to inform them that the root certificate for  a high impact, it may make sense for software and system vendors    responder).  a high impact, it may make sense for software and system vendors        to explicitly block the use of the fraudulent certificate.  the compromised root CA must be removed from their trust stores.  to explicitly block the use of the fraudulent certificate.  This notification may be provided through direct communication or          f. Replace all certificates from the compromised CA with new  public relations announcements.  g. Ensure that revocation checking is enabled and mandatory (i.e.  certificates from a different CA. For internal CAs, this may involve  operations or transactions cannot proceed if the status of the      f. Notify all Subjects who have been issued certificates from the  setting up a new CA. For external CAs, this may involve enrolling for    certificate cannot be checked due to an unavailable CRL or OCSP        new certificates.  compromised CA that their certificate will need to be replaced and      responder).    provide instructions.  g. Inform all potential Relying Parties of the new CA that will be used.           g. Replace all certificates from subordinates of the compromised root  h. If a new root is required to validate the new certificates, make it  CA with new certificates from different CAs. For internal CAs, this  available for secure distribution to all potential Relying Parties.        may involve setting up a new CA. For external CAs, this may involve        enrolling for new certificates from a different CA from the same  i. If a new root certificate is required to validate certificates, install      vendor or selecting a different vendor.  this root certificate in all necessary trust stores.    h. Inform all potential Relying Parties of the new CA that will be used.       j. Ensure that revocation checking is enabled and mandatory (i.e.    operations or transactions cannot proceed if the status of the  i. If a new root CA is established, make the root certificate for the  certificate cannot be checked due to the unavailability of the CRL or        new CA available for secure distribution to all potential Relying      OCSP responder.)     Parties.  k. Track the replacement of certificates through the completion of the  j. If a new root certificate is required to validate certificates, install  process.         this root certificate in all necessary trust stores.          k. As an ongoing precaution, ensure that revocation checking is  enabled and mandatory (i.e. operations or transactions cannot        proceed if the status of the certificate cannot be checked due to the  26 © 2013 Venafi
  • 27. Preparing for a CA Compromise Document Clear Ensure only Approved A Certificate Roots are Trusted K Policies Inventory Root CAs that are Trusted on Create CA Relying Party Systems J B Compromise Response Plan Enforce Revocation Checking on Relying I Educate all C Stakeholders Party Systems Systems Trusting CAs Certificates D (Relying Parties) Review CA Security and Systems Where E Communications Policies Certificates are F Establish Installed (Subjects) Inventory Backup CA Server-side Plans G and Client- Certificate Verify that side Certs Owners only Approved H CAs are used. Identify Cert Owners (Subjects) and Relying Parties 27 © 2013 Venafi
  • 28. Responding to a CA Compromise Validate That Revocation Validate Checking is Enabled on Cert & Root Establish Clear Relying Party Systems G H Understanding of Replacement A What Occurred (What Type of Compromise, etc.) B Activate Help Desk Track and I Report on Remove/ F Progress Replace Root Certificates Replace E Revoke Certificates C Certificates & Establish New CA(s) D Notify Subjects, Relying Parties, and Vendors 28 © 2013 Venafi
  • 29. The Threat is Evolving Stuxnet CA Compromises Adobe Duqu Flame Buster Attackers stole private Attackers Attackers exploited keys from two compromise or dupe MD5 to create a face Taiwanese companies certificate authorities Microsoft CA and Adobe to sign to issue fraudulent certificate and then code. certificates for further sign code. attacks. Hackers are increasingly targeting public key infrastructure for attacks because it is a broadly used security mechanism. Poor certificate management practices put you at risk. 29 © 2013 Venafi
  • 30. Diagram of PKI Ecosystem Root CA Issuing CA Certificate Issuing CACA Registration CRL Authority CRL OCSP Responder End Entity Certificate CRL Distribution Subject Point Root Relying Certificate Party 30 © 2013 Venafi
  • 31. Certificate and Key Management Challenges Certificate Authorities 31 © 2013 Venafi
  • 32. Summary of Best Practices • Create an inventory • Analyze the inventory and policy compliance • Compile and maintain ownership information for each certificate/key • Monitor, validate, and notify • Manage enrollment • Optimize and secure provisioning – Private Key Management • Educate all stakeholders 32
  • 33. Next Steps • Attend the third part of this webinar series: “Establishing EKCM policies and Ensuring Today’s Presentation Compliance” Mar 21, 11am EST, 8am PST, 4pm GMT • Download NIST’s ITL Bulletin: “Preparing for and Responding to CA Compromise” NIST ITL Bulletin www.venafi.com/NIST • Questions? – Paul Turner 33 info@venafi.com © 2013 Venafi. All rights reserved.
  • 34. Unpublished Work of Venafi, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners. 34 © 2013 Venafi