Organisations rely on strong authentication as a capability to provide access to their corporate assets. For many years Public Key Infrastructure (PKI) and SSH Keys have been at the forefront of these types of critical security controls.
However, with the relatively recent introduction of Cloud, DevOps, Automation and Micro-Service Architectures, the ability of certificates and keys to be generated autonomously has created an organisational problem.
Suboptimal management coupled with a lack of visibility of ALL certificates and keys creates a significant security exposure – many examples are available explaining how bad actors are reusing trusted certificates to ‘sign’ their malware – effectively making their software totally trusted to run within your organisation.
You cannot manage what you do not know you have, and you cannot demonstrate effective assurance to your regulators if you do not have total visibility of ALL certificates and keys across your organisation.
The problem is that most organisations do not know how many certificates and/or keys they actually have across their organisation, how well those keys are being managed or, should a compromise occur, how quickly those ‘unknown’ certificates and keys can be revoked, rekeyed and redeployed.
Oftentimes, this problem lies unmanaged and it is not until a certificate or key becomes repurposed and used nefariously against your organisation that the problem is seen as needing to be fixed. In our experience this remediation programme is costly and never truly identifies every type of certificate and key across your organisation. This means that the problem becomes half fixed – which is clearly not sufficient to reduce the organisational risk exposure.
However, there is a much better way. A way that will enable you at the push of a button to centrally identify and manage ALL types of certificates and keys – including all the ones you do not know about, residing deep inside file systems across your production and non-production systems right across your entire organisation. This solution enables you to identify and change ALL broken algorithms centrally – imagine the time, effort and cost it would save within your budget to identify and remediate all instances of SHA-1 across your entire organisation in a matter of minutes – not months.
Cybersec Innovation Partners are positive that our solution will save you time, effort and costs pre-breach and that it will improve your organisational compliance position through demonstrable due care and real-time evidence-based due diligence and improved assurance.
Do not leave an unmanaged security risk exposure within your organisation that will negatively affect your P&L, brand, share price and legal/regulatory compliance position should one of your own certificates or keys be used as a weapon to successfully attack your organisation.
Contact CIP now to talk to our experts and to arrange a no-obligation demonstration of Whitethorn®.