About Keys and Certificates
A digital certificate is a small file that binds a public key to the details of the organization, host or person that controls the matching private key; the private key is the part that must stay secret. Cryptographic algorithms use these keys to encrypt or sign data, producing results that only the legitimate key holder can create or read. A web server uses a TLS (SSL) certificate to establish an encrypted channel between its host name and the site's users. Developers use code signing certificates to digitally sign the code they distribute. Computers accept SSH keys instead of passwords to authenticate users when they log in. From a user's perspective, a certificate and its private key are files that unlock some valuable resource or serve as proof of the identity of a user, an organization or a piece of software.
A typical organization has many certificates. Mergers and acquisitions, as well as numerous internal software services, require unique certificates and keys bound to multiple domains, computers and endpoints. In most cases it's hard or impractical to consolidate these certificates. Too much consolidation also creates its own security risk: when one key provides access to too many resources, role based access to those resources becomes hard to control, and losing or compromising that single certificate becomes a major network incident.
Storage for Keys
With so many certificates and keys to store, the question is where to keep them. The storage should ideally provide role based access to individual certificates, allow sharing them inside the organization, and keep an audit trail covering permission changes and every access. The storage should also encrypt the data at rest on the back end.
However, the typical state of certificate handling involves storing these keys in a network folder open to everybody, or in a mail server, where they end up after many forwards by users who cannot reach that folder but still need the files. Designating one person to keep watch over these keys is also a poor solution: the certificates will most likely end up on that person's laptop, and sharing is still a problem. Even a slight improvement on this situation would better the handling of company security and identity.
This article analyzes several options for storing digital keys and certificates that are realistic to implement without investing too many resources and without sacrificing even more security.
Options for the Storage
Content Management System
Compared with storing certificates on a laptop hard drive, a Content Management System (CMS) sounds like an upgrade. Either an on-premises (Microsoft SharePoint) or a cloud (Google Drive, Office 365 or Box.net) solution will do the job. A modern web based CMS can provide central storage, secure remote access, item level permissions, metadata associated with each certificate, search, and logs for audit.
Many organizations already have a CMS in place for content workflow, which simplifies its adoption as certificate storage. Note the limit of this approach: anyone permitted to read an item receives a full copy of the private key, so the CMS controls who downloads the file, not what happens to it afterwards.
An identity vault is a specialized content management system built to store passwords, keys and certificates. In addition to the benefits provided by a CMS, identity vaults encrypt data in the back end storage, generate additional logging and implement field level permissions. Identity vaults also usually include an API to retrieve certificates in the places that need them, such as a code signing pipeline or a computer login. This improves overall system security because a user can initiate a process that requires a certificate from the storage without ever accessing the certificate itself; the process retrieves the certificate when needed instead.
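The broker pattern described above (a process uses a key held in the vault while the user never sees it) and the role based access and audit trail called for under "Storage for Keys" can be sketched in code. The following is an added example written for this article, not code from the original page or from any vendor product. It uses HMAC-SHA256 as a stand-in for a private-key signature so that it runs with the Python standard library alone; the role names, principals, key id and artifact bytes are constructed for the example.

```python
"""Broker-style key vault: callers request operations, never raw keys.

Added example, not code from the original article or any vendor product.
HMAC-SHA256 stands in for a private-key signature so the example runs with
the standard library only; a real vault would hold an RSA/ECDSA key and its
X.509 certificate and sign behind the same boundary.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical roles and permissions, constructed for the example.
ROLE_PERMISSIONS = {
    "release-engineer": {"sign"},              # may use the key, never read it
    "pki-admin": {"sign", "export", "rotate"},
    "auditor": set(),                          # may read the log, not the key
}


class AccessDenied(Exception):
    pass


@dataclass
class KeyVault:
    _keys: dict = field(default_factory=dict)      # key_id -> secret bytes
    _roles: dict = field(default_factory=dict)     # principal -> role
    audit_log: list = field(default_factory=list)  # every permission decision

    def add_principal(self, principal, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._roles[principal] = role

    def create_key(self, key_id):
        # Key material is generated inside the vault and never returned.
        self._keys[key_id] = secrets.token_bytes(32)

    def _authorize(self, principal, operation, key_id):
        role = self._roles.get(principal)
        allowed = operation in ROLE_PERMISSIONS.get(role, set()) and key_id in self._keys
        # Both granted and denied decisions are recorded.
        self.audit_log.append({
            "principal": principal, "role": role, "operation": operation,
            "key_id": key_id, "allowed": allowed,
        })
        if not allowed:
            raise AccessDenied(f"{principal} may not {operation} {key_id}")

    def sign(self, principal, key_id, payload):
        """Return a signature over payload; the key stays inside the vault."""
        self._authorize(principal, "sign", key_id)
        return hmac.new(self._keys[key_id], payload, hashlib.sha256).hexdigest()

    def verify(self, key_id, payload, signature):
        # With a real certificate the public key would verify this instead.
        expected = hmac.new(self._keys[key_id], payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)

    def export(self, principal, key_id):
        """Raw key export is a separate, rarely granted permission."""
        self._authorize(principal, "export", key_id)
        return self._keys[key_id]

    def denied_events(self):
        return [e for e in self.audit_log if not e["allowed"]]


def demo():
    """Constructed scenario: one signer, one auditor, one code-signing key."""
    vault = KeyVault()
    vault.create_key("code-signing-2024")
    vault.add_principal("alice", "release-engineer")
    vault.add_principal("bob", "auditor")

    artifact = b"installer.exe contents (constructed)"
    signature = vault.sign("alice", "code-signing-2024", artifact)
    assert vault.verify("code-signing-2024", artifact, signature)

    # Alice can sign but cannot walk away with the key ...
    try:
        vault.export("alice", "code-signing-2024")
        exported = True
    except AccessDenied:
        exported = False
    # ... and Bob cannot sign at all. Both refusals land in the audit trail.
    try:
        vault.sign("bob", "code-signing-2024", artifact)
    except AccessDenied:
        pass
    return exported, len(vault.denied_events()), len(vault.audit_log)


if __name__ == "__main__":
    print(demo())  # (False, 2, 3)
```

The point of the design is the boundary: `sign` returns only a signature, `export` is a distinct permission that most roles never hold, and every decision, granted or refused, is appended to `audit_log` so the "who touched which key" question has an answer. A CMS that simply stores the PEM file cannot offer the first two properties.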
CyberArk, Thycotic and Manage Engine are examples of the vendors distributing enterprise class identity vaults.
In addition to the benefits provided by identity vaults, a session manager can establish access to a remote computer using a certificate from the vault, which solves the problem of exposing the certificate to the user. Not all certificates are used as keys to access remote computers, but those that are benefit from a session manager.
CyberArk, BeyondTrust and Xton Tech are examples of vendors building session management solutions on top of their identity vaults. Session managers used to be complex and hard to implement, often requiring agent software on client computers as well as on servers. These days, however, look for an affordable agentless solution with simple implementation and licensing options.
Xton Access Manager is an agentless, cross-platform privileged access management solution with an unlimited licensing model, built from the ground up with an enterprise feature set. It is simple to implement, without the typical enterprise cost and effort.
Xton Access Manager is now available for download. Please fill out this form to receive a download link and get started today, even on your current desktop or laptop. Documentation is available to help, or you can email or call us to request a trial extension, discuss questions and share your feedback. We would love to talk to you.