Who looks after the keys to your organization’s building? Most employees know the answer – it’s a facilities or on-site operations team. These days doors are unlocked at most businesses using a proximity card that can be programmed to open certain doors, or all doors, across the organization’s various sites. If a business expands, even a new business unit knows where to go to get their doors locked and maintain the physical security of their assets within the new site.
But what about your organization’s cryptographic keys? You may have one or more certificate authorities (CAs) within your organization, and the IT team likely uses at least one such system for issuing certificates to corporate devices to provide access to the corporate network. So who is responsible for crypto across the organization, and what does this responsibility entail?
To get to the root of the question, we should understand the risk we are trying to manage. There is a reason that Gartner labels cryptography as critical infrastructure. The digital identities within an organization determine how your devices, applications and users trust each other. When you think about that for a second, you might start to understand what is at risk. If a business application’s certificate expires, that application goes offline, and pretty much all business applications are now secured using certificates. If a crypto vulnerability is allowed to go unpatched, your intellectual property and personal information are at risk.
So what does it mean to manage cryptography? First, let’s think about how digital identities are issued. Any kind of credential is only as strong as the process and verification at the point of issuance. You should know who or what is receiving a digital identity, meaning you should have policies in place for the issuance of digital certificates. Furthermore, you shouldn’t allow business units to stand up application specific CAs unless they fall under this policy. And the policy should also cover the full lifecycle of the identity: how it is stored, what it can be used for, and when it should be revoked.
Once you have a governance structure in place, you also need to uncover any vulnerabilities and rogue certificates within your organization. This requires scanning your assets, both at a network layer and on local file systems, as well as within the binaries of your applications. This critical step verifies that the crypto protecting your organization is compliant with your corporate policies and best practice.
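As an added illustration of the compliance check described above (example code written for this article, not Entrust’s tooling), the following Go program parses one certificate and flags the conditions the post warns about: an expired or soon-expiring certificate, a validity period longer than policy allows, an issuer outside the corporate CA, and a weak signature algorithm. The policy values, the issuer name and the self-signed sample certificate are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// Policy holds the corporate certificate policy (hypothetical values chosen for this example).
type Policy struct {
	MaxValidity time.Duration // longest validity period a leaf certificate may have
	RenewBefore time.Duration // flag certificates with less remaining lifetime than this
	IssuerCN    string        // CN of the corporate CA; any other issuer is unsanctioned
}
// CheckCert parses one PEM certificate and returns its policy violations (empty if compliant).
func CheckCert(pemBytes []byte, p Policy, now time.Time) ([]string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" { return nil, errors.New("no CERTIFICATE block") }
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return nil, err }
	var findings []string
	if now.After(cert.NotAfter) {
		findings = append(findings, "expired") // an expired certificate takes the application offline
	} else if cert.NotAfter.Sub(now) < p.RenewBefore {
		findings = append(findings, "expiring soon")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > p.MaxValidity {
		findings = append(findings, "validity exceeds policy")
	}
	if cert.Issuer.CommonName != p.IssuerCN {
		findings = append(findings, "issuer not the corporate CA") // rogue or ad hoc CA
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature algorithm")
	}
	return findings, nil
}

// SelfSignedPEM builds a constructed sample certificate so the checks can run offline.
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run CheckCert over every PEM file found on a scanned host with the same Policy to produce the inventory of non-compliant certificates.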
The challenge is that these are not core business functions for most organizations. That’s why many enterprises seeking to build a center of excellence in cryptography for their organization are turning to experts like Entrust for Cryptographic Center of Excellence (CryptoCoE) services. Entrust has decades of experience developing, deploying, running and supporting cryptographic systems – and the ability to share this experience with our customers to help them manage crypto as critical infrastructure. And when your enterprise is looking to expand securely, your teams will know who to call.
For more information on Entrust’s CryptoCoE solutions, visit our website: https://www.entrust.com/digital-security/certificate-solutions/c/introducing-entrust-cryptographic-center-of-excellence
*** This is a Security Bloggers Network syndicated blog from Entrust Blog authored by Brenda Vinkemeier. Read the original post at: https://blog.entrust.com/2020/12/who-looks-after-the-keys/