<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Julien Gervais, Author</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/author/julien-gervais/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/author/julien-gervais/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Tue, 16 Apr 2024 07:34:22 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>Julien Gervais, Author</title>
	<link>https://www.riskinsight-wavestone.com/author/julien-gervais/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>2024 CIdO Radar</title>
		<link>https://www.riskinsight-wavestone.com/en/2024/04/2024-cido-radar/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2024/04/2024-cido-radar/#respond</comments>
		
		<dc:creator><![CDATA[Julien Gervais]]></dc:creator>
		<pubDate>Fri, 05 Apr 2024 14:11:11 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Digital Identity]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[2024 CIdO radar]]></category>
		<category><![CDATA[Chief Identity Officer]]></category>
		<category><![CDATA[CIdO]]></category>
		<category><![CDATA[Digital Identity]]></category>
		<category><![CDATA[IAM]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=22904</guid>

					<description><![CDATA[<p>Chief Identity Officer (CIdO). That&#8217;s the new term introduced by Gartner to define the role of an identity manager within an organization. While this term is still relatively new, upcoming challenges regarding digital identity could well elevate the CIdO to...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2024/04/2024-cido-radar/">2024 CIdO Radar</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Chief Identity Officer (CIdO). That&#8217;s the new term introduced by Gartner to define the role of an identity manager within an organization. While this term is still relatively new, upcoming challenges regarding digital identity could well elevate the CIdO to the same level as its counterparts, the CISO and CIO (respectively Chief Information Security Officer and Chief Information Officer). In fact, Gartner estimates that by 2027, 45% of IAM (Identity and Access Management) leaders in organizations will be promoted to executive-level positions<a href="https://www.gartner.com/en/documents/4989731" name="_ftnref1">[1]</a>. However, many challenges can arise, such as the integration of IAM within a Zero Trust strategy, the exponential growth of machine identities, hybrid work models, etc., all of which will require IAM expertise to address.</p>
<p>Drawing from its experience in the field of digital identity, Wavestone is publishing its first edition of the CIdO Radar in 2024. This radar follows the same methodology as the CISO Radar published by the firm for the past 10 years and offers an in-depth look at the underlying trends driving the digital identity ecosystem.</p>
<p>In this article, we invite you to explore some impactful and structuring topics for the IAM landscape, starting with two currently trending subjects (passwordless and CLM) and moving towards the future topics they foreshadow in the emerging section of the radar (respectively predictive anti-fraud and post-quantum cryptography).</p>
<p><img fetchpriority="high" decoding="async" class="size-full wp-image-22906 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture1-EN.png" alt="2024 Chief Identity Officer radar" width="922" height="771" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture1-EN.png 922w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture1-EN-228x191.png 228w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture1-EN-47x39.png 47w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture1-EN-768x642.png 768w" sizes="(max-width: 922px) 100vw, 922px" /></p>
<h2>Passwordless, a major evolution not so simple to achieve</h2>
<p>For decades, the password has been the central authentication factor for users (and often still is). Passwords have since been complemented by multi-factor authentication strategies to compensate for the inherent weaknesses of this authentication method (low complexity, reuse, phishing risks, etc.). New tools have thus been added to the user authentication process: OTP via SMS or email, push notifications, soft and hard tokens, etc. Despite the increased security level provided by these additional authentication factors, the password remains both a weakness if discovered (it remains reusable on any account without MFA where it is enrolled) and a burden for the user&#8217;s experience, as they must remember it and store it securely.</p>
<p>All these reasons have led vendors to imagine secure authentication methods that do not rely on a password. Eliminating the password allows companies to improve the user experience for their employees, enhance authentication security by reducing the attack surface, and benefit from a positive image in the market. Users find themselves in an environment where they no longer need to remember a multitude of complex passwords and where they are no longer at risk of having their account stolen through phishing attacks. FIDO2 (Fast Identity Online 2) technology, based on asymmetric cryptography, is currently the most widespread alternative to passwords. This technology is driven by the FIDO Alliance (Google, Microsoft, Amazon, Apple, etc.) and relies on physical security keys that locally store the private key associated with each service. Ultimately, this allows a user to log into all their accounts without a password, login, or email address (simply by using the physical key they possess and a second factor such as biometrics).</p>
<p>However, implementing passwordless authentication raises significant organizational questions. How can account recovery be managed if the account does not rely on a password? If an employee loses their security key, how can access to their account be restored without the associated private key? This major issue of &#8220;credentials recovery&#8221; is inseparable from any passwordless policy and assumes that an organization has anticipated each step of it, such as: purchasing and distributing authentication media, managing their loss/theft/destruction, rotation processes for obsolete media, account backup solutions, double enrolment for critical accounts, management of employee departures, etc.</p>
<p>Passwordless authentication is a trending topic and is being deployed in many organizations. For many, the next step involves establishing capabilities to detect fraud before it occurs (also called &#8220;predictive anti-fraud&#8221;).</p>
<h2>Predictive anti-fraud, how to prevent fraud before it occurs?</h2>
<p>Predictive anti-fraud corresponds to proactive monitoring of systems aimed at identifying and stopping fraud before it occurs, rather than relying solely on after-the-fact analysis of malicious activities that have already happened. These surveillance capabilities are particularly relevant for securing online business activities involving money transfers (such as pooling funds, loyalty accounts, online payments, etc.) in sectors like retail or luxury, for instance, as they are often less mature on this subject than banks. We are currently witnessing an increase in phishing attacks aimed at stealing customer account data to misuse their contents (loyalty card fraud, for example, is a real concern for players in the retail sector).</p>
<p>Access management solutions are increasingly capable of detecting fraud patterns and halting illicit activities before completion. All these capabilities rely on machine learning (involving a training phase for the tools) and involve three key stages:</p>
<ul>
<li>Detection: Systems can detect behaviours deviating from typical user/customer journeys, as well as sequences of suspicious actions. Detection relies on the customer context (browser used, network, cookies, etc.), the dynamic context (IP address, device used, user behaviour, typing speed, strength of authentication performed, etc.), and the business context (type of requested transaction, amounts, modifications of sensitive information, etc.).</li>
<li>Analysis: Automatic analysis is conducted with the assignment of a confidence score to the current user profile.</li>
<li>Response: Response rules are defined to best address alert triggers, with automatic responses for obvious or critical situations (e.g., additional authentication factor, session termination), or manual responses for cases requiring human decision-making.</li>
</ul>
<p><img decoding="async" class="size-full wp-image-23019 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture1-EN-FINAL.png" alt="" width="643" height="455" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture1-EN-FINAL.png 643w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture1-EN-FINAL-270x191.png 270w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture1-EN-FINAL-55x39.png 55w" sizes="(max-width: 643px) 100vw, 643px" /></p>
<p>The main challenge of predictive anti-fraud is the correct calibration of machine learning tools and their adaptation to the specific business context. Placing too much emphasis on security could cause a disproportionate negative impact on the service: a high number of false positives affecting user experience, and an increase in service complexity and slowdowns (captcha, step-up authentication, significant network consumption, longer processing times). The definition of relevant security and detection rules must be accompanied by a machine learning model that is as specific as possible to the use case. Given the increasing complexity of attacks, the key to an effective predictive anti-fraud strategy lies in the solutions&#8217; ability to detect and correlate weak signals. For example, some vendors are now capable of detecting fraud attempts during false customer service calls by correlating the users&#8217; actions with whether they are on a phone call.</p>
<h2>Certificate Lifecycle Management (CLM), a new market for an old issue</h2>
<p>Many companies are currently facing an explosion in the number of electronic certificates within their IT systems. These certificates (and their associated cryptographic keys) serve various purposes such as machine-to-machine authentication, user authentication, data signing and encryption, website security, application microservices, etc. This growth in the number of electronic certificates significantly increases the workload for the teams in charge of managing them. The lifecycle of an electronic certificate includes several stages, such as:</p>
<ol>
<li>Requesting the certificate from a PKI (Public Key Infrastructure)</li>
<li>Receiving the certificate and associated keys</li>
<li>Deploying the certificate within its scope (either as a replacement for an expiring certificate or on a new scope)</li>
<li>Decommissioning and revoking the old certificate (if applicable)</li>
<li>Continuously monitoring the certificate and its future expiration date</li>
<li>Reproducing this process for each certificate before its expiration.</li>
</ol>
<p>Manual management of tens (or even hundreds) of thousands of electronic certificates poses numerous challenges. This type of management is highly resource-intensive, relies on repetitive tasks, and is prone to human error. It is not uncommon for certificates to slip through the cracks and go unrenewed, or simply to remain undeclared within the IT system (shadow IT). For all these reasons, an organization with a large fleet of electronic certificates should consider adopting a CLM solution.</p>
<p>CLM solutions offer many features to facilitate and ensure the reliability of certificate lifecycle management. Some of these features include:</p>
<ul>
<li>Certificate discovery tools, allowing a company to have a comprehensive view of its certificate fleet (even for undeclared certificates).</li>
<li>The use of protocols automating all certificate-related actions (mentioned above).</li>
<li>Numerous connectors enabling clients to seamlessly integrate these solutions within their IT systems.</li>
<li>Governance and rights management modules for certificates.</li>
<li>Alerting capabilities serving as a safety net for teams.</li>
</ul>
<p>The &#8220;Zero Trust&#8221; philosophy, often requiring securing communications between services through mutual authentication using electronic certificates (with the increasingly frequent use of microservices architectures, the explosion of non-human accounts, etc.), tends to increase the number of electronic certificates within organizations. Utilizing dedicated certificate lifecycle management tools rather than manual tracking can reduce certificate-related incidents by 90% and decrease incident processing time by 50%, according to Gartner<a href="https://www.gartner.com/en/documents/3969998" name="_ftnref2">[2]</a>.</p>
<p>For more details on CLM solutions, you can read Wavestone&#8217;s article dedicated to this subject <a href="https://www.riskinsight-wavestone.com/en/2023/03/lifecycle-management-of-digital-certificates-what-are-the-challenges-and-how-to-address-them/"><u>here</u></a>.</p>
<p><img decoding="async" class="size-full wp-image-22910 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture3-EN.png" alt="CLM Certificate Lifecycle Management" width="795" height="614" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture3-EN.png 795w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture3-EN-247x191.png 247w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture3-EN-50x39.png 50w, https://www.riskinsight-wavestone.com/wp-content/uploads/2024/04/Picture3-EN-768x593.png 768w" sizes="(max-width: 795px) 100vw, 795px" /></p>
<p>The implementation of a CLM solution signifies a step forward in securing infrastructures, but more importantly, it can be leveraged towards crypto agility (the ability to quickly replace or update encryption algorithms or protocols to address evolving threats). Crypto agility is a theme that we should expect to encounter more and more frequently in the medium term, largely due to the development of quantum computers.</p>
<h2>And what&#8217;s next? Technological challenges ahead, such as post-quantum cryptography</h2>
<p>While organizations strive to adopt robust IAM strategies, considering only current technological threats is no longer sufficient. The impending topic of quantum computing (even if it still seems a few years away) is set to disrupt all our encryption practices, necessitating early anticipation of measures to be implemented for the 2030s. The use of quantum computers and their famous qubits (which can simultaneously take on values of 0 or 1) already allows for much more efficient cryptographic calculations than traditional computers.</p>
<p>It is important to note that symmetric cryptography is less at risk from quantum threats, and increasing the size of encryption keys will allow this encryption mode to resist quite effectively. However, classic RSA and elliptic curve asymmetric cryptography is truly threatened: key exchange, authentication, and digital signatures that rely on classic asymmetric cryptography are already at risk for specific use cases. Shor&#8217;s algorithm could enable a quantum computer to break RSA 2048-based encryption in a matter of hours.</p>
<p>Post-quantum cryptography currently focuses on solutions to adapt encryption to the future capabilities of quantum computers. ‘Store Now, Decrypt Later’ (the ability to decrypt in 10 years what is captured now, even if encrypted), or the ability to modify (in 10 years) the author or the content of a digital signature, are risks that should already be considered today, especially given the time needed to handle the migration to post-quantum algorithms. In 2022, NIST published a list of 4 such quantum-resistant algorithms: CRYSTALS-Kyber for general encryption, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for electronic signature. These algorithms are expected to be confirmed during 2024.</p>
<p>The main current recommendation to ensure the transition to post-quantum encryption is to perform hybrid encryption, i.e., to use both classical and post-quantum encryption algorithms to secure communications. While this issue is not yet at the heart of current IAM challenges, it is important to monitor its evolution, especially since some major vendors are already entering the market and introducing a new term: QCaaS (Quantum Computing as a Service).</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2024/04/2024-cido-radar/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Lifecycle management of digital certificates: what are the challenges and how to address them?</title>
		<link>https://www.riskinsight-wavestone.com/en/2023/03/lifecycle-management-of-digital-certificates-what-are-the-challenges-and-how-to-address-them/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2023/03/lifecycle-management-of-digital-certificates-what-are-the-challenges-and-how-to-address-them/#respond</comments>
		
		<dc:creator><![CDATA[Julien Gervais]]></dc:creator>
		<pubDate>Fri, 17 Mar 2023 16:34:48 +0000</pubDate>
				<category><![CDATA[Digital Compliance]]></category>
		<category><![CDATA[Focus]]></category>
		<category><![CDATA[Certificates]]></category>
		<category><![CDATA[CLM]]></category>
		<category><![CDATA[PKI]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=20022</guid>

					<description><![CDATA[<p>The increasing maturity of technologies associated with the use of digital certificates The use of digital certificates on information systems has been around for over 20 years. It is a proven practice based on standardised technologies and regulations governing several...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2023/03/lifecycle-management-of-digital-certificates-what-are-the-challenges-and-how-to-address-them/">Lifecycle management of digital certificates: what are the challenges and how to address them?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h1 style="text-align: justify;">The increasing maturity of technologies associated with the use of digital certificates</h1>
<p style="text-align: justify;">The use of digital certificates on information systems has been around for over 20 years. It is a proven practice based on standardised technologies and regulations governing several of its use cases. A digital certificate can be considered as a &#8220;digital&#8221; identity card of its owner, using asymmetric cryptography to authenticate its owner and enable them to perform data encryption and digital signature operations. A digital certificate may belong to several types of holders and serve to cover various use-cases.</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-19998 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image1EN-1.png" alt="" width="4117" height="1932" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image1EN-1.png 4117w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image1EN-1-407x191.png 407w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image1EN-1-71x33.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image1EN-1-768x360.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image1EN-1-1536x721.png 1536w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image1EN-1-2048x961.png 2048w" sizes="auto, (max-width: 4117px) 100vw, 4117px" /></p>
<p style="text-align: justify;">Historically, digital certificates were used in limited areas within an information system, mainly for two reasons:</p>
<ul style="text-align: justify;">
<li>First, the use of cryptography, particularly asymmetric, reduces equipment performance (primarily using computing capacity).</li>
<li>Secondly, the level of cyber threats in the past was relatively low compared to the current level.</li>
</ul>
<p style="text-align: justify;">Thus, the use of digital certificates was not always justified regarding information system security challenges and the hardware resources required to avoid performance degradation.</p>
<p style="text-align: justify;">For several years, technological developments have significantly improved the performance of computers, thereby enabling the use of digital certificates for an increasing number of holder types, and to cover increasingly diverse use cases to address the growing level of cyber threats and protection needs. At the same time, there is also improvement in maturity of technologies associated with the use of digital certificates, such as PKI systems that issue digital certificates, cryptographic hardware to secure private keys (e.g. Hardware Security Module (HSM), smartcards, etc.), or even more specific software to better manage certain use cases (e.g. Card Management System (CMS), Key Management System (KMS) etc.).</p>
<h1 style="text-align: justify;">The emergence of Certificate Lifecycle Management (CLM) products</h1>
<p style="text-align: justify;">The growth of both the usage and the number of digital certificates in recent years has highlighted new issues for several stakeholders within an organization: operations teams, who deploy digital certificates on infrastructure components or business applications and manage their lifecycle; security teams and architects, who are responsible for defining and enforcing digital certificate usage policies within the organization and preventing deviations; and the business units that use certificates on their applications, which may experience availability issues if certificates expire. These issues are exacerbated by the rapid evolution of the technological environment, which challenges the maturity of existing infrastructures (particularly PKI) and gives rise to a new family of products, the &#8220;Certificate Lifecycle Management&#8221; tools, to complement existing products in this area.</p>
<p style="text-align: justify;">The following three chapters detail the issues and difficulties that CLM solutions attempt to address.</p>
<h2 style="text-align: justify;">The difficulty of managing digital certificates</h2>
<p style="text-align: justify;">Let&#8217;s take the example of an operations team in charge of several servers or applications. To obtain a digital certificate for a server, this team has to create a request to their organization&#8217;s PKI following the associated processes, and then install the certificate on the relevant equipment. Every 1 to 3 years, they have to remember to renew it before it expires by repeating the certificate request process with the PKI. Multiply this by the thousands of infrastructure digital certificates that may exist within large organizations, and the following consequences arise:</p>
<ul style="text-align: justify;">
<li>Teams spending a lot of time requesting and installing digital certificates on equipment, especially if the processes require multiple approvals to meet internal or external compliance requirements.</li>
<li>Teams not well trained in the use of digital certificates, with a high risk of error in installed certificates, at best delaying service implementation and at worst introducing security vulnerabilities to the target equipment.</li>
<li>A very high risk of forgetting to renew a certificate before it expires, causing a disruption to the related service. The level of impact will depend on the service and can potentially reach the highest level for an organization.</li>
</ul>
<p style="text-align: justify;">Based on our experience working with our clients, the risk of forgetting to renew certificates is very common. For example, Microsoft forgot to renew a certificate for Microsoft Teams in 2020, causing service downtime for about 3 hours<sup>(1)</sup>.</p>
<h2 style="text-align: justify;">Cyber risk associated with improper use of digital certificates</h2>
<p style="text-align: justify;">Security teams and architects define and implement compliance rules regarding the use of digital certificates and the associated processes. Because complying with these rules makes lifecycle management time-consuming, operations teams may not always follow the certificate request processes of their organization&#8217;s PKI:</p>
<ul style="text-align: justify;">
<li>Either by bypassing them to obtain certificates from the &#8220;official&#8221; PKI in a sneaky way, with fewer security checks on the legitimacy of the request, and fewer traceability elements for audit purposes;</li>
<li>Or by installing &#8220;rogue&#8221; certificates, self-signed or obtained from a &#8220;non-official&#8221; PKI/Certification Authority, with the risk of introducing technical vulnerabilities to the information system that could be exploited by an attacker.</li>
</ul>
<p style="text-align: justify;">During our audit assignments for our clients, we often discover the use of &#8220;unofficial&#8221; certificates that are very difficult to identify exhaustively. This lack of control over digital certificates used in an information system represents a challenge for security teams to manage cyber risk and deploy appropriate security solutions.</p>
<h2 style="text-align: justify;">A fast-evolving technological environment</h2>
<p style="text-align: justify;">As mentioned earlier in this article, for several years now the use of digital certificates has become more widespread, and the products on the market have become more mature. The regulatory framework (e.g. eIDAS<sup>(2)</sup>) has followed this trend by regulating several trust services based on the use of digital certificates (e.g. electronic signature, timestamping, etc.).</p>
<p style="text-align: justify;">Today, some more recent technological trends are making the use of digital certificates even more essential, while introducing new constraints:</p>
<ul style="text-align: justify;">
<li>The increasing use of microservices architectures, especially in &#8220;Zero Trust&#8221; deployments, requires securing communications between these services using mutual authentication with digital certificates. The number of these certificates therefore continues to grow within information systems, which increases the difficulties outlined in the previous two chapters.</li>
<li>Continuous Integration/Continuous Development (CI/CD) practices and the automation of deployments using &#8220;DevOps&#8221; tools are also increasingly adopted by information system departments. These approaches require end-to-end automation of service deployment, including certificate installation. To address this constraint, it is essential to rely on technologies that automate certificate lifecycle management and interface with PKI solutions.</li>
</ul>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-20047 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image11.png" alt="" width="4515" height="2104" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image11.png 4515w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image11-410x191.png 410w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image11-71x33.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image11-768x358.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image11-1536x716.png 1536w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image11-2048x954.png 2048w" sizes="auto, (max-width: 4515px) 100vw, 4515px" /></p>
<p style="text-align: justify;">With these findings in mind, a CLM solution helps teams managing digital certificates save time, improves efficiency, enhances the security level of the information system, reduces service interruptions on business applications, and offers innovation opportunities to development teams.</p>
<h1 style="text-align: justify;">Services provided by CLM products</h1>
<p style="text-align: justify;">To address these issues and the growing demand for effective certificate lifecycle management, several vendors have developed so-called CLM (Certificate Lifecycle Management) solutions. A CLM solution is software designed to help organizations automate the lifecycle of their fleet of certificates. These solutions first provide tools to discover the digital certificates deployed on the information system and provide effective reporting in a unified interface. This feature is very useful for discovering &#8220;unofficial&#8221; certificates. CLM solutions can also interact with numerous PKI environments to consolidate certificate management under a single tool. They offer various dashboards and features enabling organizations to have an overview of their certificates and to handle them (e.g. applying renewal and automation policies, alerts on non-compliant certificates, etc.), and they use connectors to integrate themselves into organizations’ existing needs and workflows (DevOps, ticketing, etc.). CLM solutions therefore position themselves at the centre of the IS to achieve maximum efficiency in tracking digital certificates.</p>
<p style="text-align: justify;">Using dedicated management tools, rather than manual tracking, for certificate lifecycle management can reduce certificate-related incidents by 90% and reduce incident processing time by 50%, according to Gartner<sup>(3)</sup>.</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-20068 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image17.png" alt="" width="2715" height="2026" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image17.png 2715w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image17-256x191.png 256w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image17-52x39.png 52w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image17-768x573.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image17-1536x1146.png 1536w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image17-2048x1528.png 2048w" sizes="auto, (max-width: 2715px) 100vw, 2715px" /></p>
<p style="text-align: justify;">Because CLM solutions do not all offer the same functional coverage, the following four areas must be evaluated to choose the most suitable one for an organization:</p>
<ul style="text-align: justify;">
<li><strong>Certificate discovery</strong>: any use of a CLM solution begins with the discovery of the certificates present on the organization&#8217;s information systems. This discovery has several objectives: gathering all of an organization&#8217;s certificates in a common interface regardless of the issuing certification authority, discovering unknown certificates that were not previously tracked, collecting information on each certificate to measure the proportions of compliant and non-compliant certificates, and visualising the certificate fleet in dashboards highlighting all important information (e.g. number of certificates, upcoming expirations, compliance with the chosen security rules). Server certificates can be discovered in two ways, to adapt to the security measures in place within an IT system: a centralized scan from the CLM solution, which requires network flows inbound to the organization&#8217;s servers, or a decentralized scan relying on a component installed on each server that performs a local search and reports its data back to the CLM solution (outbound network flows from the servers only).</li>
<li><strong>Automation and connectors:</strong> the main goal of a CLM solution is to spare its users the manual management of certificates, which is time-consuming, resource-intensive, and prone to human error. Once discovery scans are completed, an organization can use various tools to create workflows that automate the certificate lifecycle. For example, it is possible to automatically renew all certificates from a chosen certification authority by replacing them with certificates issued by another authority, which is very useful during a PKI migration. CLM solutions can also automate certificate revocation at the end of the lifecycle, as well as the request and installation of the next certificate. Automating the management of a large fleet of certificates necessarily involves a configuration phase that can take time, but the time and resources saved and the security gained justify this investment. To achieve this, CLM solutions integrate via connectors with many PKIs on the market, with infrastructure components that use digital certificates, and with CMDBs. Connectors also enable CLM solutions to interact with ticketing tools and with MDM or UEM solutions for endpoint management, and to manage certificates in DevOps environments (e.g. Terraform, Kubernetes, Docker).</li>
<li><strong>Governance: </strong>organizations can define compliance rules regarding certificates and how they are issued. These rules aim to control future certificate issuance and help identify existing certificates that do not comply with them (e.g. self-signed certificates, insufficient key size, untrusted certification authority). All these rules are fully customizable. CLM solutions also allow rights to be segregated according to roles (administrators, users, auditors, etc.), geographic zones, teams, or any other attribute.</li>
<li><strong>Alerting:</strong> this is an important aspect of CLM solutions because automating a fleet of certificates takes several months (or even years). Alerting allows certificates whose workflows are not yet automated to be processed and thus serves as a safety net in case a renewal is forgotten. Alerts can take different forms, for example notifications within the solution, emails sent to administrators, notifications on Teams or Slack, or tickets opened in ServiceNow or Jira. To identify the recipient of an alert, solutions can rely on the information collected by the PKI during the initial certificate request, cross-reference certificate information with a CMDB, or use AI features to &#8220;guess&#8221; the team or person to notify when precise information cannot be found in the available data sources.</li>
</ul>
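<p style="text-align: justify;">To make the discovery, governance and alerting items above concrete, here is an added example written in Go with only the standard library; it is not code from the original article or from any vendor named on this page. Because a real discovery scan needs network access to the servers, the example builds a small constructed fleet of certificates in memory instead, applies a set of assumed compliance rules (minimum RSA key size, trusted issuer list, no self-signed certificates, a renewal alert window) and returns the non-compliant certificates keyed by subject, which is the data an alerting connector would forward to a ticket or a chat channel. The policy values, the CA name &#8220;Corp Internal CA&#8221; and the host names are assumptions chosen for the example.</p>

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour
var serial int64 // fixture serial numbers, unique within one run

// Policy holds the compliance rules a CLM governance module lets an organization define;
// DefaultPolicy's values are assumptions for this example, not any vendor's defaults.
type Policy struct {
	MinRSABits     int
	AlertBefore    time.Duration
	TrustedIssuers map[string]bool // issuer Common Name -> trusted
}

var DefaultPolicy = Policy{MinRSABits: 2048, AlertBefore: 30 * day,
	TrustedIssuers: map[string]bool{"Corp Internal CA": true}}

// Evaluate applies every rule to one certificate; an empty result means compliant.
func Evaluate(cert *x509.Certificate, p Policy, now time.Time) []string {
	var issues []string
	if string(cert.RawSubject) == string(cert.RawIssuer) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		issues = append(issues, "self-signed") // issuer == subject and verifies under its own key
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < p.MinRSABits {
		issues = append(issues, fmt.Sprintf("RSA key is %d bits, policy requires %d", pub.N.BitLen(), p.MinRSABits))
	}
	if !p.TrustedIssuers[cert.Issuer.CommonName] {
		issues = append(issues, "issuer not in trusted CA list: "+cert.Issuer.CommonName)
	}
	switch {
	case cert.NotAfter.Before(now):
		issues = append(issues, "expired on "+cert.NotAfter.Format("2006-01-02"))
	case cert.NotAfter.Sub(now) < p.AlertBefore:
		issues = append(issues, fmt.Sprintf("expires in %d days", int(cert.NotAfter.Sub(now)/day)))
	}
	return issues
}

// Scan is the governance pass over a discovered fleet: only certificates needing an alert are returned, keyed by subject CN.
func Scan(fleet []*x509.Certificate, p Policy, now time.Time) map[string][]string {
	findings := map[string][]string{}
	for _, c := range fleet {
		if issues := Evaluate(c, p, now); len(issues) > 0 {
			findings[c.Subject.CommonName] = issues
		}
	}
	return findings
}

// issue creates a fixture certificate for cn; with parent == nil it is self-signed.
func issue(cn string, key *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey,
	notBefore time.Time, lifetime time.Duration, isCA bool) (*x509.Certificate, error) {
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(lifetime), IsCA: isCA, BasicConstraintsValid: isCA}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildSampleFleet constructs sample data (not a real scan): one compliant, one self-signed 1024-bit, one expired.
func BuildSampleFleet(now time.Time) []*x509.Certificate {
	caKey, svcKey, weakKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 1024))
	ca := must(issue("Corp Internal CA", caKey, nil, nil, now.Add(-2*365*day), 10*365*day, true))
	return []*x509.Certificate{
		must(issue("api.corp.example", svcKey, ca, caKey, now.Add(-30*day), 365*day, false)),      // compliant
		must(issue("legacy-app.internal", weakKey, nil, nil, now.Add(-355*day), 365*day, false)), // self-signed, 10 days left
		must(issue("old.corp.example", svcKey, ca, caKey, now.Add(-400*day), 365*day, false)),     // expired 35 days ago
	}
}

func main() {
	now := time.Now()
	for cn, issues := range Scan(BuildSampleFleet(now), DefaultPolicy, now) {
		fmt.Printf("ALERT %s: %v\n", cn, issues)
	}
}
```

<p style="text-align: justify;">Running it with go run reports nothing for the compliant certificate, flags the self-signed 1024-bit certificate on four rules at once and the expired one on a single rule. Note that the self-signed test compares the raw subject and issuer and verifies the signature with the certificate&#8217;s own public key, rather than trusting the issuer string alone, which is what a governance rule should do since any certificate can claim an arbitrary issuer name.</p>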
<p style="text-align: justify;">The CLM solutions market is growing rapidly, with new features added regularly and more areas covered. It would not be surprising if this type of solution came to manage the cryptographic key lifecycle in general, beyond digital certificates alone, and thus complemented current KMS solutions as it does today with PKI solutions.</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-20010 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image4EN-1.png" alt="" width="3197" height="1665" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image4EN-1.png 3197w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image4EN-1-367x191.png 367w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image4EN-1-71x37.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image4EN-1-768x400.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image4EN-1-1536x800.png 1536w, https://www.riskinsight-wavestone.com/wp-content/uploads/2023/03/Image4EN-1-2048x1067.png 2048w" sizes="auto, (max-width: 3197px) 100vw, 3197px" /></p>
<h1 style="text-align: justify;">The CLM solutions market is currently experiencing significant growth</h1>
<p style="text-align: justify;">The CLM solutions market consists of both historical players (often already active in areas such as PKI or machine identities and offering a wide range of services beyond CLM) and emerging players that can be classified as pure players, who started developing their CLM service in recent years and for whom this segment represents most of their activity. Below is a list of actors often found on the market (in alphabetical order):</p>
<p style="text-align: justify;"><strong>Appviewx</strong>: an American company founded in 2004 based in New York. In addition to its CERT+ certificate lifecycle management solution, Appviewx offers a Cloud PKI and IAM service.</p>
<p style="text-align: justify;"><strong>DigiCert</strong>: an American company founded in 2003 based in Lehi, Utah. DigiCert is a public certification authority that provides digital certificates and PKI services to organizations. To complement its PKI offering, DigiCert has launched its certificate lifecycle management solution, CertCentral.</p>
<p style="text-align: justify;"><strong>Digitalberry</strong>: a French company founded in 2014 based in Marseille. The company&#8217;s CLM solution, Berrycert, was released in 2021. Digitalberry also offers a blockchain-based data traceability solution and a security key management solution. Digitalberry is part of the 2020<sup>(4)</sup> and 2021<sup>(5)</sup> French cybersecurity start-up radars developed by Wavestone in collaboration with Bpifrance.</p>
<p style="text-align: justify;"><strong>Entrust: </strong>an American company founded in 1994 based in Minneapolis, Entrust is a historical player in the PKI field. Entrust’s Certificate Hub is a solution dedicated to certificate lifecycle management. It sits alongside the company’s other digital security solutions, available on-premises and as a service (PKI, HSM, KMS, IAM), and its physical and digital passport and identity document issuance solutions.</p>
<p style="text-align: justify;"><strong>Evertrust</strong>: a French company founded in 2017 based in Paris, Evertrust released the first version of its CLM solution, Horizon, in 2018. It also offers an internal certification authority (Stream) and an OCSP responder service. Evertrust is part of the 2021<sup>(5)</sup> and 2022<sup>(6)</sup> French cybersecurity start-up radars developed by Wavestone in collaboration with Bpifrance.</p>
<p style="text-align: justify;"><strong>Keyfactor</strong>: an American company founded in 2001 based in Cleveland. Keyfactor left the PKI consulting segment in 2014 to become a solution provider; Keyfactor Command is the company&#8217;s CLM solution. In 2021, Keyfactor acquired PrimeKey to complement its offer with a PKI solution.</p>
<p style="text-align: justify;"><strong>Sectigo</strong>: an American company founded in 1998 based in Roseland, New Jersey. Sectigo is a public certification authority that provides certificates and PKI services to organizations. Sectigo has developed its CLM solution, Sectigo Certificate Manager, to offer services complementary to its PKI business.</p>
<p style="text-align: justify;"><strong>Venafi</strong>: an American company founded in 2000 based in Salt Lake City. Venafi offers the TLS Protect solution to manage an organization&#8217;s certificate lifecycle. Venafi also offers PKI, KMS, and code signing services.</p>
<h1 style="text-align: justify;">Conclusion</h1>
<p style="text-align: justify;">Regardless of the industry, any organization reaching a certain size will face a growing number of digital certificates to manage, and the associated management and security risks.</p>
<p style="text-align: justify;">It is therefore important to address this issue as early as possible and to evaluate how a CLM solution could improve the security level of the information system and simplify the day-to-day work of its teams; Wavestone&#8217;s CISO radar reflects this by placing these products in the &#8220;trending&#8221; category<sup>(7)</sup>.</p>
<p style="text-align: justify;"><strong>Bibliography</strong></p>
<p style="text-align: justify;"><sup>(1)</sup> <a href="https://www.theverge.com/2020/2/3/21120248/microsoft-teams-down-outage-certificate-issue-status">https://www.theverge.com/2020/2/3/21120248/microsoft-teams-down-outage-certificate-issue-status</a></p>
<p style="text-align: justify;"><sup>(2) </sup><a href="https://www.riskinsight-wavestone.com/en/2016/10/eidas-route-vers-europe-de-confiance-numerique/">https://www.riskinsight-wavestone.com/2016/10/eidas-route-vers-europe-de-confiance-numerique/</a></p>
<p style="text-align: justify;"><sup>(3) </sup><a href="https://www.gartner.com/en/documents/3969998">https://www.gartner.com/en/documents/3969998</a></p>
<p style="text-align: justify;"><sup>(4) </sup><a href="https://www.wavestone.com/fr/insight/radar-2020-startups-cybersecurite-francaises/">https://www.wavestone.com/fr/insight/radar-2020-startups-cybersecurite-francaises/</a></p>
<p style="text-align: justify;"><sup>(5) </sup><a href="https://www.wavestone.com/fr/insight/radar-startups-cybersecurite-2021/">https://www.wavestone.com/fr/insight/radar-startups-cybersecurite-2021/</a></p>
<p style="text-align: justify;"><sup>(6) </sup><a href="https://www.wavestone.com/fr/insight/radar-startups-cybersecurite-2022/">https://www.wavestone.com/fr/insight/radar-startups-cybersecurite-2022/</a></p>
<p style="text-align: justify;"><sup>(7)</sup> <a href="https://www.wavestone.com/fr/insight/radar-rssi-2023/">https://www.wavestone.com/fr/insight/radar-rssi-2023/</a></p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2023/03/lifecycle-management-of-digital-certificates-what-are-the-challenges-and-how-to-address-them/">Lifecycle management of digital certificates: what are the challenges and how to address them?</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2023/03/lifecycle-management-of-digital-certificates-what-are-the-challenges-and-how-to-address-them/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
