Join the PKI automation party
Certificate Lifecycle Management (CLM) and Public Key Infrastructure (PKI) are terms that can make even the most seasoned IT veteran’s eyes roll into the back of their head. At GlobalSign, we know this to be true because we discuss CLM and PKI on a regular basis and we see it all the time. PKI is what we do – if we’re being honest, we’re lousy at a cocktail party, but like with a case-obsessed attorney or an overly bookish accountant – that’s what makes us good at what we do.
Besides, we’re not asking to come to your party, we’re here to help you streamline and automate your PKI – like we’ve been doing for over 25 years.
Everyone wants to be self-sufficient to a point. But if your car has problems, you call a mechanic. Early on in our careers, we may attempt to do our taxes on our own but as our finances grow more complicated, we seek out an accountant.
Public Key Infrastructure (PKI) has never been as widely leveraged, nor as complex, as it is right now. So why would an organization, especially an enterprise, attempt to manage it all on their own? It’s critical to know when to seek out expertise.
GlobalSign’s Auto-Enrollment Gateway (AEG) is a certificate lifecycle automation omni-tool that can reach out across an organization’s entire network, to any endpoint that needs digital certificates and automate the management of their entire lifecycle.
Now, we realize that’s one hell of a run-on sentence with a lot to unpack. So in this blog we’ll talk about the changing state of the PKI landscape, the effect this will have on organizations, and take a look at AEG in more detail – including how it can make an organization’s network more secure, efficient and agile.
The Current State of the PKI Landscape
When we say that PKI has never been more leveraged and complex, what we mean is that organizations have never had to manage more digital certificates than they’re managing right now.
The most commonly known PKI use case is SSL/TLS. Every website that wants to be viewable by modern web browsers now requires an SSL/TLS certificate issued by a publicly-trusted Certificate Authority (CA). But beyond secure connections between web servers and clients, PKI is also used:
- To encrypt and authenticate email
- To digitally sign documents and code
- For multi-factor authentication
- To verify employee and machine identities
- To secure internal network connections
- To facilitate smart card logins
When you think about the way we work following Covid-19 – increasingly in remote and hybrid work environments, PKI is quickly becoming the backbone of the digital workplace, helping to secure network access while facilitating authentication and encryption in multiple contexts. But beyond this, there are two major external factors driving the current explosion in PKI certificate usage.
Shortened Certificate Validity
The CA/Browser Forum determines the baseline requirements that all publicly-trusted CAs must follow. It consists of several working groups that constantly seek to improve the security standards of digital certificates. Over the past decade the lifespan, or validity, of these certificates has been steadily reduced as a result of various security incidents, as well as concerns about how long the information contained in them can be trusted. These changes started with SSL/TLS certificates, where validity has been reduced to just 397 days (13 months), before applying to other certificate types like S/MIME and Code Signing. Nowadays, the best practice is to replace digital certificates at least once per year, with many organizations choosing to do it more frequently, every six months.
Obviously, shorter validity means issuing new certificates to replace the old ones, and installing them across all necessary endpoints, more often. Doing it once every few years was already a burden; doing it yearly adds a significant workload for your IT staff, especially if expiry dates are staggered throughout the year.
Extended Key Usage
Extended Key Usages (EKUs) are another area the CA/B Forum has been refining. In the simplest terms possible, EKUs define the types of cryptographic functions a given key pair or certificate may be used for. In years past, organizations could issue digital certificates to their employees that could perform multiple functions. For instance, you could use one certificate to perform client authentication, sign and encrypt email, and sign documents. Unfortunately, with the convenience that came from having multiple EKUs, there was also a risk: a compromised key is far more dangerous when it can be used for multiple things than for just a single purpose. So moving forward, the various CA/B Forum working groups are mandating that each certificate have just a single EKU.
In practice, that means when a new employee comes onboard you can’t just issue them one multi-purpose digital certificate that does it all. You will need to issue three distinct certificates, each with the proper EKU.
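To see what these two changes look like at the certificate level, here is an added example (ours, not code from the GlobalSign post or the AEG product) that audits a certificate against both rules: a lifetime beyond 397 days, and anything other than exactly one EKU. It uses the Python cryptography library and builds its own constructed self-signed test certificates; the names alice@example.com, make_test_cert, audit_cert and run_demo are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

MAX_VALIDITY_DAYS = 397  # current ceiling for publicly trusted SSL/TLS certificates
EKU_NAMES = {  # the three purposes the post says used to share one employee certificate
    ExtendedKeyUsageOID.CLIENT_AUTH: "clientAuth",
    ExtendedKeyUsageOID.EMAIL_PROTECTION: "emailProtection",
    ExtendedKeyUsageOID.CODE_SIGNING: "codeSigning",
}

def make_test_cert(ekus, days):
    """Constructed self-signed test certificate (test data only) with the given EKUs and lifetime."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "alice@example.com")])  # assumed subject
    now = datetime.now(timezone.utc).replace(microsecond=0)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=days))
               .add_extension(x509.ExtendedKeyUsage(ekus), critical=False))
    return builder.sign(key, hashes.SHA256())

def audit_cert(cert):
    """Return lifetime in days, EKU names, and findings against the two policies above."""
    # not_valid_*_utc exists in cryptography >= 42; older releases only have the naive fields.
    before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    lifetime = (after - before).days
    try:
        eku_ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        ekus = [EKU_NAMES.get(oid, oid.dotted_string) for oid in eku_ext]
    except x509.ExtensionNotFound:
        ekus = []  # no EKU at all is not single-purpose either, so it is flagged below
    findings = []
    if lifetime > MAX_VALIDITY_DAYS:
        findings.append(f"lifetime {lifetime}d exceeds {MAX_VALIDITY_DAYS}d, reissue more often")
    if len(ekus) != 1:
        findings.append("not single-purpose: EKUs = " + (", ".join(ekus) or "<none>"))
    return {"lifetime_days": lifetime, "ekus": ekus, "findings": findings}

def run_demo():
    """Audit a legacy all-in-one employee cert and a single-purpose S/MIME replacement."""
    legacy = make_test_cert(list(EKU_NAMES), 730)  # two-year, three EKUs: fails both checks
    smime = make_test_cert([ExtendedKeyUsageOID.EMAIL_PROTECTION], 365)
    return {"legacy": audit_cert(legacy), "smime": audit_cert(smime)}
```

Pointing audit_cert at certificates loaded from your own inventory (x509.load_pem_x509_certificate) turns this into a quick pre-migration report of which certificates the new rules will force you to split or reissue.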
To complicate matters even more…
Your IT Team Probably Doesn’t Have the Bandwidth or Expertise to Manage PKI at Scale
At present, there is a major skills gap in the cybersecurity industry. A 2023 study by (ISC)2 found that the shortage surrounding cybersecurity talent grew by 26% in 2022. And if your organization is one of the 43% actively seeking IT/Cybersecurity talent – you’re acutely aware of this.
Security teams are overworked as is, and according to Gartner, the average enterprise is running and managing between 50-70 different programs. With organizations so desperate to find talent, PKI, which is already somewhat niche, becomes a “like-to-have” skillset, not a “need-to-have” one. But that doesn’t change the fact that PKI is critical to daily operations, and the workload only grows as your organization does. As difficult as good security talent is to find and hire, according to the (ISC)2 study, it’s just as difficult to keep.
If you’re not automating certificate management and reducing the workload and tedium, you may as well install a revolving door in your IT office, because the number one reason security workers leave is too many tedious emails and tasks.
But on top of that, there’s also…
The Cost Factor of Managing Your Own PKI
Beyond the problems we’ve just discussed with an increase in workload and the struggle to find the right personnel to manage it all, there’s also the issue of the costs that come with managing your own PKI. But that’s a whole other topic of conversation, so much so we wrote a whole eBook on it – why not check it out below?
AEG is a Certificate Automation Engine
Now that we’ve scoped out the problem, let’s talk about the solution: AEG.
The Auto-Enrollment Gateway connects into your organization’s Active Directory and uses a range of protocols and integrations, with various Mobile Device Management (MDM) platforms, to reach out across your entire network and manage digital certificates at all endpoints.
Endpoints include:
- Client and machine identities
- Secure email certificates (S/MIME)
- Digital signing
- SSL/TLS
- Multi-factor Authentication (MFA)
- Key cards
Everything is managed through an easy-to-use dashboard where the entire certificate lifecycle for each and every endpoint on your network can be scripted and monitored from a single location.
AEG is powered by Atlas, GlobalSign’s digital identity platform, designed to give you the flexibility to issue private certificates off a dedicated intermediate root, or to issue publicly trusted digital certificates – this is one of the biggest reasons to work directly with a trusted CA. With over 25 years of PKI experience, and as the global leader in digital signing, GlobalSign can supply the certificates. Other third-party vendors can offer a framework for managing digital certificates, but you still need to have a CA pipeline to issue them all, especially SSL/TLS and S/MIME. That adds cost and complexity.
Not only does AEG provide the framework to manage your portfolio of digital certificates, it’s also the pipeline.
What’s more, we’re proud to announce we’ve just released version 7.9!
What’s New in AEG 7.9?
One of the biggest challenges facing organizations in the modern day is Bring Your Own Device (BYOD). More and more employees are accessing company networks using mobile devices, tablets, personal computers, etc. While many companies have a strict policy against this, it’s becoming a harder line to hold.
In AEG 7.9, we are now fully integrated with Microsoft Intune, allowing keys and certificates to be used with mobile devices. This means employees can securely access network assets and read encrypted emails on their mobile devices without adding even more certificates. In previous releases, we’d already integrated with JAMF, giving AEG the complete ability to manage digital certificates on any mobile device type, be it iOS, Android or Windows.
Additionally, we’ve improved the user experience and given administrators better visibility over their PKI implementation by adding regularly scheduled reporting. While manual reporting was already available via the dashboard, reports can now be scripted to run at regular intervals and will be sent to the relevant admins.
AEG has the tools to provide powerful support for managing your PKI, and automation has never been so desperately needed. Automating PKI saves organizations considerable costs, reduces workload, and improves crypto-agility and security posture. Best of all, you’re partnering with GlobalSign: a global PKI leader, publicly-trusted CA and qualified trust service provider.
Still not convinced?
Read our eBook on the hidden cost of AEG.
Dive into our datasheet for more details.
Or get in touch to tell us what you need to do and we’ll show you how AEG helps you do it.