10 PKI pitfalls & tips to secure your enterprise

Aug. 26, 2021
The traditional network firewall no longer provides sufficient protection.

By Tim Callan, chief compliance officer with Sectigo

The traditional network firewall no longer provides sufficient protection. We know workers access enterprise networks from an increasing web of connected devices which spans laptops, BYOD mobile devices, IoT devices, and more. Today, securing identities is of greater importance than securing a network perimeter, placing more pressure than ever on IT teams to secure digital identities across the entire enterprise.

Today’s technology businesses, from startups to international enterprises, need to secure all their connected devices—be they manufacturing assembly lines or server farms or laptops and smartphones.

To authenticate every user, device and application credential, enterprises are increasingly turning to Public Key Infrastructure (PKI). There is no stronger, easier-to-use authentication and encryption solution than the digital-identity certificates provided by PKI. Put simply, PKI-based digital certificates provide greater convenience, increased security, support for Zero Trust network architectures and continuous authentication without the use of static passwords.

Yet digital certificates are only as strong as the processes and tools behind them. Just as with any other security protocol, mistakes made with PKI can have devastating consequences. Consider one high-profile example of a PKI blunder: the state of California recently underreported coronavirus cases by as much as 300,000 because of a problem with a certificate.

Failure to follow PKI security best practices may result in creating vulnerabilities rather than protecting against them. Here are 10 PKI pitfalls, grouped in five categories, that IT and security teams may encounter.

Category: Certificate problems

One of the most preventable sources of certificate problems is issuing certificates that rely on poor or outdated configurations.

Pitfall #1: WEAK KEYS. Administrators commonly accept system defaults without considering how the certificate is defined. Keys shorter than 2048 bits are weak and make it easier for malicious actors to decrypt and steal information.

Pitfall #2: OUTDATED CRYPTOGRAPHIC ALGORITHMS. Using outdated hashing algorithms like SHA-1, which was officially deprecated by the National Institute of Standards and Technology in 2011, increases the risk of man-in-the-middle attacks and other malicious efforts to expose critical business systems.

Category: Security problems

Organizations must ensure the security of the entire PKI system, not just certificates.

Pitfall #3: IMPROPER PROTECTION OF PRIVATE KEYS. Improperly storing a private key is akin to locking your house but leaving the key in plain sight. It’s critical to store private keys in mobile-device secure enclaves or hardware trusted platform modules (TPMs).

Pitfall #4: FAILURE TO APPLY PATCHES AND RESPOND TO VULNERABILITIES. For organizations running their own certificate authority (CA), it is imperative to have the bandwidth and internal knowledge to apply system patches and updates to quickly remediate vulnerabilities when alert notifications occur.

Category: Deployment problems

The improper issuance and installation of certificates can make PKI systems unwieldy and difficult to manage.

Pitfall #5: FAILURE TO AUTOMATE CERTIFICATE RENEWAL. Relying on tracking spreadsheets and easily missed email notifications renders enterprises vulnerable to catastrophic service interruptions. An expired certificate not only creates a public-trust failure due to browser warnings, but also can result in widespread system outages.
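The checks behind pitfalls #1, #2 and #5 can be run mechanically over a certificate inventory. The following Go program is an added example, not code from the article or from Sectigo: it audits a parsed X.509 certificate for an RSA key shorter than 2048 bits, a SHA-1 or MD5 signature hash, and an expiry date inside a renewal window, and it constructs its own self-signed test certificate as a stand-in for one pulled from inventory.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// auditCert applies the checks behind pitfalls #1, #2 and #5 to a parsed certificate:
// RSA key shorter than 2048 bits, SHA-1/MD5 signature hash, and expiry within renewWindow.
func auditCert(c *x509.Certificate, now time.Time, renewWindow time.Duration) []string {
	var out []string
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		out = append(out, fmt.Sprintf("weak RSA key: %d bits", pub.N.BitLen()))
	}
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1, x509.MD5WithRSA, x509.MD2WithRSA:
		out = append(out, "deprecated signature algorithm: "+c.SignatureAlgorithm.String())
	}
	// A negative remaining lifetime means the certificate has already expired.
	if c.NotAfter.Sub(now) < renewWindow {
		out = append(out, "renewal due, expires "+c.NotAfter.Format(time.RFC3339))
	}
	return out
}

// must panics on error so the constructed test fixture stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a constructed self-signed certificate (a stand-in for one pulled
// from inventory) with the given RSA size, signature algorithm and remaining lifetime.
func selfSigned(bits int, alg x509.SignatureAlgorithm, lifetime time.Duration) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, bits))
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(lifetime),
		SignatureAlgorithm: alg,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	// A 1024-bit, SHA-1-signed certificate expiring in 10 days trips all three checks.
	weak := selfSigned(1024, x509.SHA1WithRSA, 10*24*time.Hour)
	fmt.Println(auditCert(weak, time.Now(), 30*24*time.Hour))
}
```

In a real deployment the certificates would come from the inventory the text recommends (scanned endpoints or a lifecycle-management platform) rather than from selfSigned, and each finding would feed a renewal or reissuance ticket.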

Pitfall #6: MAINTAINING AN UNNECESSARY MICROSOFT CERTIFICATE AUTHORITY. A Microsoft CA likely will not be able to handle all of an enterprise’s needs. As organizations undergo digital transformation, migrate to the cloud, or begin to employ DevOps, a more modern PKI system is needed to support non-Microsoft devices and environments. Maintaining a Microsoft CA exclusively for your Windows stack and using another private CA for other organizational needs, without a centralized certificate-management dashboard, creates unnecessary certificate-management overhead for already overworked IT teams. Run it all on your own private CA.

Category: Governance problems

Enterprises should establish a clear set of documented policies to guide the governance of PKI.

Pitfall #7: LACK OF GOVERNANCE, POLICY, AND CONSISTENCY. Enterprises need rules, policies and consistency in their use of PKI to minimize self-inflicted errors. To counter noncompliance, they need documented policies and strict governance that create a culture of security adherence and guard against a host of risks. PKI policies and governance must be documented in a certificate practice statement (CPS) that reflects the organization’s specific needs, to avoid vulnerabilities in generating, distributing and administering certificates.

Pitfall #8: USING PUBLIC CERTIFICATES WHERE PRIVATE WOULD BE BETTER, AND VICE VERSA. There is widespread familiarity with the publicly trusted SSL certificate. That’s why organizations often use public certificates where a private one would be better suited. On the other hand, some organizations might be using private certificates when they need the interoperability with systems outside the network that only a public certificate offers. When the use case isn’t driving the decision to go public or private, enterprises can end up with unsanctioned or unconventional certificate uses.

Category: Visibility problems

Despite the critical nature of PKI in the enterprise, many IT teams remain unaware of what’s operating in their systems.

Pitfall #9: ROGUE CERTIFICATES. A lack of visibility into all certificates operating in your environment undermines enterprise security. Rogue certificates exist and operate invisibly until an issue arises, for example an outage caused by an expired certificate that leaves IT teams scrambling to locate its source.

Pitfall #10: FAILURE TO PLAN FOR THE FUTURE. Enterprises must make PKI decisions that prepare for the challenges of the evolving threat landscape as well as their own potential growth and development, rather than focusing exclusively on solving problems in the here and now. Without a third-party digital certificate and certificate-lifecycle-management provider to automate PKI, enterprises are unlikely to stay current on evolving and changing cryptographic algorithms. It’s a failure that can render enterprises vulnerable to a host of security risks, especially considering the imminent availability of quantum-computing capabilities.

Expert guidance can steer you clear of EVERY PKI pitfall

Digital certificates are a foundational technology for an enterprise’s cybersecurity strategy. The threats posed by cyber-attackers continue to grow. Protecting against malware, ransomware, data loss and other cyber-threats is an ongoing battle and requires that companies stay up to date with the latest vulnerabilities and attack vectors.

PKI and device identity continue to play a key role, enabling Zero Trust network access security strategies and ensuring all access to company data and systems is properly authenticated. While digital certificates and PKI are established technologies that provide high levels of security, proper implementation is key.

Using a trusted digital certificate and automated certificate lifecycle-management platform can help to avoid all these PKI pitfalls and can future-proof organizations against issues that might develop down the road.