SlideShare a Scribd company logo

Easing the Pains of Certificate Management

Entrust Datacard, profile picture
Entrust Datacard

The document discusses the importance and challenges of managing SSL certificates in organizational security, particularly following several notable breaches that tested trust in certificate authorities. It highlights the increasing complexity of SSL management due to the diversity of certificate types and sources, as well as the potential consequences of mismanagement, such as lost business due to invalid certificates. The paper emphasizes the need for improved best practices and presents Entrust's certificate management service as a potential solution to these challenges.

Technology
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
50 Years of Growth, Innovation and Leadership Easing the Pains of Certificate Management: An Overview of Entrust, the No. 2 Provider of SSL Certificates in the Market A Frost & Sullivan White Paper www.frost.com
Frost & Sullivan Executive Summary ......................................................................................... 3 Introduction .................................................................................................... 4 What are Certificate Authorities and How are SSL Certificates Issued? .................................................................... 5 Privacy and Trust ............................................................................................. 6 The Increasing Need for SSL .......................................................................... 7 Information Security Best Practices and Digital Certificates ......................... 8 The Creation of Best Practices with Digital Certificates ................................. 8 Customer Challenges Managing SSL Certificates ........................................... 9 Multiple Certificate Sources ........................................................................... 9 Managing a Broad Array of Certificates .......................................................... 9 Certificates in an Environment ........................................................................ 9 Unexpected Expiration of Certificates ............................................................ 10 Maintaining Required Encryption Levels ......................................................... 10 Complying with Security Policy or Regulations ............................................... 10 Risk of Data Breach ........................................................................................ 10 Selecting a Certificate Authority—Balancing Value and Trust .......................... 11 Entrust Meets Today’s Challenges.................................................................... 11 Comprehensive Management Platform and Discovery Solutions ..................... 12 Flexible Deployment and Subscription Model ................................................. 13 Personalized Sales and Service ........................................................................ 14 Trusted Security Brand .................................................................................... 14 The Final Word ................................................................................................ 14 CONTENTS
Easing the Pains of Certificate Management EXECUTIVE SUMMARY Digital certificates are an essential piece of an organization’s security infrastructure. The need to secure multiple lines of data transfer is at an all-time high as organizations face the ever-changing methods criminals use to breach an organization. Consumers and end users have always relied on a trusted relation between themselves and the organization providing the content. End users have assumed that a secure line of communication exists. This is achieved through the installation of a digital certificate in the form of a Secure Socket Layer (SSL) digital certificate. SSL certificates, cryptographic protocols that allow for the secure transmission of data over the Internet, are only as strong as the verification process the Certificate Authority performs to authenticate the organization. In 2011, that implicit trust was tested by the attacks and breaches of multiple certificate authorities. While industry participants have gone to great lengths to assure customers that trust has not been affected, the industry has been forced to re-evaluate how business is done. The reliance on Domain Validated certificates, approximately 39 percent of all SSL certificates globally, has been heavily called into question as the means to verify the authenticity of the organization. The need to further authenticate the organization is becoming a required aspect of the trust framework between the organization and the user. This increased authentication is leading more organizations to use Organization Validated and Extended Validated certificates, which as of 2011 were approximately 45 percent and 16 percent, respectively, of all certificates issued globally. SSL is only one type of digital certificate that organizations implement. Other flavors of digital certificates also include code signing, Adobe CDS, and user and managed PKI certificates. All these certificates can be found scattered throughout an organization’s IT environment, leaving administrators with the daunting task of managing all of them. While implementing a certificate in an environment is the first step in securing lines of transfer, it is not enough. Organizations face many challenges after the implementation of a certificate. However, the challenges are not with the certificate itself. One challenge comes from managing all the certificates in an enterprise environment. It is not uncommon for a customer/user to come across an alert warning them of an unsecure site due to being incapable of verifying the validity of the certificate in place. Not only can this disrupt day-to-day operations, but it also can create customer/user confusion on whether to bypass the warning or exit the site, leading to either loss of confidence in the organization or loss of business revenue. Finding and managing multiple certificate types from multiple sources is also a major challenge. This can also become burdensome when an administrator in charge of certificates leaves the company or changes roles. Without a detailed inventory of these certificates, it is more difficult for organizations to manage encryption levels on the certificates, replace non-compliant certificates to comply with security policy or regulations, or assure there are no expired or rogue certificates in the environment. frost.com 3
Frost & Sullivan This paper analyzes SSL certificates and the growing need for SSL implementation and management. In addition, it identifies many challenges customers face with the management of certificates and the risks that come with improper certificate management. The latest baseline standards created by the Certificate Authority (CA)/Browser forum are also examined with a discussion around why these standards are important. Finally, this paper will present Entrust’s Certificate Management Service (CMS), a solution that Frost & Sullivan believes provides many advantages for organizations’ information security infrastructure. INTRODUCTION IT administrators have long struggled with managing their certificates. The challenge does not come just from the implementation of the technology, but from the management of the certificates after they have been implemented. Imagine being an administrator in a large enterprise in charge of thousands of digital certificates without a proper database to know what certificates are available/being used, where they are, what they contain, and when they expire. The threat of stopping business operations due to a rogue or expired certificate can be costly. Whether it is due to change in management or change of responsibilities, the management of digital certificates can become a headache for any IT administrator. Regardless of the size of the organization, the inability to manage hundreds of certificates can result in unexpected expiration of certificates. In realizing this problem, some Certificate Authorities (CAs), such as Entrust, have developed certificate management systems and discovery solutions to scan for and manage all the certificates in a network. In 2011, a hacker named “Comodohacker” claimed responsibility for the breaches of Comodo and DigiNotar. In the case of Comodo, the certificate authority, the hacker spoofed digital certificates for prominent websites through the use of a CA reseller account. With the DigiNotar case, the hacker accessed DigiNotar’s systems, issuing multiple fraudulent certificates. As the certificate authority in charge of the Dutch government’s public key infrastructure, the government was put on full alert of investigating the attack. The company was subsequently shut down. In addition to these attacks, the hacker threatened the possibility of compromising other CAs, which would be a huge blow to the SSL certificate industry. This hit CAs at the core value—trust. These breaches signify that even security vendors can be susceptible to breaches if the proper steps are not in place to proactively safeguard their systems or have a best-practice methodology in place. 4 frost.com
Easing the Pains of Certificate Management WHAT ARE CERTIFICATE AUTHORITIES AND HOW ARE SSL CERTIFICATES ISSUED? The most common digital certificate process consists of vendors and CAs who issue SSL certificates to secure an organization’s or individual’s website and Web server. As defined by the CA/Browser forum, a CA is a trusted third party that issues digital certificates and is the organization responsible for the creation, issuance, revocation, and management of those certificates. 1 CAs manage security credentials and public keys of these certificates. As the authority, CAs are responsible for completing the process of properly validating organizations prior to issuing a certificate. Once ownership of a website is validated, the certificate requested is issued. High-assurance certificates, which are organization and extended validated certificates, may contain information such as: • The name and information identifying the organization issued the certificate • The organization’s public key to encrypt sensitive information • The name of the CA who issued the certificate • A serial number • The certificate’s validity period A SSL certificate is an encryption technology installed on Web servers that allows transmission of sensitive data through an encrypted connection in a browser. SSL certificates ensure any transmission of data will not be compromised or captured by hackers and criminals. When a user makes a request and wants to send sensitive information to the Web server, the browser will access the server’s SSL certificate to obtain its public key to encrypt the data. With its private key, only the server can decrypt the information being sent, which keeps the information confidential and tamper proof. 1 “Frequently Asked Questions - Extended Validation SSL.” CA/Browser Forum. 10 January 2012. http://www.cabforum.org/faq.html frost.com 5
Frost & Sullivan Figure 1—SSL Transmission Process SSL Transmission ProcessSSL Transmission Process Request of secure page Public key and certificate is sent Certificate check—encryption Private key decryption—requested data sent Perhaps more important than the encryption of the channel, SSL certificates also provide various levels of identity assurance to site visitors. According to Frost & Sullivan’s market research, Domain Validated, Organization Validated, and Extended validation certificates accounted for 39 percent, 45 percent and 16 percent, respectively, of certificates issued. 2 DV certificates, the lowest assurance level of SSL certificates, only require the authentication of ownership of a domain in order to be issued, which has led to rapid adoption. However, the issue within the security industry regarding DV certificates is the lack of thoroughly validating the certificate requester. Within the CA breaches of 2011, the types of certificates issued were DV certificates. Entrust, along with many within the market, firmly believe that DV does not offer sufficient authentication. There is much effort put into validating a certificate requester for OV and EV certificates. At minimum, OV certificates require validation of the organization and ownership of the domain. EV certificates require validation of everything from the organization, location of the organization, rights to the domain, to the person requesting the certificate. Before 2011, only EV certificates had associated baseline standards, which were created by the CA/Browser forum. Privacy and Trust The need to secure lines of data transfer and provide identity assurance continues to be a top priority of organizations. As more organizational services and transactions migrate online, organizations must keep sensitive data private and secure. And to ensure site visitors leverage those online services, assuring them of the organizational 2 Martinez, Richard. “Analysis of the SSL Certificate Market.” Frost & Sullivan (1 November 2011): 20. 6 frost.com
Easing the Pains of Certificate Management identity is equally critical. In addition, as enterprises and governments rely more and more on SSL, the number of certificates in use is growing dramatically. Many organizations have multiple providers due to a decentralized purchasing process, which worked when they were dealing with smaller volumes and infrequent requests, but is no longer manageable at current volumes. Trust is a key factor for customers due to issues ranging from breaches to the concern about CAs lacking secure infrastructures/partner resellers. This has made customers take a closer look at which CA they will partner with. One assuring characteristic customers look for is that a CA is WebTrust certified. WebTrust is an independent organization whose certification process is intended to reduce certain business risks and provide a level of assurance to customers. 3 CAs that address principles in regards to security, availability, processing integrity, confidentiality, and privacy receive a WebTrust seal on their SSL Web page, identifying them as trusted vendors. Entrust is recognized as the first CA certified by WebTrust, which resulted in some of their processes and policies becoming the foundation of WebTrust certification. THE INCREASING NEED FOR SSL With businesses relying heavily on online data transactions, criminal efforts are continuing to gain steam. For example, according to McAfee Threats Report: Third Quarter 2011, malware attacks were expected to exceed 70 million samples by the end of 2011. The persistent threats are not slowing down. Through malware exploitation, an external agent can capture data through what is thought of as a secure line. This can occur if either a SSL certificate is not in place or does not have the proper encryption strength in place. Man-in-the-Middle (MitM) attacks were highlighted when valid certificates were issued by Comodo and DigiNotar for prominent domains, such as google.com, and used by criminals. Phishing attacks also continue to be a popular method criminals use to deceive users. In Q3 2011, McAfee reported an average of 2,700 phishing URLs per day. In addition, McAfee reported its findings of 3,500 new sites delivering malware are created per day. MitM attacks are predicted to be a top cybercrime trend in 2012. 4 Overall, it is important to note that in most cases, it is not just one type of attack that occurs in a single attack. Multiple types of attacks build upon each other to steal data or commit fraud. 3 McAfee. “McAfee Threats Report: Third Quarter 2011.” Intel (January 2012): 1-23. 4 RSA, The Security Division of EMC. “RSA 2012 Cybercrime Trends Report: The Current State of Cybercrime and What to Expect in 2012,” EMC Corporation (January 2012): 1-8. frost.com 7
Frost & Sullivan INFORMATION SECURITY BEST PRACTICES AND DIGITAL CERTIFICATES Trust is the core characteristic of the relationship between CAs, digital certificates, organizations and users. For example, organizations rely on SSL certificates to assure users that when they access the organization’s site with an installed certificate, they are visiting the correct site and any information transmitted will be encrypted and safely transmitted. The SSL market was shaken by reports of breaches of several CAs. The CA/Browser forum realized that the lack of regulation of all certificate issuance processes needed to be reviewed. The CA/Browser Forum is a voluntary organization of leading certification authorities and vendors of Internet browser software and other applications. 5 The Creation of Best Practices with Digital Certificates Beginning in July 2012, the CA/Browser forum’s “Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates” will take effect. These requirements are for the operation of certification authorities issuing SSL/TLS digital certificates. After the breaches of 2011, the call for best practices/baseline requirements grew louder within the security community and consumers, alike. The baseline requirements provide clear standards for CAs, including external sub-CAs and registration authorities, on: Entrust is an active participant within the • Verification of identity CA/Browser forum, driving many • Certificate content and profiles initiatives to improve the practice of issuing • CA security digital certificates. • Revocation mechanisms Dr. Tim Moses, an Entrust senior • Use of algorithms and key sizes director, is currently the chairman of the • Audit requirements CA/Browser forum. • Liability, privacy and confidentiality, and delegation Frost & Sullivan applauds the creation of the new baseline requirements created by the CA/Browser forum. As the efforts of hackers continue to become more sophisticated and complex, the business need for baseline requirements to create a best practice methodology is crystal clear. All parties will be positively affected by 5 “CA/Browser Forum Home Page.” CA/Browser Forum. 10 January 2012. http://www.cabforum.org/forum.html 8 frost.com
Easing the Pains of Certificate Management this new methodology. CAs will be safeguarded by the new requirements of business operation, and organizations, especially those with prominent websites, can be assured that criminals trying to create a phishing page or a MitM attack using a certificate will be audited and denied. CUSTOMER CHALLENGES MANAGING SSL CERTIFICATES Accessing a website and getting an error message warning that the connection may not be secure can be confusing for users. There is the question of whether the certificate/website is valid. To a user that is not familiar with the certificate process and life cycle, they will either opt to forgo the website or ignore and bypass the warning. In the case that a user bypasses the warning and the website is in fact a phishing site, a user’s sensitive data can be captured and used by criminals. This is a problem that has plagued organizations. Making matters worse, keeping up with what certificates are in place, where, and how many are installed can be a daunting task for IT administrators if certificates have not been properly documented. Multiple Certificate Sources It is not uncommon for an organization to purchase multiple digital certificates from multiple vendors. However, a problem that many organizations have is keeping track of the expiry date of each certificate. While purchasing certificates from one CA offers the advantage of easily being able to view when a certificate was purchased, this can get cumbersome when working with multiple CAs. Whether it is due to company mergers/acquisitions, better value at a particular time, or the role of an administrator handling the certificate changes, reaching out to multiple CAs to attempt to retrieve information about certificates purchased can become a headache for organizations, leaving room for mistakes. Managing a Broad Array of Certificates In line with managing multiple certificates from multiple CAs, managing the type of certificates in an organization’s environment is very important. As discussed earlier, there are three types of SSL certificates available. Depending on Web page/server specifications laid out, an organization may opt for an OV certificate in one page and an EV certificate in another. As websites develop over time, these requirements could change and more/different types of certificates may be required. In addition, administrators often have more than SSL certificates to manage. Administrators often need to manage code signing certificates, Adobe CDS certificates, user certificates, and managed PKI certificates in addition to SSL certificates. Certificates in an Environment A perk that many organizations take advantage of is purchasing certificates in bulk, rather than buying a certificate just when they need one. In fact, this is a suggested working practice at larger organizations and government entities. The only drawback is frost.com 9
Frost & Sullivan accounting for those certificates. How long has a certificate been deployed? Where is it deployed? Has it been copied to multiple servers? When is its expiration date? How many certificates are left? What is its crypto-strength? These are all questions administrators have when trying to figure out what certificates are in their environment. Unexpected Expiration of Certificates In cases where a digital certificate can stop business operations, a question that comes to mind is, “How could this slip by?” A prime example of a mishap like this occurred in 2010, when the Target.com gift-card site was shut down because it gave a warning that the connection was not trusted. 6 The cause of this incident was an expired certificate. The problem, however, is challenging to avoid since in the absence of a failsafe process to renew a certificate (deploy a new certificate to replace the expiring certificate), the incumbent certificate will expire and potentially cause an outage. Maintaining Required Encryption Levels The strength of encryption in a SSL certificate can be broken up into two categories. A session key is created in the process of a user requesting information from a Web server. Public/private encryption strength is determined when the certificate signing request (CSR) and private key are created. 7 Depending on the level of sensitive data being accessed or processed, an administrator will have to change the encryption strength. However, effective December 31, 2013, 2048-bit key strength will be mandatory for publicly trusted SSL certificates. Complying with Security Policy or Regulations As legislative regulations and company security policies evolve, the need to make these changes in a timely manner is crucial to avoid potential fines or outages. For example, if the encryption levels of certificates on several servers need to be increased on a certain date due to a change in policy, having a tool that automatically sends a notification to administrators of when the change is needed and where the certificates reside helps to ensure organizational compliance. Risk of Data Breach The possibility of a data breach is always on the minds of IT administrators. In addition, a customer accessing an organization’s encrypted website expects that any data entered and transmitted will be safeguarded with proper encryption levels. If the encryption levels of certificates in place do not meet required levels, they can be targeted and cracked by criminals. 6 Schuman, Evan. "Target.com Blocked, SSL Certs Blamed." Web. 10 February 2012. http://storefrontbacktalk.com/securityfraud/target-com-blocked-ssl-certs-blamed 7 “SSL Details.” SSL Shopper. 10 January 2012. http://www.sslshopper.com/ssl-details.html 10 frost.com
Easing the Pains of Certificate Management Selecting a Certificate Authority—Balancing Value and Trust Based on the size of a potential customer and budget limitations, customers are not only looking for the best bang for their buck. They are also looking for a company with a reputable track record with high-assurance certificate offerings. Trust is critical when choosing a CA. For example, if an organization needs switch out of their certificates due to a trust issue with a CA, the expense of certificates, the manpower and the time involved to transition makes this a painful process for organizations. With the talks of commoditization in the SSL certificate market, CAs are relying on their track record and the facts behind that reputation to win over customers. While price points are a major topic of discussion, value features such as types of certificates, helpful tools, and customer service also come into play when a customer makes a decision on choosing a CA provider. ENTRUST MEETS TODAY’S CHALLENGES Entrust is a highly respected certificate authority that focuses on offering only high- assurance SSL certificates, OV and EV, at the enterprise level. With a focus on the enterprise, Entrust is aware of and develops solutions for enterprise-class business needs. This has earned the company a reputation as a highly respected certificate authority and garnered sales in the market. As a result, Entrust currently has the second-largest market share in the total CA market and in the issuance of high-assurance certificates. Figure 2—High-Assurance (Organization and Extended Validated) Certificates Issued Market Share 8 High-Assurance (Organization and Extended Validated) Certificates Issued Market Share 8 8% Symantec 28% Entrust Others* 64% *Others category includes more than 10 other companies that issue high-assurance certificates 8 Ibid., p. 7. frost.com 11
Frost & Sullivan Comprehensive Management Platform and Discovery Solutions Given the challenges that its customers face when it comes to managing all types of certificates, Entrust has raised the bar to develop a comprehensive solution that has the ability to discover and manage all certificate types. The cloud-based CMS enables organizations to efficiently manage their Entrust certificates through: • Administrative delegation and workflow • On-demand services • Audit and reporting tools • A strong verification process • A flexible subscription model Entrust CMS includes a discovery component that eases some of the pain of knowing what certificates are in an organization’s environment. This enables organizations to effectively create an inventory list of their certificates, regardless of certificate type or vendor, but it does not allow management of the certificates. A separate solution, called Entrust Discovery, takes certificate discovery a step further. Entrust Discovery provides organizations with the ability to manage certificate life cycles, regardless of certificate type or vendor, through expiration notifications, inventory lists and policy alerts. This avoids compliance problems, application outages, and management headaches. Figure 3—Certificates Found with Entrust Discovery 9 Certificates Found with Entrust Discovery 9 Miscellaneous CAPI Certificates Certificates Code-Signing Laptop MS CAPI Other—Cold Backups Desktop MS CAPI Entrust Discovery Server All Certificates • Email expiry notifications Certificate Types SSL Server • Policy violations MS CA • Reporting Any CA • Custom data • Single Certificate Interface Source: Entrust 9 “Entrust Certificate Discovery.” Entrust. 10 January 2012. http://www.entrust.net/discovery/index.htm 12 frost.com
Easing the Pains of Certificate Management Flexible Deployment and Subscription Model Entrust offers CMS and Discovery as SaaS cloud solutions, enabling immediate deployment, automatic updates, high availability, excellent performance, and included silver-level support. Entrust also offers an Enterprise model that allows organizations to host the Discovery component on-premise with complete control over their data and application version. The two Discovery deployment models provide an organization with the flexibility and security that fits them best. Figure 4—Entrust Discovery Deployment Models 10 Entrust Discovery Deployment Models10 Service Model Enterprise Model • Immediate Single • Customer deployment E-mail Expiry Certificate premises Notifications Interface • Automatic • Complete manager control updates Policy Custom over data Violations Data • Deployment • Application in secure version environment Reporting control Source: Entrust Entrust also provides its customers the choice of pooling concurrent licenses or non-pooling subscription models. Pooling provides organizations the ability to purchase concurrent licenses and revoke a certificate, returning it to the license repository, with the ability to re-purpose the license as long as the certificate is valid. Non-pooling gives organizations the ability to purchase certificates in terms of unit years. This gives organizations control over certificate purchases, depending on business needs and budget requirements. 10 Ibid., p. 12. frost.com 13
Frost & Sullivan Personalized Sales and Service Entrust has proven in competitive situations that it can offer enterprises high-level certificates to effectively secure their lines of data transfer. Entrust CMS resolves the problems of finding where and what certificates are in an organization’s environment, effectively managing certificate term periods, and offers a compelling balance of value and trust. With a customer renewal rate above 98 percent and best-in-class customer support, Entrust has continuously proven to be a trusted security brand. Trusted Security Brand With approximately 40 percent of Fortune 500 companies using Entrust’s solutions, the company has built a reputation of developing around the needs of the enterprise and addressing those needs efficiently and effectively. The company provides competitively priced solutions without sacrificing quality. Entrust understands that trust is at the core of any security technology, and with consistent 30 percent year-over-year growth, Entrust’s solutions and services are clearly valued by its customers and the security industry. THE FINAL WORD As the methods criminals use to create breaches continue to grow, organizations must be able to secure all lines of data transfer. While it is fairly simple to implement a certificate into an organization’s environment, managing hundreds to thousands of certificates can be difficult. If an application outage occurs due to an expired certificate, the resulting loss of traffic can cost an organization hundreds of thousands to millions of dollars. The need to know where all certificates are implemented, the ability to change encryption levels to comply with regulations, and the ability to manage those certificates must be done efficiently. A comprehensive solution from a trusted vendor with a focus on delivering best-in-class digital certificates is ideal for organizations facing these challenges. Entrust has proven to be a top-ranked certificate authority that focuses on the needs of the enterprise. The company’s continued efforts in developing solutions for enterprise business needs led to the creation of Entrust CMS. Frost & Sullivan believes Entrust CMS is a complete solution that provides customers with a high-value service without a high price tag. 14 frost.com
Silicon Valley San Antonio London 331 E. Evelyn Ave. Suite 100 7550 West Interstate 10, 4, Grosvenor Gardens, Mountain View, CA 94041 Suite 400, London SWIW ODH,UK Tel 650.475.4500 San Antonio, Texas 78229-5616 Tel 44(0)20 7730 3438 Fax 650.475.1570 Tel 210.348.1000 Fax 44(0)20 7730 3343 Fax 210.348.1003 877.GoFrost • myfrost@frost.com http://www.frost.com ABOUT ENTRUST: Entrust provides identity-based security solutions that empower enterprises, consumers, citizens and websites in more than 4,000 organizations spanning 60 countries. Entrust's identity-based approach offers the right balance between affordability, expertise and service. With more than 125 patents granted and pending, these world-class solutions include strong authentication, physical and logical access, credentialing, mobile security, fraud detection, digital certificates, SSL and PKI. www.entrust.net ABOUT FROST & SULLIVAN Frost & Sullivan, the Growth Partnership Company, partners with clients to accelerate their growth. The company's TEAM Research, Growth Consulting, and Growth Team Membership™ empower clients to create a growth-focused culture that generates, evaluates, and implements effective growth strategies. Frost & Sullivan employs over 50 years of experience in partnering with Global 1000 companies, emerging businesses, and the investment community from more than 40 offices on six continents. For more information about Frost & Sullivan’s Growth Partnership Services, visit http://www.frost.com. For information regarding permission, write: Frost & Sullivan 331 E. Evelyn Ave. Suite 100 Mountain View, CA 94041 Auckland Dubai Mumbai Sophia Antipolis Bangkok Frankfurt Manhattan Sydney Beijing Hong Kong Oxford Taipei Bengaluru Istanbul Paris Tel Aviv Bogotá Jakarta Rockville Centre Tokyo Buenos Aires Kolkata San Antonio Toronto Cape Town Kuala Lumpur São Paulo Warsaw Chennai London Seoul Washington, DC Colombo Mexico City Shanghai Delhi / NCR Milan Silicon Valley Dhaka Moscow Singapore

More Related Content

PDF
Strong Authentication: Securing Identities and Enabling Business
SafeNet
 
PDF
REMOVAL OF CERTIFICATES FROM SET PROTOCOL USING CERTIFICATELESS PUBLIC KEY CR...
IJNSA Journal
 
PDF
2020 KringleCon HolidayHack Report - Brazzell
Curtis Brazzell
 
PDF
Symantec-CWS_Brochure
Justyna Majek
 
PPTX
Isaca e symposium understanding your data flow jul 6
Ulf Mattsson
 
PDF
Identity federation – Mitigating Risks and Liabilities
Guy Huntington
 
PDF
The Business Case for Account Lockout Management
Netwrix Corporation
 
PDF
76 s201923
IJRAT
 
Strong Authentication: Securing Identities and Enabling Business
SafeNet
 
REMOVAL OF CERTIFICATES FROM SET PROTOCOL USING CERTIFICATELESS PUBLIC KEY CR...
IJNSA Journal
 
2020 KringleCon HolidayHack Report - Brazzell
Curtis Brazzell
 
Symantec-CWS_Brochure
Justyna Majek
 
Isaca e symposium understanding your data flow jul 6
Ulf Mattsson
 
Identity federation – Mitigating Risks and Liabilities
Guy Huntington
 
The Business Case for Account Lockout Management
Netwrix Corporation
 
76 s201923
IJRAT
 

Similar to Easing the Pains of Certificate Management (20)

PDF
Digital certificate management v1 (Draft)
Avirot Mitamura
 
PDF
Meeting Mobile and BYOD Security Challenges
Symantec
 
PDF
Is web security part of your annual security audit
Dianne Douglas
 
PPTX
Kent King - PKI: Do You Know Your Exposure?
centralohioissa
 
PDF
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Netgate
 
PDF
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
JUSTSTYLISH3B2MOHALI
 
DOC
Certification authority
proser tech
 
PDF
Four Must Know Certificate and Key Management Threats That Can Bring Down You...
Venafi
 
PPT
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Nicholas Davis
 
PPT
Pki & personal digital certificates, securing sensitive electronic communicat...
Nicholas Davis
 
PPT
Securing email and electronic documents with digital certificates, by nichola...
Nicholas Davis
 
PPT
Securing Email And Electronic Documents With Digital Certificates, By Nichola...
Nicholas Davis
 
PPT
Session 10 Tp 10
githe26200
 
PPTX
Impact of digital certificate in network security
rhassan84
 
PPTX
Impact of digital certificate in network security
rhassan84
 
PDF
Alternatives to Certificate Authorities for a Secure Web
CASCouncil
 
PPTX
Best Practices for Certificate Management
AppViewX
 
PDF
eBook_PKI-AreYouDoingItWrong2022-f.pdf
HaNguyenThanh21
 
PPT
PKI by Gene Itkis
Information Security Awareness Group
 
PPT
Pki & Personal Digital Certificates, The Key To Securing Sensitive Electr...
Nicholas Davis
 
Digital certificate management v1 (Draft)
Avirot Mitamura
 
Meeting Mobile and BYOD Security Challenges
Symantec
 
Is web security part of your annual security audit
Dianne Douglas
 
Kent King - PKI: Do You Know Your Exposure?
centralohioissa
 
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Netgate
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
JUSTSTYLISH3B2MOHALI
 
Certification authority
proser tech
 
Four Must Know Certificate and Key Management Threats That Can Bring Down You...
Venafi
 
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Nicholas Davis
 
Pki & personal digital certificates, securing sensitive electronic communicat...
Nicholas Davis
 
Securing email and electronic documents with digital certificates, by nichola...
Nicholas Davis
 
Securing Email And Electronic Documents With Digital Certificates, By Nichola...
Nicholas Davis
 
Session 10 Tp 10
githe26200
 
Impact of digital certificate in network security
rhassan84
 
Impact of digital certificate in network security
rhassan84
 
Alternatives to Certificate Authorities for a Secure Web
CASCouncil
 
Best Practices for Certificate Management
AppViewX
 
eBook_PKI-AreYouDoingItWrong2022-f.pdf
HaNguyenThanh21
 
PKI by Gene Itkis
Information Security Awareness Group
 
Pki & Personal Digital Certificates, The Key To Securing Sensitive Electr...
Nicholas Davis
 
Ad

More from Entrust Datacard (14)

PDF
INFOGRAPHIC: Switch to SHA-2 SSL Certificates
Entrust Datacard
 
PDF
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
Entrust Datacard
 
PDF
INFOGRAPHIC: Securing the Internet of Things
Entrust Datacard
 
PDF
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
Entrust Datacard
 
PDF
Defeating Man-in-the-Browser Malware
Entrust Datacard
 
PDF
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Entrust Datacard
 
PDF
INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust?
Entrust Datacard
 
PDF
Zero to Dual_EC_DRBG in 30 minutes
Entrust Datacard
 
PDF
Advanced Solutions for Critical Infrastructure Protection
Entrust Datacard
 
PDF
Entrust Solutions Portfolio
Entrust Datacard
 
PDF
Entrust Physical & Logical Access Solutions
Entrust Datacard
 
PDF
Entrust IdentityGuard Mobile
Entrust Datacard
 
PDF
Entrust Mobile Security Solutions
Entrust Datacard
 
PDF
Entrust Enterprise Authentication
Entrust Datacard
 
INFOGRAPHIC: Switch to SHA-2 SSL Certificates
Entrust Datacard
 
Switch to SHA-2 SSL - A Step-by-Step Migration Guide
Entrust Datacard
 
INFOGRAPHIC: Securing the Internet of Things
Entrust Datacard
 
IDENTITY PLATFORMS: How central, flexible, deployment of multiple authenticat...
Entrust Datacard
 
Defeating Man-in-the-Browser Malware
Entrust Datacard
 
Zero to ECC in 30 Minutes: A primer on Elliptic Curve Cryptography (ECC)
Entrust Datacard
 
INFOGRAPHIC: Why Did Datacard Group Acquire Security Expert Entrust?
Entrust Datacard
 
Zero to Dual_EC_DRBG in 30 minutes
Entrust Datacard
 
Advanced Solutions for Critical Infrastructure Protection
Entrust Datacard
 
Entrust Solutions Portfolio
Entrust Datacard
 
Entrust Physical & Logical Access Solutions
Entrust Datacard
 
Entrust IdentityGuard Mobile
Entrust Datacard
 
Entrust Mobile Security Solutions
Entrust Datacard
 
Entrust Enterprise Authentication
Entrust Datacard
 
Ad

Recently uploaded (20)

PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Encapsulation theory and applications.pdf
gurumoop
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 

Easing the Pains of Certificate Management

  • 1. 50 Years of Growth, Innovation and Leadership Easing the Pains of Certificate Management: An Overview of Entrust, the No. 2 Provider of SSL Certificates in the Market A Frost & Sullivan White Paper www.frost.com
  • 2. Frost & Sullivan Executive Summary ......................................................................................... 3 Introduction .................................................................................................... 4 What are Certificate Authorities and How are SSL Certificates Issued? .................................................................... 5 Privacy and Trust ............................................................................................. 6 The Increasing Need for SSL .......................................................................... 7 Information Security Best Practices and Digital Certificates ......................... 8 The Creation of Best Practices with Digital Certificates ................................. 8 Customer Challenges Managing SSL Certificates ........................................... 9 Multiple Certificate Sources ........................................................................... 9 Managing a Broad Array of Certificates .......................................................... 9 Certificates in an Environment ........................................................................ 9 Unexpected Expiration of Certificates ............................................................ 10 Maintaining Required Encryption Levels ......................................................... 10 Complying with Security Policy or Regulations ............................................... 10 Risk of Data Breach ........................................................................................ 10 Selecting a Certificate Authority—Balancing Value and Trust .......................... 11 Entrust Meets Today’s Challenges.................................................................... 11 Comprehensive Management Platform and Discovery Solutions ..................... 12 Flexible Deployment and Subscription Model ................................................. 13 Personalized Sales and Service ........................................................................ 14 Trusted Security Brand .................................................................................... 14 The Final Word ................................................................................................ 14 CONTENTS
  • 3. Easing the Pains of Certificate Management EXECUTIVE SUMMARY Digital certificates are an essential piece of an organization’s security infrastructure. The need to secure multiple lines of data transfer is at an all-time high as organizations face the ever-changing methods criminals use to breach an organization. Consumers and end users have always relied on a trusted relation between themselves and the organization providing the content. End users have assumed that a secure line of communication exists. This is achieved through the installation of a digital certificate in the form of a Secure Socket Layer (SSL) digital certificate. SSL certificates, cryptographic protocols that allow for the secure transmission of data over the Internet, are only as strong as the verification process the Certificate Authority performs to authenticate the organization. In 2011, that implicit trust was tested by the attacks and breaches of multiple certificate authorities. While industry participants have gone to great lengths to assure customers that trust has not been affected, the industry has been forced to re-evaluate how business is done. The reliance on Domain Validated certificates, approximately 39 percent of all SSL certificates globally, has been heavily called into question as the means to verify the authenticity of the organization. The need to further authenticate the organization is becoming a required aspect of the trust framework between the organization and the user. This increased authentication is leading more organizations to use Organization Validated and Extended Validated certificates, which as of 2011 were approximately 45 percent and 16 percent, respectively, of all certificates issued globally. SSL is only one type of digital certificate that organizations implement. Other flavors of digital certificates also include code signing, Adobe CDS, and user and managed PKI certificates. All these certificates can be found scattered throughout an organization’s IT environment, leaving administrators with the daunting task of managing all of them. While implementing a certificate in an environment is the first step in securing lines of transfer, it is not enough. Organizations face many challenges after the implementation of a certificate. However, the challenges are not with the certificate itself. One challenge comes from managing all the certificates in an enterprise environment. It is not uncommon for a customer/user to come across an alert warning them of an unsecure site due to being incapable of verifying the validity of the certificate in place. Not only can this disrupt day-to-day operations, but it also can create customer/user confusion on whether to bypass the warning or exit the site, leading to either loss of confidence in the organization or loss of business revenue. Finding and managing multiple certificate types from multiple sources is also a major challenge. This can also become burdensome when an administrator in charge of certificates leaves the company or changes roles. Without a detailed inventory of these certificates, it is more difficult for organizations to manage encryption levels on the certificates, replace non-compliant certificates to comply with security policy or regulations, or assure there are no expired or rogue certificates in the environment. frost.com 3
  • 4. Frost & Sullivan This paper analyzes SSL certificates and the growing need for SSL implementation and management. In addition, it identifies many challenges customers face with the management of certificates and the risks that come with improper certificate management. The latest baseline standards created by the Certificate Authority (CA)/Browser forum are also examined with a discussion around why these standards are important. Finally, this paper will present Entrust’s Certificate Management Service (CMS), a solution that Frost & Sullivan believes provides many advantages for organizations’ information security infrastructure. INTRODUCTION IT administrators have long struggled with managing their certificates. The challenge does not come just from the implementation of the technology, but from the management of the certificates after they have been implemented. Imagine being an administrator in a large enterprise in charge of thousands of digital certificates without a proper database to know what certificates are available/being used, where they are, what they contain, and when they expire. The threat of stopping business operations due to a rogue or expired certificate can be costly. Whether it is due to change in management or change of responsibilities, the management of digital certificates can become a headache for any IT administrator. Regardless of the size of the organization, the inability to manage hundreds of certificates can result in unexpected expiration of certificates. In realizing this problem, some Certificate Authorities (CAs), such as Entrust, have developed certificate management systems and discovery solutions to scan for and manage all the certificates in a network. In 2011, a hacker named “Comodohacker” claimed responsibility for the breaches of Comodo and DigiNotar. In the case of Comodo, the certificate authority, the hacker spoofed digital certificates for prominent websites through the use of a CA reseller account. With the DigiNotar case, the hacker accessed DigiNotar’s systems, issuing multiple fraudulent certificates. As the certificate authority in charge of the Dutch government’s public key infrastructure, the government was put on full alert of investigating the attack. The company was subsequently shut down. In addition to these attacks, the hacker threatened the possibility of compromising other CAs, which would be a huge blow to the SSL certificate industry. This hit CAs at the core value—trust. These breaches signify that even security vendors can be susceptible to breaches if the proper steps are not in place to proactively safeguard their systems or have a best-practice methodology in place. 4 frost.com
  • 5. Easing the Pains of Certificate Management WHAT ARE CERTIFICATE AUTHORITIES AND HOW ARE SSL CERTIFICATES ISSUED? The most common digital certificate process consists of vendors and CAs who issue SSL certificates to secure an organization’s or individual’s website and Web server. As defined by the CA/Browser forum, a CA is a trusted third party that issues digital certificates and is the organization responsible for the creation, issuance, revocation, and management of those certificates. 1 CAs manage security credentials and public keys of these certificates. As the authority, CAs are responsible for completing the process of properly validating organizations prior to issuing a certificate. Once ownership of a website is validated, the certificate requested is issued. High-assurance certificates, which are organization and extended validated certificates, may contain information such as: • The name and information identifying the organization issued the certificate • The organization’s public key to encrypt sensitive information • The name of the CA who issued the certificate • A serial number • The certificate’s validity period A SSL certificate is an encryption technology installed on Web servers that allows transmission of sensitive data through an encrypted connection in a browser. SSL certificates ensure any transmission of data will not be compromised or captured by hackers and criminals. When a user makes a request and wants to send sensitive information to the Web server, the browser will access the server’s SSL certificate to obtain its public key to encrypt the data. With its private key, only the server can decrypt the information being sent, which keeps the information confidential and tamper proof. 1 “Frequently Asked Questions - Extended Validation SSL.” CA/Browser Forum. 10 January 2012. http://www.cabforum.org/faq.html frost.com 5
  • 6. Frost & Sullivan Figure 1—SSL Transmission Process SSL Transmission ProcessSSL Transmission Process Request of secure page Public key and certificate is sent Certificate check—encryption Private key decryption—requested data sent Perhaps more important than the encryption of the channel, SSL certificates also provide various levels of identity assurance to site visitors. According to Frost & Sullivan’s market research, Domain Validated, Organization Validated, and Extended validation certificates accounted for 39 percent, 45 percent and 16 percent, respectively, of certificates issued. 2 DV certificates, the lowest assurance level of SSL certificates, only require the authentication of ownership of a domain in order to be issued, which has led to rapid adoption. However, the issue within the security industry regarding DV certificates is the lack of thoroughly validating the certificate requester. Within the CA breaches of 2011, the types of certificates issued were DV certificates. Entrust, along with many within the market, firmly believe that DV does not offer sufficient authentication. There is much effort put into validating a certificate requester for OV and EV certificates. At minimum, OV certificates require validation of the organization and ownership of the domain. EV certificates require validation of everything from the organization, location of the organization, rights to the domain, to the person requesting the certificate. Before 2011, only EV certificates had associated baseline standards, which were created by the CA/Browser forum. Privacy and Trust The need to secure lines of data transfer and provide identity assurance continues to be a top priority of organizations. As more organizational services and transactions migrate online, organizations must keep sensitive data private and secure. And to ensure site visitors leverage those online services, assuring them of the organizational 2 Martinez, Richard. “Analysis of the SSL Certificate Market.” Frost & Sullivan (1 November 2011): 20. 6 frost.com
  • 7. Easing the Pains of Certificate Management identity is equally critical. In addition, as enterprises and governments rely more and more on SSL, the number of certificates in use is growing dramatically. Many organizations have multiple providers due to a decentralized purchasing process, which worked when they were dealing with smaller volumes and infrequent requests, but is no longer manageable at current volumes. Trust is a key factor for customers due to issues ranging from breaches to the concern about CAs lacking secure infrastructures/partner resellers. This has made customers take a closer look at which CA they will partner with. One assuring characteristic customers look for is that a CA is WebTrust certified. WebTrust is an independent organization whose certification process is intended to reduce certain business risks and provide a level of assurance to customers. 3 CAs that address principles in regards to security, availability, processing integrity, confidentiality, and privacy receive a WebTrust seal on their SSL Web page, identifying them as trusted vendors. Entrust is recognized as the first CA certified by WebTrust, which resulted in some of their processes and policies becoming the foundation of WebTrust certification. THE INCREASING NEED FOR SSL With businesses relying heavily on online data transactions, criminal efforts are continuing to gain steam. For example, according to McAfee Threats Report: Third Quarter 2011, malware attacks were expected to exceed 70 million samples by the end of 2011. The persistent threats are not slowing down. Through malware exploitation, an external agent can capture data through what is thought of as a secure line. This can occur if either a SSL certificate is not in place or does not have the proper encryption strength in place. Man-in-the-Middle (MitM) attacks were highlighted when valid certificates were issued by Comodo and DigiNotar for prominent domains, such as google.com, and used by criminals. Phishing attacks also continue to be a popular method criminals use to deceive users. In Q3 2011, McAfee reported an average of 2,700 phishing URLs per day. In addition, McAfee reported its findings of 3,500 new sites delivering malware are created per day. MitM attacks are predicted to be a top cybercrime trend in 2012. 4 Overall, it is important to note that in most cases, it is not just one type of attack that occurs in a single attack. Multiple types of attacks build upon each other to steal data or commit fraud. 3 McAfee. “McAfee Threats Report: Third Quarter 2011.” Intel (January 2012): 1-23. 4 RSA, The Security Division of EMC. “RSA 2012 Cybercrime Trends Report: The Current State of Cybercrime and What to Expect in 2012,” EMC Corporation (January 2012): 1-8. frost.com 7
  • 8. Frost & Sullivan INFORMATION SECURITY BEST PRACTICES AND DIGITAL CERTIFICATES Trust is the core characteristic of the relationship between CAs, digital certificates, organizations and users. For example, organizations rely on SSL certificates to assure users that when they access the organization’s site with an installed certificate, they are visiting the correct site and any information transmitted will be encrypted and safely transmitted. The SSL market was shaken by reports of breaches of several CAs. The CA/Browser forum realized that the lack of regulation of all certificate issuance processes needed to be reviewed. The CA/Browser Forum is a voluntary organization of leading certification authorities and vendors of Internet browser software and other applications. 5 The Creation of Best Practices with Digital Certificates Beginning in July 2012, the CA/Browser forum’s “Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates” will take effect. These requirements are for the operation of certification authorities issuing SSL/TLS digital certificates. After the breaches of 2011, the call for best practices/baseline requirements grew louder within the security community and consumers, alike. The baseline requirements provide clear standards for CAs, including external sub-CAs and registration authorities, on: Entrust is an active participant within the • Verification of identity CA/Browser forum, driving many • Certificate content and profiles initiatives to improve the practice of issuing • CA security digital certificates. • Revocation mechanisms Dr. Tim Moses, an Entrust senior • Use of algorithms and key sizes director, is currently the chairman of the • Audit requirements CA/Browser forum. • Liability, privacy and confidentiality, and delegation Frost & Sullivan applauds the creation of the new baseline requirements created by the CA/Browser forum. As the efforts of hackers continue to become more sophisticated and complex, the business need for baseline requirements to create a best practice methodology is crystal clear. All parties will be positively affected by 5 “CA/Browser Forum Home Page.” CA/Browser Forum. 10 January 2012. http://www.cabforum.org/forum.html 8 frost.com
  • 9. Easing the Pains of Certificate Management this new methodology. CAs will be safeguarded by the new requirements of business operation, and organizations, especially those with prominent websites, can be assured that criminals trying to create a phishing page or a MitM attack using a certificate will be audited and denied. CUSTOMER CHALLENGES MANAGING SSL CERTIFICATES Accessing a website and getting an error message warning that the connection may not be secure can be confusing for users. There is the question of whether the certificate/website is valid. To a user that is not familiar with the certificate process and life cycle, they will either opt to forgo the website or ignore and bypass the warning. In the case that a user bypasses the warning and the website is in fact a phishing site, a user’s sensitive data can be captured and used by criminals. This is a problem that has plagued organizations. Making matters worse, keeping up with what certificates are in place, where, and how many are installed can be a daunting task for IT administrators if certificates have not been properly documented. Multiple Certificate Sources It is not uncommon for an organization to purchase multiple digital certificates from multiple vendors. However, a problem that many organizations have is keeping track of the expiry date of each certificate. While purchasing certificates from one CA offers the advantage of easily being able to view when a certificate was purchased, this can get cumbersome when working with multiple CAs. Whether it is due to company mergers/acquisitions, better value at a particular time, or the role of an administrator handling the certificate changes, reaching out to multiple CAs to attempt to retrieve information about certificates purchased can become a headache for organizations, leaving room for mistakes. Managing a Broad Array of Certificates In line with managing multiple certificates from multiple CAs, managing the type of certificates in an organization’s environment is very important. As discussed earlier, there are three types of SSL certificates available. Depending on Web page/server specifications laid out, an organization may opt for an OV certificate in one page and an EV certificate in another. As websites develop over time, these requirements could change and more/different types of certificates may be required. In addition, administrators often have more than SSL certificates to manage. Administrators often need to manage code signing certificates, Adobe CDS certificates, user certificates, and managed PKI certificates in addition to SSL certificates. Certificates in an Environment A perk that many organizations take advantage of is purchasing certificates in bulk, rather than buying a certificate just when they need one. In fact, this is a suggested working practice at larger organizations and government entities. The only drawback is frost.com 9
  • 10. Frost & Sullivan accounting for those certificates. How long has a certificate been deployed? Where is it deployed? Has it been copied to multiple servers? When is its expiration date? How many certificates are left? What is its crypto-strength? These are all questions administrators have when trying to figure out what certificates are in their environment. Unexpected Expiration of Certificates In cases where a digital certificate can stop business operations, a question that comes to mind is, “How could this slip by?” A prime example of a mishap like this occurred in 2010, when the Target.com gift-card site was shut down because it gave a warning that the connection was not trusted. 6 The cause of this incident was an expired certificate. The problem, however, is challenging to avoid since in the absence of a failsafe process to renew a certificate (deploy a new certificate to replace the expiring certificate), the incumbent certificate will expire and potentially cause an outage. Maintaining Required Encryption Levels The strength of encryption in a SSL certificate can be broken up into two categories. A session key is created in the process of a user requesting information from a Web server. Public/private encryption strength is determined when the certificate signing request (CSR) and private key are created. 7 Depending on the level of sensitive data being accessed or processed, an administrator will have to change the encryption strength. However, effective December 31, 2013, 2048-bit key strength will be mandatory for publicly trusted SSL certificates. Complying with Security Policy or Regulations As legislative regulations and company security policies evolve, the need to make these changes in a timely manner is crucial to avoid potential fines or outages. For example, if the encryption levels of certificates on several servers need to be increased on a certain date due to a change in policy, having a tool that automatically sends a notification to administrators of when the change is needed and where the certificates reside helps to ensure organizational compliance. Risk of Data Breach The possibility of a data breach is always on the minds of IT administrators. In addition, a customer accessing an organization’s encrypted website expects that any data entered and transmitted will be safeguarded with proper encryption levels. If the encryption levels of certificates in place do not meet required levels, they can be targeted and cracked by criminals. 6 Schuman, Evan. "Target.com Blocked, SSL Certs Blamed." Web. 10 February 2012. http://storefrontbacktalk.com/securityfraud/target-com-blocked-ssl-certs-blamed 7 “SSL Details.” SSL Shopper. 10 January 2012. http://www.sslshopper.com/ssl-details.html 10 frost.com
  • 11. Easing the Pains of Certificate Management Selecting a Certificate Authority—Balancing Value and Trust Based on the size of a potential customer and budget limitations, customers are not only looking for the best bang for their buck. They are also looking for a company with a reputable track record with high-assurance certificate offerings. Trust is critical when choosing a CA. For example, if an organization needs switch out of their certificates due to a trust issue with a CA, the expense of certificates, the manpower and the time involved to transition makes this a painful process for organizations. With the talks of commoditization in the SSL certificate market, CAs are relying on their track record and the facts behind that reputation to win over customers. While price points are a major topic of discussion, value features such as types of certificates, helpful tools, and customer service also come into play when a customer makes a decision on choosing a CA provider. ENTRUST MEETS TODAY’S CHALLENGES Entrust is a highly respected certificate authority that focuses on offering only high- assurance SSL certificates, OV and EV, at the enterprise level. With a focus on the enterprise, Entrust is aware of and develops solutions for enterprise-class business needs. This has earned the company a reputation as a highly respected certificate authority and garnered sales in the market. As a result, Entrust currently has the second-largest market share in the total CA market and in the issuance of high-assurance certificates. Figure 2—High-Assurance (Organization and Extended Validated) Certificates Issued Market Share 8 High-Assurance (Organization and Extended Validated) Certificates Issued Market Share 8 8% Symantec 28% Entrust Others* 64% *Others category includes more than 10 other companies that issue high-assurance certificates 8 Ibid., p. 7. frost.com 11
  • 12. Frost & Sullivan Comprehensive Management Platform and Discovery Solutions Given the challenges that its customers face when it comes to managing all types of certificates, Entrust has raised the bar to develop a comprehensive solution that has the ability to discover and manage all certificate types. The cloud-based CMS enables organizations to efficiently manage their Entrust certificates through: • Administrative delegation and workflow • On-demand services • Audit and reporting tools • A strong verification process • A flexible subscription model Entrust CMS includes a discovery component that eases some of the pain of knowing what certificates are in an organization’s environment. This enables organizations to effectively create an inventory list of their certificates, regardless of certificate type or vendor, but it does not allow management of the certificates. A separate solution, called Entrust Discovery, takes certificate discovery a step further. Entrust Discovery provides organizations with the ability to manage certificate life cycles, regardless of certificate type or vendor, through expiration notifications, inventory lists and policy alerts. This avoids compliance problems, application outages, and management headaches. Figure 3—Certificates Found with Entrust Discovery 9 Certificates Found with Entrust Discovery 9 Miscellaneous CAPI Certificates Certificates Code-Signing Laptop MS CAPI Other—Cold Backups Desktop MS CAPI Entrust Discovery Server All Certificates • Email expiry notifications Certificate Types SSL Server • Policy violations MS CA • Reporting Any CA • Custom data • Single Certificate Interface Source: Entrust 9 “Entrust Certificate Discovery.” Entrust. 10 January 2012. http://www.entrust.net/discovery/index.htm 12 frost.com
  • 13. Easing the Pains of Certificate Management Flexible Deployment and Subscription Model Entrust offers CMS and Discovery as SaaS cloud solutions, enabling immediate deployment, automatic updates, high availability, excellent performance, and included silver-level support. Entrust also offers an Enterprise model that allows organizations to host the Discovery component on-premise with complete control over their data and application version. The two Discovery deployment models provide an organization with the flexibility and security that fits them best. Figure 4—Entrust Discovery Deployment Models 10 Entrust Discovery Deployment Models10 Service Model Enterprise Model • Immediate Single • Customer deployment E-mail Expiry Certificate premises Notifications Interface • Automatic • Complete manager control updates Policy Custom over data Violations Data • Deployment • Application in secure version environment Reporting control Source: Entrust Entrust also provides its customers the choice of pooling concurrent licenses or non-pooling subscription models. Pooling provides organizations the ability to purchase concurrent licenses and revoke a certificate, returning it to the license repository, with the ability to re-purpose the license as long as the certificate is valid. Non-pooling gives organizations the ability to purchase certificates in terms of unit years. This gives organizations control over certificate purchases, depending on business needs and budget requirements. 10 Ibid., p. 12. frost.com 13
  • 14. Frost & Sullivan Personalized Sales and Service Entrust has proven in competitive situations that it can offer enterprises high-level certificates to effectively secure their lines of data transfer. Entrust CMS resolves the problems of finding where and what certificates are in an organization’s environment, effectively managing certificate term periods, and offers a compelling balance of value and trust. With a customer renewal rate above 98 percent and best-in-class customer support, Entrust has continuously proven to be a trusted security brand. Trusted Security Brand With approximately 40 percent of Fortune 500 companies using Entrust’s solutions, the company has built a reputation of developing around the needs of the enterprise and addressing those needs efficiently and effectively. The company provides competitively priced solutions without sacrificing quality. Entrust understands that trust is at the core of any security technology, and with consistent 30 percent year-over-year growth, Entrust’s solutions and services are clearly valued by its customers and the security industry. THE FINAL WORD As the methods criminals use to create breaches continue to grow, organizations must be able to secure all lines of data transfer. While it is fairly simple to implement a certificate into an organization’s environment, managing hundreds to thousands of certificates can be difficult. If an application outage occurs due to an expired certificate, the resulting loss of traffic can cost an organization hundreds of thousands to millions of dollars. The need to know where all certificates are implemented, the ability to change encryption levels to comply with regulations, and the ability to manage those certificates must be done efficiently. A comprehensive solution from a trusted vendor with a focus on delivering best-in-class digital certificates is ideal for organizations facing these challenges. Entrust has proven to be a top-ranked certificate authority that focuses on the needs of the enterprise. The company’s continued efforts in developing solutions for enterprise business needs led to the creation of Entrust CMS. Frost & Sullivan believes Entrust CMS is a complete solution that provides customers with a high-value service without a high price tag. 14 frost.com
  • 15. Silicon Valley San Antonio London 331 E. Evelyn Ave. Suite 100 7550 West Interstate 10, 4, Grosvenor Gardens, Mountain View, CA 94041 Suite 400, London SWIW ODH,UK Tel 650.475.4500 San Antonio, Texas 78229-5616 Tel 44(0)20 7730 3438 Fax 650.475.1570 Tel 210.348.1000 Fax 44(0)20 7730 3343 Fax 210.348.1003 877.GoFrost • myfrost@frost.com http://www.frost.com ABOUT ENTRUST: Entrust provides identity-based security solutions that empower enterprises, consumers, citizens and websites in more than 4,000 organizations spanning 60 countries. Entrust's identity-based approach offers the right balance between affordability, expertise and service. With more than 125 patents granted and pending, these world-class solutions include strong authentication, physical and logical access, credentialing, mobile security, fraud detection, digital certificates, SSL and PKI. www.entrust.net ABOUT FROST & SULLIVAN Frost & Sullivan, the Growth Partnership Company, partners with clients to accelerate their growth. The company's TEAM Research, Growth Consulting, and Growth Team Membership™ empower clients to create a growth-focused culture that generates, evaluates, and implements effective growth strategies. Frost & Sullivan employs over 50 years of experience in partnering with Global 1000 companies, emerging businesses, and the investment community from more than 40 offices on six continents. For more information about Frost & Sullivan’s Growth Partnership Services, visit http://www.frost.com. For information regarding permission, write: Frost & Sullivan 331 E. Evelyn Ave. Suite 100 Mountain View, CA 94041 Auckland Dubai Mumbai Sophia Antipolis Bangkok Frankfurt Manhattan Sydney Beijing Hong Kong Oxford Taipei Bengaluru Istanbul Paris Tel Aviv Bogotá Jakarta Rockville Centre Tokyo Buenos Aires Kolkata San Antonio Toronto Cape Town Kuala Lumpur São Paulo Warsaw Chennai London Seoul Washington, DC Colombo Mexico City Shanghai Delhi / NCR Milan Silicon Valley Dhaka Moscow Singapore