Global Public Cloud market size is expected to reach $488.5 billion by 2026 as per a research study conducted by www.businesswire.com and there will be a predicted 16% CAGR market growth during the forecasted time period. This triggers the immediate need to shift our focus on “Cloud Security”. Let’s deep dive into the Public Key Infrastructure (PKI) in Amazon Web Services (AWS) Cloud.
Let us understand PKI in AWS
ACM stands for AWS Certificate Manager. Just like any Certificate Manager, ACM provides convenient options for cloud service users to create, manage and deploy public and private SSL/TLS X.509 certificates and keys. These certificates provide authentication of identity of websites as well as private resources and protection for sensitive data hosted on Amazon Web Services platform. AWS services supported certificates can be provided either by directly issuing with ACM or by importing third party certificates to ACM management system.
Services offered through ACM in AWS
Amazon provides two options for customers to deploy SSL/TLS X.509 certificates. Depending on the business requirement customers can choose from the below options.
ACM Certificate Manager (ACM) – This service is targeted for customers who need secure web existence using TLS certificates. ACM deploys certificates using AWS services – Amazon CloudFront, Elastic Load Balancing, Amazon API Gateway, and other integrated services. Enterprises with secure public website with significant web traffic can prefer this certificate management service
ACM Private CA – This service is most suited for small and medium enterprise customers who desire to build their own Public Key Infrastructure (PKI) with in AWS Cloud and projected for private use within the organization. Within private CA users can create their own CA hierarchy and issue certificates for authenticating internal users, applications, services, devices etc.Note : Certificates issued using Private CA cannot be used on internet
Tailored Cloud Key Management Services
Get flexible and customizable consultation services that align with your cloud requirements.
Public certificates provided by ACM have the characteristics described in this section. These characteristics only apply to certificates provided by ACM and might not apply to certificates imported to ACM:
Serial No.
Characteristics
1
Domain Validation (DV)
ACM Certificates are domain validated. Subject field of an ACM Certificate identifies a domain name. Ownership can be validated using email or DNS
2
Validity Period for Certificates
13 months
3
Managed Renewal and Deployment
Automatic renewal and provisioning of certificates by ACM
4
Browser and Application Trust
ACM certificates are trusted by all major browsers including Google Chrome, Microsoft Internet Explorer and Microsoft Edge, Mozilla Firefox, and Apple Safari. ACM Certificates are also trusted by Java
5
Multiple Domain Names
Each ACM certificate must include one Fully Qualified Domain Name (FQDN) and additional names can be added further
6
Wildcard Names
ACM allows to use an (*) asterisk in domain name to create an ACM certificate that can protect several sites in the same domain
7
Algorithms
Public key algorithms supported by ACM:
2048-bit RSA (RSA_2048)
4096-bit RSA (RSA_4096)
Elliptic Prime Curve 256 bit (EC_prime256v1)
Elliptic Prime Curve 384 bit (EC_secp384r1)
AWS Certificate Manager Pricing
Public SSL/TLS certificates provisioned through AWS Certificate Manager are free of cost. Customer needs to pay only for AWS resources created to run application/services.
ACM Private CA is priced along two stages
Monthly fee of $400 for each ACM private CA until it is deleted
Customer pays a one-time fee when certificates are issued from ACM Private CA
Please visit Amazon Web Services portal for more details: www.aws.amazon.com
If your organization is looking for implementation of AWS Certificate Authority, please consult [email protected] for further information.
Certificate Manager is a service that helps to manage and deploy secured public and private digital certificates such as Secure Socket Layer/Transport Layer Security (SSL/TLS) for cloud based services and connected resources. Certificate Manager provides a security repository of private keys, certificates and prevents outages during certificate expiry by providing push notifications. Certificate Authority acts as a trusted third party for requestor and receiver of certificates.
Why to encrypt data in Cloud?
As per Thales Data Threat Report 2020, out of all the organizations surveyed, half of the overall organizational data (50%) is now stored on Cloud environment. 47% of all participating organizations confirmed that they experienced data breach or failed a compliance audit during a past one year.
*Source: Global Cloud Tipping Point: The 2020 Thales Data Threat Report
Companies are using multi-cloud environments in each category of Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). Below are the statistics from the survey:
More than one IaaS vendor – 81% of the participants
More than one PaaS vendor – 81% of the participants
Managing more than 100 SaaS apps – 11% of the participants
As per the above respondents who are using multiple cloud environments, 100% of them have some data in cloud which is unencrypted. This raises a serious concern regarding data security and also creates a definite threat for data privacy compliance violation as per latest General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and PCI DSS etc. To avoid the outages and vulnerable situations many organizations are now opting for encryption in cloud.
Tailored Cloud Key Management Services
Get flexible and customizable consultation services that align with your cloud requirements.
What are the benefits of using Certificate Manager in Cloud?
Using Certificate Manager in cloud environment helps in tackling multiple problems related to data security. Providing data security helps organizations to be in compliance with laws and regulations such as GDPR, CCPA etc. Other benefits of using Certificate Manager in cloud include:
Secure certificate and key management: Private keys used in certificates are protected and managed using Certificate Manager. Keys are encrypted and best practices are ensured for key management
Protect and secure cloud apps with SSL/TLS: Data in transit of cloud apps can be protected by configuring SSL/TLS. This process ensures data is communicated/transferred between trusted entities only.
Avoid certificate outages: Certificate expiry causes business outages. Certificate Manager issues notification on expiry due date for public facing or internal certificates
Compliance with laws and regulations: Violating compliance regulations can cause severe damage to brand reputation and creates financial loss. Using dedicated certificate manager and enabling encryption can help in avoiding such circumstances.
If your organization is looking for implementation of encryption technologies in cloud environment, please consult [email protected] for further information.
Secure Socket Shell (SSH), also known as Secure Shell, for convenience, is a popular protocol that operates on the principle of public key cryptography. Primarily used to secure private transactions, they are leveraged to institute authentication on both the server-side and client-side. It is important to note that the Secure Shell is used to encrypt data flowing to and from a remote system. Some typical use-cases of this kind of cryptography include system-to-system file transfers, remote logins into computer systems, and automated server access without having to manually log in.
One of the biggest benefits of SSH Keys is their resilience against cyber exploits, such as brute-force attacks, given that passwords are not required to be exposed over the web in the transaction. It also features most of the key capabilities of PKI and fundamentally works on the principle of public-private key pairs.
To the uninitiated, SSH Keys and x.509 certificate-based authentication (which also involves public and private keys) might seem similar, but in truth, they could not be any more different.
SSH Keys vs x.509 Certificates – Key Differences
While x.509 certificates rely on digital certificates and issuing bodies (Certificate Authorities) to sign private keys, SSH Keys are not governed by any institution. They are created, circulated, and used within transacting partners and organizations, and can be managed without any external interference.
That aside, they also possess functionality that their counterparts don’t – the ability to enable remote access to systems. On the other hand, TLS certificates cannot provide that sort of functionality on its own, unless deployed alongside other protocols like FTP.
Risks associated with SSH Keys
The absence of a governing body presents a veritable challenge in managing SSH keys – a lack of organization. SSH Keys are generated based on need, and when ad-hoc processes govern the issuance of these keys, there’s bound to be key sprawl. This means keys are discarded once they are declared useless or vulnerable, and a lack of inventory renders them difficult to keep an eye on – considering the fact that large organizations may possess hundreds of thousands of SSH keys on file. However, their presence on the server makes them possible back-doors to potential hackers, which can then be abused to conduct data espionage, theft, or breaches.
Key rotation, another important function, is often ignored by administrators. A stale key presents a weak link to malicious actors, which can, again, be abused to exploit network resources.
Tailored Encryption Services
We assess, strategize & implement encryption strategies and solutions.
If you do not possess organizational directives toward SSH key handling, it would be in your best interest to institute one now. Enforcing strict policy, exercising audit tracking, and possessing full control and visibility into the SSH key infrastructure can go a long way towards bettering the cyber health of the org. Automation of management is also an excellent way to do this – there are tools available that can actively manage and automate the entire SSH key lifecycle. In the meantime, here are some best practices you can start following immediately to take your cybersecurity up a notch.
Gain Complete Visibility
Only by finding and locating the keys on your system can you protect them adequately. Run periodic discovery scans across your network with an appropriate tool to locate and inventory all SSH keys. Once this is done, map them with the endpoints they are tied to, and tag them with all the information an administrator would need while dealing with them, such as passcodes
Rotate Keys Regularly
Stale SSH keys present a golden window of opportunity to hackers who may try to crack their passcodes and infiltrate the server. Set up policy that enforces regular generation, re-keying, and rotation of SSH keys, and ensure that all stakeholders are duly notified when this happens. Care must be taken NOT to reuse passcodes, and to use fresh credentials each time. Automating this process in large organizations can save several man-hours and significant operational costs.
Enforce Audit and Policy
Create org-wide policy, and ensure that operations/IT personnel adhere to it – For instance, policies on regular key rotation. Furthermore, make liberal use of audit trails using specialized software, in line with industry regulations, to maintain tabs on the use, reuse, and application of all your SSH keys.
Create Role-based Permissions
Prohibit access and modification of SSH Keys or their credentials by all the personnel in your team(s). Use directory services to provide different levels of privilege for each user category, to prevent haphazard control and promote audit trail.
Avoid the Use of Hard-coded Keys
When SSH keys are built-into or packaged with software applications, they present a dangerous security vulnerability. Why? Since they’re governed by passphrases, a carelessly issued SSH key with a weak passphrase may be the weak link in an application that hackers could potentially exploit, compromising the integrity of the entire applications. Ensure that SSH keys are centrally managed by a dedicated management system.
If you’d like professional assistance with setting up a scalable SSH key management system, feel free to reach out to us at www.encryptionconsulting.com, and to discover the capabilities of an SSH key lifecycle management and automation tool and how it can fit into your IT processes, visit https://www.appviewx.com/products/cert/
A hardware security module (HSM) is a physical computing device that protects and achieves strong authentication and cryptographic processing around the use of digital keys. Through an isolated, tamper-proof environment, these devices are built to create and secure cryptographic keys, protect critical cryptographic operations, and lastly enforce implemented policies over the use of these keys. HSMs can come in various forms: PCI e-cards, USB tokens, and network attached appliances are all common.
The Rise of Hardware Security Modules
Organizations have begun realizing the importance of HSMs. The global deployment rate of these devices has risen from 26% in 2012 to 41% in 2017 according to the 2018 Global Encryption Trends Ponemon Institute Research Report. With technology’s ever-changing environment, organizations must keep up to be successful. These changes can lead an organization down two paths. One may lead to growth and prosperity, but the other may lead to destruction and despair.
Growing Concerns:
Cyber-Warfare
Data Privacy Regulations
Mobile Payments
Internet of Things
Organizations from all industries are being affected by their data management through encryption or key management. HSMs can offer organizations the ultimate security.
Securing Data using Hardware Security Modules
Hardware Security Modules boasts many impressive features and administrative functions.
HSMs:
Generate Encryption Keys
Store Keys
Crypto Operations Processing
Restrict Access only for those Authorized
Federal Information Processing Standard 140-2 Levels 3 or 4
For a key generation, an HSM uses a true entropy-driven, hardware-based Random Number Generator, usually built to compliance to level PTG.2 of the BSI Specifications AIS20 and AIS31, and as pertains to Hash_DRBG from the NIST SP 800-90A. Secure Private and Secret keys can only be generated by data returned by such DRBGs (Deterministic Random Bit Generator).
Whether the stages of lifecycle from creation, import, usage, rotation, destruction, and auditing, the HSM maintains protection over encryption keys to ensure data is never exposed. Once the keys are created and stored in the HSM, authorization will only be allowed through a series of key cards and passphrases to gain access, as most HSMs provide support for both multi-factor authentications, and can require access via the “4-eyes” principle.
Risks of Software-only Cryptography
For those that choose to bypass HSMs, software-only cryptography is the next option. However, those choosing software-only cryptography must understand the risks that come with this decision
The two types of attacks on Software-only Cryptography:
Logical Attacks –
mainly involving an attack on main memory or discs in servers to locate the crypto keys
Vulnerability during stage operations in server memory.
Core Data Dump
Accessible by Passphrase
Physical Attacks –
the removal and scanning of old hard drives or memory.
Technicians have forcibly removed and frozen hardware to locate cryptographic keys
How does an HSM protect against these two specific threat vectors? The protected secrets never exist outside the HSM, and inside the HSM only ever exist ‘in the clear’ during use, and while inside protected RAM (CPU cache memory, with code running in the cache memory also). Any data-at-rest on the device will be AES256 encrypted. And FIPS 140-2 Level 3 and higher HSMs will react to environmental changes such as temperature (higher or lower than normal), changes in the electrical feed (over- or under-voltage), and Level 4 HSMs extend this protection to the physical, and will erase themselves if the HSM hardware is damaged.
Security Compliance & Regulations
While organizations face many different drivers to encrypt data, fifty-five percent of organizations have said compliance with privacy and data security requirements is their top driver according to the 2018 Global Encryption Trends Ponemon Institute Research Report. Universally, countries are beginning to set a standard for privacy, for those organizations handling sensitive information. Those who wish to ignore these regulations and laws will be at the mercy to hefty fines.
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health (HITECH)
The Payment Card Industry Data Security Standard (PCI-DSS)
The Future of Hardware Security Modules
In today’s environment, organizations must adapt to the new digital world. By deploying HSMs, organizations will be laying out the foundation for enterprise encryption and key management. Your cryptographic keys and digital identity will have maximum security. Whether dealing with Public Key Infrastructure (PKI), Document Signing, Code Signing, Key Injection, or Database Encryption, HSMs will provide the utmost security with respect to cryptographic keys now, and in the future.
To most people, the term ‘encryption‘ goes hand-in-hand with PKI, and rightfully so. PKI, or more commonly, SSL/TLS certificates and keys, have been in use for over two decades, securing channels of communication by providing end-to-end encryption of data-in-transit. Enterprises have typically employed x.509 certificates across their entire IT infrastructure to protect information belonging to them, and more importantly, their customers. The fact remains that the value of a robust, leak-proof PKI system cannot be understated. After all, history has demonstrated that a single certificate going offline can snowball into literally costing a firm millions of dollars.
Back to the present – the phenomenon of digital transformation is in full bloom, and manual processes are continuously being automated across the board. This means more devices and virtual services are being added to networks – these are endpoints that have to be protected by installing certificates on them. More importantly, x.509 certificates are not a fit-and-forget solution. Once a certificate is installed on, say, a server, it has to be continuously monitored for issues, renewed when its validity expires, and replaced with a new one. Here’s a quick rundown of the activities a PKI expert might have to perform while managing the life cycle of a certificate.
As is apparent, managing certificates using manual processes is not a simple task. Several teams follow a manual, ticket-based approach to certificate management, which works on an ad-hoc basis. While the obvious problem with manual management is the fact that handling thousands of certificates can be awfully error-prone, unreliable, and time-consuming, there are also some hidden downsides:
Inefficient Policy and Audit Mechanisms: A lack of granular control over who modifies or generates certificates/keys does not allow for reliable audit tracking or homogenous policy enforcement across the network.
Clouded visibility: Building on the former pain-point, siloed processes severely limit visibility into trust structures, which could lead to far too many certificates going undocumented. This makes it painful to locate and maintain a certificate in order to prevent its unexpected expiry.
Insecure private key storage: Holding private keys in unsecured locations (plain text documents, as opposed to HSMs, for instance) opens up an enterprise to possibilities of data theft or breaches by means of man-in-the-middle attacks. The human element involved in manual management is also a constant risk factor.
These downsides are usually circumvented by implementing structured certificate management processes from day 1, and ensuring that all ops teams are equipped with ample visibility and control over their PKI. Automate the manual processes to remove the margin of error, and you’ve got yourself a foolproof security infrastructure to handle your encryption needs.
Certificate Management
Prevent certificate outages, streamline IT operations, and achieve agility with our certificate management solution.
And in order to do that, you’d do well in following some industry-standard best practices. The official ones are detailed in the NCCoE-published guide on the NIST recommendations for TLS certificate management. However, if you’d like a quick, distilled summary of the de-facto mandated principles to be followed while managing TLS certificates, here are our top 5 best practices for certificate lifecycle management, in no particular order:
Obtain Visibility
Ensure that you always have a handle on every certificate in your inventory. This entails periodically scanning the network to identify CA-issued certificates and mapping them to the endpoints they’re installed on. While this also greatly simplifies future certificate ops, it also helps administrators weed out orphaned, expired, or otherwise insecure certificates.
Ideally, subnet scans must be performed to located certificates and host names. Care must be taken to perform well-controlled scans by batching the subnet list and implementing cooling periods between scans, so as to avoid network load. Hint: Schedule scans overnight or during periods of low network traffic for the best results!
Maintain Inventory
It doesn’t stop with scanning! Care must be taken to ensure that the results of the scan are stored, or updated in your existing inventory. Categorization of discovered certificates plays a major role in simplifying operations. For instance, you may choose to group certificates based on whether they’re used in test, or production environments.
You may also want to group them based on owner hierarchy to simplify tracking and alert escalation. Finally, ensuring that policy is implemented uniformly across groups is imperative, but we’ll get to that.
Enforce Policy
While organizational policies might already be in place, as mandated by NIST, what you require is a means by which policy can be enforced via automation. For example, you may choose to define renewal mechanisms for certificates to be automatically renewed when they are past 80% of their validity periods. Such rule-definition capabilities for policy enforcement enable you to quickly recover from potential disasters.
For ex: If you have contracts in place with backup CAs, and mechanisms to automatically implement a bulk replacement, you hedge yourself against the risk factor of a CA compromise.
Protect Private Keys
Regardless of the method used to store private keys (HSMs, software vaults, keystores, or even files), your #1 priority should lie in removing the human element from the key management exercise. When you prevent individuals from having direct access to private keys, you eliminate the possibility of theft, and make it simpler to track down potential compromise. This state of automated key orchestration is achieved by leveraging automation workflows to push certificates and their keys to network endpoints. And when key access is absolutely necessary, a role-based, privileged approach must be followed.
That said, additional layers of security never hurt anyone. Instruct your teams to make conscious efforts to encrypt keys at rest, and protect critical data by means of instruments adhering to the FIPS 140-2 standard.
Enable End-to-end Monitoring
Despite having a fully automated certificate management process, PKI infrastructures have to be constantly monitored for weak links. What you need is a system that ties into every aspect of your certificates across multiple CAs and network security/automation software. Dashboards that track expiry and redundancy are incredibly handy, as are notifications sent to certificate owners prior to expiry.
Another way to drill down on the monitoring/maintenance cycle is to schedule reports on the status of certificate groups that reach only their owner(s). This serves the purpose of keeping teams informed on statuses, as well as eliminating noise.
As a security stakeholder or a member of a Sec/Net/DevOps team that deals with TLS certificates and keys, it would be in your best interest to ensure that your organization adheres to these guidelines, if you haven’t done so already. As they say, better safe than sorry – every single certificate may be that one weak link in an otherwise solid security setup. Preventing certificate outages is a lot simpler than dealing with them afterward. Good luck!
If you need assistance with setting up and managing your PKI, feel free to reach out to us at www.encryptionconsulting.com, and to learn more about implementing full-fledged, scalable certificate lifecycle automation systems within your organization, visit appviewx.com.
Validating and trusting an identity is one of the most important aspects of Cyber Security. Public Key Infrastructure is one of the oldest security tools for issuing digital identities. An organization’s PKI creates a security ecosystem as the center of trust by issuing digital certificates for all systems.
Security leaders today often struggle with the modernization of their PKI by their in-house teams. Many organizations have PKI’s that were built prior to the advent of cloud, IoT, and DevOps. Add to this the growth of connected devices and use of multiple applications by an organization and you have a PKI that needs to be overhauled and reconstructed.
In order to meet proper security measures and the organization’s scalability objectives, many PKI’s must be re-designed from the ground up. Once re-built, the PKI must be maintained with care using industry best practices and processes.
Because re-building a PKI can be very complex depending on the systems, people and certificates that comprise its fabric, a security leader will usually find the project to be a costly expense. Any areas or subsets of the PKI that can be simplified, managed and maintained by a trusted third party should be explored. The goal of the PKI is to attain trust by issuing and managing digital certificates within a structured environment.
This is why Encryption Consulting has launched a cloud-hosted PKI as-a-Service. Encryption Consulting’s cloud-hosted PKI-as-a-Service will allow your organization to meet current compliance and regulation quickly and without a major investment of people, systems, and processes. We will start by gathering all of your business and data security requirements. This will enable us to design your PKI to meet 100% of your business requirements including the full lifecycle of your key management.
The experts from Encryption Consulting* will handle all day to day maintenance of your PKI. You and your team will continue to own the full PKI operations. Today, it is imperative to have a properly built PKI to effectively defend your organization from cyber-threats and meet current and upcoming privacy and data security regulations. Encryption Consulting will allow your organization to accomplish these feats and more with our managed PKI as-a-Service.
Enterprise PKI Services
Get complete end-to-end consultation support for all your PKI requirements!
We will launch a dedicated PKI that will meet all requirements and demands for your organization for the present and future.
Expert Management
24/7 Monitoring by PKI experts that will manage and monitor your PKI in the cloud.
Complete Security
PKI built-in a maximum secure environment aligned with the highest security standards and policies rather than in-house.
Seamless Deployment
Deployment can be done much quicker for your organization by not having to install or purchase any hardware or software
Decrease Operation Complexity
Our experts will handle all the heavy lifting of the complexity of PKI.
Increase Scalability
Our solution integrates your current and upcoming applications in your PKI such as IoT, DevOps, and the Cloud.
Return on Investment and Fewer costs
With no purchases necessary on software and hardware, costs will be significantly lower. Teams will be able to focus on other aspects while we fully handle PKI.
Full Ownership
Encryption Consulting runs the PKI on a daily basis but your organization maintains full command.
This firm is a leading financial services provider recognized for its innovative approach to data protection and commitment to maintaining the confidentiality and integrity of client financial information. Operating in a highly regulated industry, the company employs innovative security measures and complies with stringent financial regulations to safeguard assets and data.
Despite these strengths, the firm faces challenges in its code signing practices. Lacking a streamlined and secure code signing process undermines the security of its software deployments, exposing critical systems and client data to potential vulnerabilities. This shortfall presents a pressing need for improvement to maintain trust and uphold its reputation for security.
Challenges
Theft of Code Signing Keys
Private code signing keys can be a juicy target for cyber attackers. Improperly protected keys are dangerous. Stealing private code signing keys allows intruders to disguise malicious software or malware as authentic code. Worse, there are limited revocation mechanisms in code signing systems, which makes the threat of stolen private keys even worse. When keys or digital certificates are poorly managed and stored, it opens the door to attackers, letting them steal the private keys of the trusted user.
Developer productivity
By integrating code-signing into DevSecOps, organizations can automate security checks, foster collaboration between developers and security teams, and enable continuous improvement throughout the development lifecycle, ultimately leading to secure and reliable software.
Compliance Requirements
Secure code signing provides an audit trail. DevSecOps embraces transparency and accountability. Signed artifacts facilitate compliance with regulatory requirements. For example, a company must comply with a regulation that mandates data security. Signed code provides an audit trail that can show the software hasn’t been tampered with.
Performance Requirements
Code Signing plays an important role as it can enable the identification of legitimate software versus malware or rogue code. Digitally signed code ensures that the software running on computers and devices is trusted and unmodified. Software powers your organization and reflects the true value of your business.
Protecting the software with a robust code signing process is necessary for performance without limiting access to the code, assuring this digital information is not malicious code and establishing the author’s legitimacy.
Lack of timestamping
Lack of timestamping was a major issue with this organization, which can lead to a detrimental security posture. Without time stamping, expiration/revocation of code signing certificates would lessen customers’ confidence in the same software product. Timestamps make sure that even if certificates lose their validity or are revoked for some reason, their signatures remain valid, secure, and trusted.
Timestamps prevent replay attacks. It occurs when an attacker records a transaction and then replays it later. It also plays a crucial role in securing blockchain, which ensures all transactions are valid and the blockchain remains secured. This enables easier tracking and prevention of fraudulent activities.
Enterprise Code-Signing Solution
Get One solution for all your software code-signing cryptographic needs with our code-signing solution.
CodeSign Secure stores private keys in FIPS 140-2 validated HSMs (such as those of Entrust, Thales, etc.), fortifying key security. This enabled the protection of code signing keys from theft or misuse, which was one of the organization’s top concerns.
With CodeSign Secure, developers can produce code signing keys seamlessly without using special tools. A delicate balance was struck between ensuring security and impeding developer productivity.
The security team can customize access levels based on project type, acceptable risk, and request source. CodeSign Secure simplified compliance reporting, eliminating audit pain points. It helped manage access to code signing keys, and meeting compliance requirements was critical.
By generating file hashes and transmitting them, along with private key alias names, to the Hardware Security Modules (HSMs), we achieved signature generation directly from the HSM in just 2ms. This met stringent performance requirements, such as signing a file within 4ms.
We have implemented a robust logging mechanism in CodeSign Secure, capturing all requested data for each code signing request. This met the need for comprehensive logging, including timestamps, client IP addresses, file hashes, HSM-generated signatures, and certificate names.
Impact
CodeSign Secure stores private keys in FIPS 140-2 Level 3 compliant validated HSMs (such as those of Entrust, Thales, etc.), fortifying key security. By storing private keys in Hardware Security Modules (HSMs), CodeSign Secure provides additional protection against theft and misuse, bolstering the overall security posture.
With CodeSign Secure, developers can produce code signing keys seamlessly without using special tools. A delicate balance was struck between ensuring security and impeding developer productivity.
It enabled security teams to tailor access levels based on project requirements and acceptable risk levels. Additionally, streamlined compliance reporting simplified regulatory adherence and enhanced audit efficiency, ensuring industry-standard compliance.
By generating file hashes on the client side and transmitting them, along with private key alias names, to the Hardware Security Modules (HSMs), we achieved signature generation directly from the HSM in just 2ms. CodeSign Secure’s rapid 2-millisecond signature generation, exceeding the 4-millisecond requirement, not only met performance standards but also saved valuable time for the team, optimizing their workflow for critical software development tasks.
We have implemented a robust logging mechanism in CodeSign Secure, capturing all requested data for each code signing request. Through this detailed logging mechanism, CodeSign Secure ensured transparency by tracking code signing requests, data integrity via file hashes, and security analysis by including HSM-generated signatures and certificate names.
Conclusion
CodeSign Secure from Encryption Consulting revolutionized code signing for a leading financial services company. It provided unprecedented security by safeguarding private keys and allowing granular access control. Simultaneously, it empowered the client’s development teams by streamlining workflows and enhancing productivity.
The robust auditing capabilities further strengthened their security posture and ensured compliance with industry standards. Furthermore, it enabled a single platform for all code signing use cases, which includes Windows signing, apple signing, Linux signing, Docker and Container Image signing, and firmware code signing for the organization. In addition, it enabled integrity checks, compliance with the CA/B forum, and security enhancement.
This healthcare institution is a well-established provider in the medical sector, offering a broad range of services that include primary care, specialized treatments, and emergency response. It is recognized for its commitment to patient care and medical innovation. The institution houses innovative medical equipment and is staffed by highly trained medical professionals. The institution operates several clinics and hospitals, serving a diverse community focusing on accessibility and comprehensive healthcare.
Despite its many strengths, the institution faces significant challenges in its data protection strategies. It lacks robust mechanisms to safeguard patient data effectively, leaving sensitive information vulnerable to breaches. The absence of advanced encryption practices, insufficient staff training on data privacy, and outdated IT infrastructure contribute to potential risks in data security. These shortcomings threaten patient confidentiality and the institution’s compliance with healthcare regulations like HIPAA (Health Insurance Portability and Accountability Act), which mandates strict standards for protecting health information.
The institution is aware of these vulnerabilities and is evaluating and integrating stronger data protection measures. These include adopting more secure data encryption technologies, comprehensive training programs for all staff on data privacy, and overhauling their IT systems to include more modern and secure solutions. This initiative aims to enhance the trust and safety of their patients and ensure compliance with national and international data protection standards in healthcare.
Challenges
Health Information Exchanges
HIEs ( Health Information Exchanges) need to receive and send data to and from doctors, insurance companies, and patients. Securing these transmissions and ensuring that the information is sent using appropriate digital channels can be difficult. This may be fruitful for attackers who intend to steal sensitive information relating to patient data.
User Error in Technology Adoption
At times, healthcare professionals may be so busy that they do not have the time to invest properly in learning how their technology works. Other healthcare professionals may not be computer savvy. Regardless of the reasons, it is easy for users to make mistakes as they adapt to new technologies.
The Rise of Hacktivism
Hackers or intruders often target healthcare organizations because they are after the sensitive data flowing through the organization or the organization’s money. Those involved with hacktivism may select to hack a healthcare organization just to drive home a particular point. For example, attackers may hack a healthcare organization because they disagree with the hospital’s patient treatment decision.
Adoption of Mobile and Cloud Technology
While mobile and cloud technology can make it convenient to manage healthcare IT systems efficiently, they can also present certain security risks. For instance, if a cyber attacker were to steal a doctor’s password or mobile device, they may gain access to a vast payload of sensitive information of the users.
Outdated Technology
Much of older technologies have already been breached by cybercriminals. Some healthcare organizations, for instance, are full of outdated technology that is simply too expensive to replace. As older technologies may have vulnerabilities that have not been patched by the most recent security upgrades, outdated technology can be easier for an intruder to penetrate easily.
Tailored Cloud Key Management Services
Get flexible and customizable consultation services that align with your cloud requirements.
Gained an understanding of the sensitive data flow around data management platforms and integrated customer data sources, eliminating the lack of documented data security requirements.
Encryption Consulting evaluated existing data control capabilities and identified areas of improvement. This eliminated the lack of regular updates to data classification and handling policies.
Encryption Consulting created technical and governance data security requirements applicable to various data platforms, which eliminated the need to review data protection use cases.
The organization also developed technical and governance data security requirements for various data platforms, eliminating the lack of a well-defined implementation roadmap for data protection technologies.
Impact
Gained an understanding of the sensitive data flow around data management platforms and integrated customer data sources. This documented and consolidated data security requirements.
Encryption Consulting evaluated existing data control capabilities and identified areas of improvement. This enabled future implementation roadmap plans for Data Protection technology landscapes.
Encryption Consulting created technical and governance data security requirements applicable to various data platforms. This enabled a periodic review process for the data protection framework.
Conclusion
Encryption Consulting’s implementation of enhanced data protection strategies has significantly bolstered this healthcare institution’s security framework. By gaining a comprehensive understanding of sensitive data flows and integrating robust encryption technologies across its data management platforms, the firm has markedly improved its ability to safeguard patient information against potential cyber threats. This strategic overhaul addressed the institution’s previously outdated technology and insufficient data protection mechanisms, leaving patient data vulnerable.
The consultancy’s rigorous evaluation of the institution’s data control capabilities led to vital improvements in data classification and handling policies, ensuring these align with the latest security standards and healthcare regulations like HIPAA. Additionally, creating specific technical and governance requirements has standardized data security practices across various platforms, enhancing overall security posture.
Moreover, developing a well-defined roadmap for implementing data protection technologies has prepared the institution for sustainable security management, enabling periodic reviews and updates to its data protection framework. This proactive approach mitigates the risk of data breaches and unauthorized access and strengthens the trust of patients and partners in the institution’s commitment to data security and patient confidentiality.
In conclusion, Encryption Consulting’s intervention has transformed the institution’s data protection strategy, ensuring a high level of security that supports its mission to provide safe, accessible, and innovative healthcare services.
This retail organization is a prominent player in the global market. It operates a vast network of stores that offer a wide range of consumer goods, from clothing and electronics to groceries and home essentials. With a significant online presence, the company has also built a reputation for convenience, customer service, and competitive pricing. It employs thousands worldwide and is committed to sustainable and ethical business practices.
Despite its success and scale, the organization has encountered challenges in managing its Public Key Infrastructure (PKI), crucial for securing its extensive digital transactions and communications. The company struggled with assessing and deploying its PKI systems, which are vital for the encryption and digital signing of sensitive data. This shortfall has posed data integrity and security risks, potentially impacting customer trust and business operations.
The issues primarily stemmed from outdated PKI technology that could not adequately support the scale of digital transactions processed daily. Additionally, the lack of skilled personnel familiar with modern PKI solutions hindered these systems’ effective upgrade and management.
The company recognized these vulnerabilities and has initiated efforts to overhaul its PKI framework. It aims to integrate advanced security measures, train staff on cutting-edge technologies, and establish a robust PKI system that aligns with current cybersecurity standards to protect customer data and maintain its market leadership.
Enterprise PKI Services
Get complete end-to-end consultation support for all your PKI requirements!
Structured and well-considered planning is one of the best practices for PKI deployment. Well-defined planning will not only help an organization keep track of its certificates, but it will also decrease the security risks to the PKI.
Once the system has been in place for a while, and if it has not been built in a structured manner, your organization can easily lose track of what certificates have been issued. Many organizations do not pay attention to or know the number of certificates they have, their expiry dates, where to find them, etc. The consequences of such mismanagement range from failed audits to certificate and key misuse that can ultimately compromise an organization’s systems.
Not allocating skilled internal resources
The most prevalent mistake when deploying PKI is underestimating the needed resources. Running an in-house PKI requires effort, time, and money. A dedicated team with skilled resources is required to run the show. The PKI team should have sufficient resources and skilled owners who can lead and respond effectively to an outage or security incident.
Security of the Root CA
The security of the Root CA must be well-considered. In PKI deployments, all trusts come from the Certificate authority (CA). The CA issues the Root Certificate, which ensures the cryptographic keys’ validity to verify the authentic identities. The root CA is the foundation of trust for every certificate issued across the organization’s environment. If you cannot trust your root CA, you cannot trust your PKI.
As per security guidelines, specifying who can obtain the certificate and when the certificate will be revoked is crucial for establishing and maintaining trust in Certificate authorities and avoiding PKI deployment mistakes. A regular audit of relevant certificate authorities is required to ensure that the certificate practice statements (CPS) are implemented correctly and avoid any network risk.
Bad Certificate Lifecycle Management
Another PKI deployment mistake is a lack of forward planning for managing the entire certificate lifecycle.
Poor handling of expired certificates may cause outages and significant expenses. Automating certificate renewals may help in this case. If the organization is making a manual effort, then monitoring the expiry of certificates is a must.
Not storing certificates and keys Securely
Hackers can use various techniques to analyze and detect keys while they are in use or transit. Ensuring the keys are stored securely under FIPS 140-2 level 3 systems is necessary.
Solutions
The current PKI infrastructure is assessed using the PKI Assessment. A new PKI service based on Microsoft ADCS 2016 R2 was also designed. This mitigated the issue of Root CA expiry and the deployment of root CA on ADCS 2008, which is nearing the end of its support.
CP and CPS documents were created while consolidating issuing CAs from 9 to 4 ICAs. This mitigated the organization’s lack of CP/CPS policy and lack of documentation and procedures.
Installation and configuration of HSM for storing CA and ICA keys, along with creating Key Ceremony procedures and defining roles and responsibilities for Key management, mitigated the issue of loss of HSM keys to the Root CA and lack of proper roles and responsibilities defined for PKI custodians.
Implement PKI hierarchy with offline Root CA and 4 Issuing CA’s connected to four domain forests.
Validate the existing Certificate templates and create new Certificate templates to meet existing and upcoming Digital certificate requirements. Use the existing HTTP server and LDAP for CDP (CRL Distribution Point).
Impact
It helped the organization by providing a well-defined PKI system.
The PKI Assessment and deployment defined people, processes & technology to manage PKI infrastructure.
It also led to consolidating and removing redundant ICA’s, thus reducing infrastructure and maintenance costs.
The PKI Assessment and deployment even provided the required information to the auditors.
This particular assessment and deployment of PKI enabled the support for new digital certificates demands such as MDM, VPN, and IoT requirements.
It enabled the issuance of valid certificates for existing internal-facing web apps and a valid certificate chain.
Conclusion
Implementing Encryption Consulting’s PKI Assessment and Deployment proved transformative for this retail organization, effectively addressing its previous challenges in managing its Public Key Infrastructure. The retail firm has significantly improved its data integrity and security measures by redesigning the PKI systems with a modernized structure and enhanced security protocols. This overhaul included consolidating issuing Certificate Authorities, implementing a new PKI service based on Microsoft ADCS 2016 R2, and establishing rigorous Key Ceremony procedures, which have streamlined the management of digital certificates and keys.
AWS has been architected to be one of the most flexible and secure cloud computing environments available. Designed for a scalable, dependable platform, this enables customers to deploy applications and data securely and rapidly. Organizations are continuously moving their infrastructure and applications to cloud service providers.
However, security issues play a significant role in making the migration decision. Today, organizations lack clarity on available options for hosting crypto keys in the cloud. For Amazon Web Services, AWS provides two services of crypto key management on their cloud, AWS Key Management Service (KMS) or AWS CloudHSM.
AWS Cloud HSM
AWS CloudHSM is a cloud-based hardware security module that is customer-owned and managed. AWS CloudHSM acts as a single-tenant on hardware restricting it from being shared with other customers and applications. Organizations can utilize AWS CloudHSM for those wanting to use HSMs for administering and managing the encryption keys, but not having to worry about managing HSM Hardware in a data center.
AWS CloudHSM allows FIPS 140-2 Level 3 overall validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys. Complete control is given for users how keys are used through an authentication mechanism separate from AWS.
AWS CloudHSM supports multiple use cases including the following: management of Public/Private key pairs for Public Key Infrastructure (PKI), Code & Document Signing, storing private keys for various services such as database, storage and web applications, storing keys for DRM solution. AWS CloudHSM will allow your organization to meet compliances of key management requirements with the use Hardware Security Modules supervised by AWS with the ability to incorporate multiple platforms to store keys.
Below is the table which summarizes the AWS Cloud HSM Crypto Properties
Tenant
Single-Tenant
Standard
FIPS 140-2 Level 3 Common Criteria EAL4+( supported by cloudHSM
classic older model)
Master Keys
Master Key HSM
Crypto Key types
Symmetric – AES (Modes supported CBC, GCM and ECB)
Asymmetric – RSA, ECC
Hashing – SHA-256, SHA-512, RSA, ECDSA
API Support
PKCS11
OpenSSL
JCE
Crypto next generation (CNG)
Access Authentication/Policy
Quorum based K of N principle
Key Accessibility
Can be accessed and shared across multiple VPC
High Availability
ADD HSM in Different Availability Zones
Audit Capability
CloudTrail
Cloud Watch
MFA support
Tailored Cloud Key Management Services
Get flexible and customizable consultation services that align with your cloud requirements.
AWS KMS allows for your organization to create and control keys for cryptographic operations. This includes key generation, storage, management, and auditing when in the process of encrypting/decrypting or digitally signing data for applications or across AWS services. AWS KMS allows ability of complete security through managed encryption keys across AWS platforms.
Centralized key management gives the user a central point of control for managing keys and defining access policies throughout all integrated AWS services. With AWS KMS, you will have the ability to create a customer master key (CMK) generally known as a master key, use a master key, create and export a data key encrypted by a master key, enable/disable master keys, and audit the usage of master keys in AWS CloudTrail. AWS incorporates Master keys and Data keys.
The Master key will not leave the AWS KMS service in an unencrypted form. With AWS KMS, specific access policies can be set for only trusted users that can use CMKs. In AWS KMS, Bring your own key (BYOK) feature is available to import your own key material into that CMK, however, the imported key material is supported only for symmetric CMKs in AES-256-XTS keys in PKCS#1 standard format. AWS KMS can be paired with AWS CloudHSM cluster to create the key material for a CMK that can be managed by AWS KMS service.
Below is the table which summarizes the AWS Key Management Service Crypto Properties
Tenant
Multi-Tenant
Standard
FIPS 140-2 Level 2
Master Keys
Customer Owned Master key
AWS Managed Master Key
AWS owned Master key
Crypto Keys
Symmetric
Asymmetric AES in XTS mode only
Crypto API
AWS SDK/API for KMS
Access Authentication/Policy
AWS IAM Policy
Key Accessibility
Accessible in multiple regions (Keys outside the region in which
created cant be used)
High Availability
AWS Managed Service
Audit Capability
CloudTrail
Cloud Watch
AWS KMS And AWS Cloud HSM
AWS CloudHSM provides single tenant key storage giving FIPS 140-2 Level 3 compliance. CloudHSM allows full control of your keys such including Symmetric (AES), Asymmetric (RSA), Sha-256, SHA 512, Hash Based, Digital Signatures (RSA). On the other hand, AWS Key Management Service is a multi-tenant key storage that is owned and managed by AWS.
AWS KMS allows supports Customer Master Keys for symmetric key encryption (AES-256-XTS) and asymmetric keys (RSA or elliptic curve (ECC). If your organization’s key management strategy for encryption will be running a singular cloud service provider for now and for the foreseeable future, then AWS KMS will provide the simplest environment to maintain. However, if you are planning on taking advantage of multiple cloud providers but do not wish to maintain the HSM’s, AWS CloudHSM may be the solution for your organization to allow for encryption keys separated from the data of the other platforms that are being utilized.
