How to manage digital certificates (ahead of AWS refresh)

Companies have until 5th March 2020 to update their AWS database instances with new digital certificates or they will stop running.

In IT, it’s essential to have trust that whatever you are interacting with is actually what it claims to be.

Digital certificates are essentially used for authentication purposes, since they prove that the owner is who he claims to be. If the certificate is in place and can be trusted, then the asset or application can be trusted too.

However, they aren’t static. They have to be created, kept up to date and managed over time. They act as the gateway for each device from being authenticated to being authorised, to validate encryption, to ensure confidentiality on VPNs, and to prove the integrity of data or the identification of an application server. As every device or application that interacts can have its own certificates over time, they can be considered almost like a parallel universe to IT.

Making a change to a certificate can therefore have a big impact on IT later, as it can either break a process or lead to issues with applications working. For example, the 14th of January 2020 was the deadline for many sysadmins around using old certificates for their database instances.

PwC and ICAS issue chartered accountants with digital certificates on blockchain

According to PwC, issuing credentials on blockchain could significantly reduce employers’ screening costs.

While new instances will have the new certificates as standard, older ones have to be updated with new certificates to run in the AWS cloud.

As part of this, all certificates would need to be rotated and the instances rebooted. If this work is not carried out, then the services will fail on the 5th of March 2020.

For many teams, these interruptions to services would cause the most pain. The downtime and restart would eat into customers’ ability to use the service, leading to lost revenue. Others pointed out they expected certificates to be managed for them as part of their use of the cloud. This attitude – which I consider to be wrong from a hygiene and change management process standpoint – should be worrying to the security professionals working in these organisations.

Planning ahead around security certificates

As digital certificates play a crucially important role for ensuring the identity of the server or application to the connecting clients, any change in this area should be carefully evaluated, understood, and performed after a conscious decision. However, it can be easy to take these steps for granted when automation and orchestration is involved. The fact that

certificates are important as elemental building blocks for IT means that they should get more attention, not less.

Naturally, orchestration for managing these certificates is grounded on other capabilities such as the visibility of a very diversified digital environment. This visibility is challenging by itself, as it can be difficult to keep track of all the changes taking place across IT. However, without this accurate list of certificates, it is hard to understand what changes are needed, let alone automate the process for keeping those certificates updated.

Alongside the ability to track the changes in the number of certificates, another element that is needed is situational awareness around those certificates over time. This allows you to have the situation under control about where and when digital certificates are expiring or where actions need to be taken. By getting alerts with a large enough amount of notice, you can plan ahead around taking proper remedial action consciously. Alternatively, you can see the impact that any change may have in advance.

For applications, a security certificate change may cause a brief downtime window. However, planning ahead around this can lead to less downtime than a missed certificate expiring. Users are more likely to understand and forgive something that has been planned ahead, compared to an unplanned outage with no notice.

Certificate management: Remember to enforce PKI lifecycle automation

Companies need to enforce PKI lifecycle automation, says Shwetha Sankari, as she considers certificate management.

Controlling your digital universe of certificates

To get ahead around certificates, the first step is knowledge. This involves understanding how many certificates you have in practice, where they are used and for which purpose, and finally how secure the underlying configuration is. The proliferation of digital environments in the cloud will be based on a range of different assets from database instances, storage buckets and application components through to identity and access management instances, virtual private clouds, and multiple network groups.

Whatever environment you have in place, this list of certificates and their status can help you plan ahead for the future. Ideally, this comprehensive observational base can help you instantly take action by drilling down to the details around a certificate that needs work to avoid missing an expiration date. Alternatively, it can help show where leaving a weak configuration in place is a risk for a business critical application.

Once you have this visibility in place, you will have to work to keep it up to date. For teams managing cloud environments with thousands of certificates in place, this will call for continuous visibility and assessment. Over time, you can keep track of certificates and ensure that these essential elements remain up to date and unobtrusive, keeping the rest of your IT running and trusted.

Written by Marco Rottigni, chief technical security officer EMEA at Qualys

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at stubbenedge.com

Related Topics

AWS
Digital Certificates