An ever-growing trend in authentication cybersecurity is the replacement of credential-based authentication with certificates. Credentials are simply incapable of protecting a secure network. According to the 2019 Verizon Data Breach Investigations Report, 29% of 2019 network breaches involved the use of stolen credentials.
When it comes to securing authentication communications and ensuring a user-friendly experience, certificates are miles ahead of credentials. Click here to read how a SecureW2 client upgraded their authentication security with certificates.
For admins, certificates present more involved processes when it comes to configuration and distribution. Certificates require many tools to operate successfully; foremost of which is the PKI Certificate Authority (CA). A Managed Cloud PKI can be the key to implementing an effective certificate security strategy. Below we have compiled many best practices to follow when configuring and implementing an effective CA.
What Is A Certificate Authority?
A certificate authority is an entity that distributes digital certificates. Certificates signed by the CA are trusted by different groups for various purposes depending on the type of CA. In simple terms, CAs make sure everyone communicating with a certificate is who they say they are.
There are two primary types of CAs in common use: Public Certificate Authority and Private Certificate Authority. A public CA issues certificates for public-facing operations. These CAs are trusted by browsers and ISPs for secure communications between websites. The most common place you will see a public CA certificate is to certify website communications and enable HTTPS.
A private CA issues certificates for internal use. They are far more limited in scope compared to public CAs because they are used for private communications and not trusted publicly. Of course, this is the benefit of using a private CA because it is near impossible to replicate the private key to gain unauthorized network access. Some of the typical uses of private CA certificates are for certificate-based authentication to Wi-Fi networks, VPN, web applications, and more.
SecureW2 specializes in providing PKI services to enable organizations to switch from credentials to certificate-based authentication. The following are some best practice tips for running a private CA on your network to ensure a smooth transition to setting up a CA and effective management throughout your certificate usage.
IT Training
While everyone encounters certificates on a daily basis with actions such as accessing HTTPS websites, they are less common for authentication to Wi-Fi networks. As a result, many IT network admins aren’t familiar with managing the certificate lifecycle and lack the proper training to manage the certificate lifecycle without proper training.
The certificate lifecycle requires a level of oversight during every stage of the process and requires configuration and management that is much different compared to credentials. Preparing IT for the processes involved and providing an effective management software that can oversee certificate distribution, connection errors, tie certificate identity to a device and user, and revoke certificates with ease is a must.
Protect The Root Certificate Authority
In the certificate chain of trust, the Root Certificate Authority is the first level which signs every certificate in that private CA. Having a signature from the root CA indicates that a certificate can be trusted and used on the network.
It is absolutely vital that the root CA is protected. If it is somehow breached, every certificate will need to be replaced because the root CA signature can no longer be trusted. An effective strategy is to host the root CA offline and protect it with an Hardware Security Module (HSM) so it is near impossible for anyone to access that is not authorized to do so.
Prepare An Onboarding Strategy
Manual configuration of certificates is a poor strategy for any organization with a large number of users. The manual process is difficult for end users due to the high level technological concepts involved; there are many opportunities for misconfiguration, and requiring IT to configure every user’s device is far too time-consuming.
Some of the most visible benefits of certificates is their strong security and user-friendly operation. Manual configuration can negate both of these benefits. A well-designed onboarding software can provision users’ devices with certificates easily and configure them correctly to gain maximum user experience and security advantages.
Customize Certificates For Network Segmentation
One of the greatest assets of certificates is how customizable they can be. Especially when it comes to authentication of network users, certificates can be customized for a huge variety of policy and security settings.
A customization that many organizations have found success with is the implementation of Zero Trust policies. Zero trust is the philosophy that users should only have access to resources they need. This limits risk of sensitive data being breached by outsiders. Certificates allow for easy network segmentation so each user group has no ambiguity as to which resources they should be accessing.
An Effective CRL
Within any network, situations occur where certificates need to be revoked. If they are not, it could lead to unauthorized users obtaining network access. By implementing an effective Certificate Revocation List (CRL), any user that is removed from the network will have certificates that cannot access the network.
Beyond just implementing a CRL, it must be properly managed by utilizing both a Delta and Base CRL. The base CRL is the list containing all revoked certificates and is updated at wider intervals. The delta CRL is updated frequently and contains all certificates that are revoked in between base CRL updates.
Prepare For Certificate Expiration
An easy mistake to make is forgetting to watch over when certificates expire. If a client certificate expires before they expected, it is an issue but it isn’t catastrophic. At most, it could lead to an IT support ticket, but they can be quickly reissued a certificate.
A serious issue can arise when a server certificate or certificate protecting sensitive resources expires. This can result in a significant backup in authentication requests or leave a security opening for outside attackers to exploit. An unseen certificate expiration was one of the primary factors that led to the Equifax breach of 2017 where 147 million people had their personal information exposed. It’s important to have a system in place that mitigates the risk of certificates expiring unnoticed.
Make Certificate Authority Management A Priority
Replacing credentials with certificates across your network is an excellent step into the future of cybersecurity. But effectively implementing multiple certificate authorities requires planning and active management.
Organizations like SecureW2 provide all the tools needed to successfully integrate certificates with existing network infrastructure. They can quickly have your network ready to provision devices with certificates and offer robust management software to oversee every step in the certificate management lifecycle.
Check out SecureW2’s pricing page to see if our certificate authority solutions can take your cybersecurity to the next level.
