Over the past several years, high-impact cybersecurity breaches have disrupted the operations of government agencies, global businesses, and the very infrastructure on which our way of life depends.
But not all risk is malicious. Downtime and lapses also occur due to internal failures. Digital infrastructure is complicated, and something as simple as an undocumented certificate can bring operations to a screeching halt.
Either way, digital trust suffers. Not only do these incidents cost significant resources to remediate, but they also inflict reputational damage that lingers long after the issue has been resolved.
The World Economic Forum (WEF) defines digital trust as “individuals’ expectations that digital technologies and services — and the organizations providing them — will protect all stakeholders’ interest and uphold societal expectations and values.”
Building a digital ecosystem worthy of digital trust relies on the assurance that devices, applications, and data are accurate and secure from threats. Like Zero Trust and AI, digital trust is a concept enabled by technology.
In this blog, we’ll talk about the technological elements that make digital trust possible.
Public Key Infrastructure
Public Key Infrastructure (PKI) is the cryptographic ecosystem governing the issuance of digital certificates. These certificates protect sensitive data, secure communications, and provide digital identities for users, devices, and applications.
PKI creates a hierarchy of trust. Certificates are issued by intermediate certificate authorities (ICAs), and those ICAs ladder up to the root certificate authority. In large organizations, ICAs are dedicated to particular digital functions. For example, DevOps might have its own CA.
Digital certificates are present in practically every business process. They secure websites and email clients, IoT devices and applications of all kinds, and much more. According to Keyfactor’s 2024 PKI & Digital Trust report, the average organization uses over 80,000 internal certificates at any given time.
A few factors make PKI tough to manage at scale.
- Niche expertise
Most organizations lack a dedicated PKI team. Commonly, PKI and certificates are managed by IT, security, or infrastructure teams. These technicians rarely have niche PKI knowledge, and manual processes exacerbate the potential for user error. - A lack of ownership
Even though the teams named above may be administering PKI and certificates, there is no larger vision or centralized governance for PKI. This results in teams using certificates to procure their own solutions and create their own less-than-secure processes. - Low margin of error
It only takes one expired certificate to knock entire systems offline. This makes the discovery, tracking, and management of certificates a high-stakes practice.
Innovations like AI, IoT, and quantum computing introduce new use cases and risks to the business while spurring greater certificate volumes. Therefore, sub-par PKIs become harder to manage and modernize.
Finding the right partners will be key to executing effective, scalable PKI strategies. Proper tool selection will give teams true visibility into the certificate landscape and position them to do PKI right without burning out.
Secure Shell Protocol (SSH)
Secure Shell Protocol (SSH) is a cryptographic network protocol that allows devices to operate securely over unsecured networks. In other words, it secures remote connections to the network. They also allow machine-to-machine sessions that make automation possible.
SSH does so through public key cryptography – automatically creating public-private key pairs to encrypt network connections. Safeguarding and properly managing these keys is crucial to building digital trust.
Organizations use a lot of SSH keys. It’s common to find 50 to 200 keys on a server or a million SSH keys in an organization. Without a management strategy, attackers can compromise these keys to gain high levels of access and circumvent security controls. From there, they can inject fraudulent data, subvert encryption software, deploy malware, or outright destroy systems.
Discovering all SSH keys in the IT environment is vital to protecting them. Legacy and orphaned keys must be accounted for, and the trust relationships of every SSH key pair must be mapped. Once this is done, organizations can audit their SSH implementation to find weaknesses and shore up processes. Keys that use weak encryption algorithms or provide unnecessary root access must be updated.
Code Signing
Code signing is a cryptographic process that grants a stamp of authenticity to a piece of software. Developers digitally sign apps, software, or embedded firmware with private keys to prove the code originates from a legitimate source and hasn’t been tampered with.
Without code signing, or without secure code signing, users may inadvertently download software from a malicious source. Code signing attacks allow attackers to compromise the software supply chain, so malicious software gets pushed out to thousands of users.
Today, Developers release new software and updates continuously. Balancing the speed of development with security best practices can be difficult, and embedding the code signing process within the existing software development lifecycle poses a challenge.
Code signing requires its own set of certificates and keys that are valuable targets for bad actors who can sell them on underground markets.
To secure the code-signing process, organizations must store code-signing keys on hardware security modules, rather than insecure locations like developer workstations or build servers. It’s also wise to restrict access to those keys to a limited number of authorized users. Segregating duties among these users can drastically reduce the potential for damage if a code-signing key is compromised.
Transport Layer Security
Like SSH, Transport Layer Security (TLS) is a cryptographic protocol that protects data as it travels from one user to another over the internet. In the address bar of your internet browser, the small padlock icon indicates that data sent to and from that website is protected by TLS.
TLS protects sensitive information like passwords, credit card numbers, browsing habits, and more from being intercepted by bad actors. Though TLS is practically a given for websites, it’s less common (though advised) in securing internet-involved processes like email.
TLS certificates are internet-facing and interact with many third-party applications (e.g., web browsers). Therefore, they have to meet the standards of the entities they must interact with. For example, Google Chrome flags certificates that are configured with lifespans longer than 90 days, or that use an outdated hashing algorithm like SHA-1.
Those who keep their PKIs updated with the latest best practices will prove more resilient and trustworthy in facing the digital future.
Certificate Lifecycle Automation (CLA)
Recall that certificates and PKI are typically managed by IT, security, or infrastructure teams. Not only do these teams lack deep PKI knowledge, but they must juggle PKI alongside their primary responsibilities.
Given the explosion in certificate volume and the ongoing cybersecurity labor shortage, manual certificate management processes don’t scale and exacerbate conditions that lead to team burnout.
Certificate lifecycle automation returns significant bandwidth to these teams and practically eliminates the chance of an outage. A proper certificate lifecycle management (CLM) platform solves many problems in one fell swoop.
- Proactive discovery and logging gather a complete inventory of all certificates in the IT environment — even untracked, undocumented certificates that lie hidden, waiting to expire.
- As a universal hub for all certificates, a CLM platform gives teams total visibility across the certificate landscape in one tool. With this visibility, they can create and drive policies that support secure certificate practices.
- With all certificates in one place, teams can start automating the lifecycle of their certificates. This creates the potential never to experience an expired certificate again.
The DNA of digital trust
Digital certificates, keys, and cryptography will continue to serve as the technical DNA of digital trust for the foreseeable future. When leveraged properly, these tools can insulate organizations from the threats of AI, quantum, and compliance.
No matter what, these seismic shifts in technology are coming. Organizations that invest in flexible, resilient PKI policies will be poised for success in the near future.
Ready to learn more? Check out Keyfactor’s 2024 PKI & Digital Trust Report.