Cyber security is a field both deep and broad with a large number of complicated facets. As no one can be an expert in all things, it can sometimes be difficult even for experienced security professionals to know where vulnerabilities are in the system.

That’s where risk assessments come in; they can help you identify problems that need to be addressed. The problem is that risk assessment tools aren’t always straightforward or easy-to-use.

That’s why we’ve put together this guide to help simplify the process for you. Using four basic questions, you can quickly identify if there’s cause for serious concern regarding your PKI management. While this guide won’t be comprehensive, it will certainly help you begin the risk management process for your system’s security.

1. How Do You Manage Keys and Certificates?

A business’s PKI may start with a single key and a handful of certificates, but it won’t end there. As the company grows, so will its online presence, and a larger digital footprint requires more certificates to secure. Depending on the size of the website, a company can quickly accumulate 10,000 certificates or more.

That’s a lot of information to keep track of, and how you track it makes a big difference. There are usually two approaches: you’re either using unsophisticated tactics like tracking it yourself in a spreadsheet or trusting your CA to do it, or you’re using a trustworthy third-party solution. If your solution is the former, you’re making a big PKI management mistake.

2. Who Requests Keys and Certificates?

This question is like playing golf: the fewer the better. Ideally, your PKI management will be centralized and under the jurisdiction of a single department. The more departments that are authorized to request keys and certificates from a CA, the more difficult your PKI will be to manage, and the more likely you are to experience problems with self-issued certificates.

3. How Often Do You Rotate Keys and Certificates?

Most professionals who know enough about PKI to request a certificate know that they should be rotated. The problem is that they’re not usually rotated often enough, and few are aware that they should be rotating keys. Best practice is to change both in less than six months. If you’re hanging on to either for longer than a year, you need to reevaluate your PKI policies.

4. Do You Automate?

Humans are prone to error, and the more we interact with something, the more likely we are to produce one of those errors. Automating the requesting, tracking, and renewal of certificates and keys cuts down on human error, which is why the practice is so strongly recommended.

If you’re not automating any part of your PKI management, you should be on the lookout for issues and vulnerabilities caused by negligence or ignorance.

If any of these questions gave you pause, then you need to take a closer look at your PKI management. A more thorough risk assessment by industry experts will help you pinpoint issues that need to be addressed. Get started today and ensure the security of your company.

via:  tripwire