Security certificate maintenance – there must be a better way

Over the last few years, I’ve seen numerous instances where well-maintained systems run by organizations with good operational records have fallen over because a security certificate expired.

Just last week, Google Mail went down for a significant time when its certificate chain broke (note Google’s use of SHA-1 internally, but that’s a whole other issue). Gmail is a service that is core to an increasing percentage of the population, schools and businesses. Most people likely believe that Google’s operations are well run and world class, yet it stumbled in the same way I’ve seen many others stumble before.

Organizations need a reliable and rigorous way to track their certificate chains, one that proactively warns them before a certificate expires, since repairing a broken chain can take hours. Certificate management involves many critical tasks, and ignoring or mishandling any one of them can set the stage for web application exploits or system downtime.

These certificates (which contain the keys) are the cornerstone of the organization’s cryptography-based defense. As the market-facing application portfolio of an organization expands, the number of certificates will also expand, and the key chains can get longer with more convoluted interrelationships (especially if they are not planned and are just allowed to evolve). Additionally, the suite of certificate products from vendors can be confusing. There are different levels of validation offered, numerous hash types, key lengths and warranties (which actually protect the end users, not the certificate owner). It can be difficult to know what type of certificate is required for a particular application.

CSS-Security put out this high-level video about certificates and why they’re blooming in organizations (there is an ad at the end of the video about their product to help with certificate management).

Most companies still manage their certificates via a spreadsheet or some other manual process. That may be fine when you’re just getting started, but it can quickly spiral out of control, and addressing the problem may involve costs that are simply not understood.

There are products and approaches for enterprise certificate management. Automation tools can scan a network and collect information on every discovered certificate. They can assign certificates to systems and owners and manage automated renewal. These products can also check that a certificate was deployed correctly, so that an old certificate is not still being served. Automated tools are only part of the answer and will still require some manual intervention.
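The kind of proactive expiry check described above, as an added example that is not from the original post or from any vendor’s product: a small Go program that parses a deployed PEM bundle, reports the days remaining for every certificate in the chain, flags anything under a warning threshold, and verifies the chain both today and on a future date, so that an intermediate about to expire is caught before it takes the service down. The root, intermediate and leaf (Demo Root CA, Demo Intermediate CA, mail.example.test) and the 20-day intermediate lifetime are constructed for the demo; a real deployment would feed it the bundles collected from its servers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is one row of the expiry report.
type CertStatus struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int
	Warn     bool
}

// ParsePEMChain decodes every CERTIFICATE block in a PEM bundle (leaf first, then intermediates).
func ParsePEMChain(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	rest := bundle
	for {
		block, remaining := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = remaining
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("bad certificate in bundle: %w", err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks in bundle")
	}
	return certs, nil
}

// ExpiryReport lists days left for every cert in the chain and flags any below warnDays.
// Every link matters: an expired intermediate breaks the chain even when the leaf is fine.
func ExpiryReport(certs []*x509.Certificate, now time.Time, warnDays int) []CertStatus {
	report := make([]CertStatus, 0, len(certs))
	for _, c := range certs {
		days := int(c.NotAfter.Sub(now).Hours() / 24)
		report = append(report, CertStatus{c.Subject.CommonName, c.NotAfter, days, days < warnDays})
	}
	return report
}

// VerifyChain checks that certs[0] chains to root through certs[1:] as of the given time.
func VerifyChain(certs []*x509.Certificate, root *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range certs[1:] {
		inters.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

var serial int64 // constructed serial numbers for the demo certs

// issue creates a cert signed by parentKey (self-signed when parent is nil). Demo helper only.
func issue(cn string, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildDemoChain builds a constructed chain: 10-year root, intermediate expiring in 20 days,
// 300-day leaf. It returns the PEM bundle a server would deploy (leaf + intermediate) and the root.
func BuildDemoChain(now time.Time) ([]byte, *x509.Certificate) {
	day := 24 * time.Hour
	root, rootKey := issue("Demo Root CA", now.Add(3650*day), true, nil, nil)
	inter, interKey := issue("Demo Intermediate CA", now.Add(20*day), true, root, rootKey)
	leaf, _ := issue("mail.example.test", now.Add(300*day), false, inter, interKey)
	var bundle []byte
	for _, c := range []*x509.Certificate{leaf, inter} {
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return bundle, root
}

func main() {
	now := time.Now()
	bundle, root := BuildDemoChain(now)
	certs, err := ParsePEMChain(bundle)
	if err != nil {
		panic(err)
	}
	for _, s := range ExpiryReport(certs, now, 30) {
		fmt.Printf("%-22s expires %s (%d days) warn=%v\n", s.Subject, s.NotAfter.Format("2006-01-02"), s.DaysLeft, s.Warn)
	}
	fmt.Println("chain valid today:", VerifyChain(certs, root, now) == nil)
	fmt.Println("chain valid in 30 days:", VerifyChain(certs, root, now.Add(30*24*time.Hour)) == nil)
}
```

The point of running VerifyChain a second time at a future date is that the leaf looks healthy on its own (300 days left), but the whole chain stops validating the day the intermediate expires; that is exactly the failure the post describes, and it is the check a spreadsheet of leaf expiry dates never performs.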

When purchasing one of these certificate management tools, ensure that the software can manage certificates from all CAs, since some will only manage certificates issued from a particular CA.

The ‘Who Moved My Cheese?’ of Legacy Systems

Having recently gone through a personal disruption related to employment, I dusted off my copy of Who Moved My Cheese? After re-reading the book, I thought about how this applies to the life of the CIO and application portfolio management. We are all too often comfortable with the world we understand and the 80% (or more) of the budget it consumes, failing to Sniff out opportunities.

Recently there was a post, CIOs make the tough call on legacy systems by Mary K. Pratt, that delved into managing the layer upon layer of past project successes that build up and calcify an organization’s ability to respond; I found it a worthwhile read.

Even in this day of IaaS and SaaS, the basics of optimizing the application portfolio of an organization remain relatively unchanged. It comes down to where the organization is headed and an assessment of costs vs. value generation.

Organizations need to ask some fundamental questions like:

  1. What needs to be done and why?
  2. How is it going to be accomplished?
  3. What is the expected outcome?
  4. When will it be needed or done?
  5. How will we measure outcomes, so we can validate that the task is complete and effective?
  6. What resources will be required? ($$, people…)

Essentially, this is an assessment of leading and lagging indicators and of how the portfolio can support them.

A simple view of the assessment is summed up in this quadrant chart:

(Chart: Apps Portfolio Assessment, a cost vs. value quadrant)

I am sure there are other complex and wonderful interpretations of this, but to me this view is the simplest. Keep what adds value and has a low cost to operate. Refactor those programs (where possible) that have a high cost to maintain but also add high value. Validate the need for anything that delivers low value; you may be surprised how many of these you can turn off. Finally, replace those that have business support but a high cost.

In this age of automation, the concept of cost needs to be holistic and not just the IT maintenance costs. For a parody of Who Moved My Cheese? touching on automation, look to this Abstruse Goose illustration.

It is not hard to start, but it is constantly changing, so it may never be done.