Recommendations for Security and Risk Management Leaders when it comes to PKI

Define ownership of people (PKI subject matter experts, DevOps teams and other application owners), process and tools (i.e., X.509 certificate management).

Determine whether the incumbent PKI or external SSL/TLS certificate providers offer X.509 certificate management solutions or tools. At a minimum, discovery tools should be used to determine the scope of the X.509 environment, covering known and unknown certificates that exist in the environment.

Understand at least the known number of X.509 certificates in the environment. If this number exceeds 100, then certificate management solutions and other tools should be implemented to mitigate risks.

Understand compliance requirements and ensure that PKI technology, processes and people are in compliance. Key management is critical in the context of PKI: how private keys are protected, what identity proofing schemes are in place, what validation policies are required for issuance of certificates, how revocation is handled, and so on.

Implement automated certificate discovery and renewal/management tools that minimize the risk of unplanned expiry and ensure policies are met. Manual and automatic certificate management should be leveraged to attribute accountability and ownership of X.509 certificates within organizations. Security and risk management (SRM) leaders must recognize that not all discovery solutions are perfect; therefore, some certificates might remain undiscovered.

Investigate full life cycle certificate management tools over discovery-centric tools when dealing with large, complex, multivendor certificate environments, especially in multiple-certificate-based enterprise use cases such as mobile and IoT. As security leaders formalize plans to add mission-critical use cases, formalized and more holistic X.509 certificate management will transition from a “nice-to-have” to a “must-have.” As dependence on X.509 certificates increases, so does the impact of an operations or security incident. Security leaders can increase operational efficiency and security by using full life cycle management tools for complex environments.

Ensure that X.509 certificate operations and management are a part of the overall cybersecurity incident response plan to better prepare for security incidents that relate to deprecated cryptographic algorithms and/or CA compromise. Ultimately, this is to minimize the impact and downtime in the event of a certificate issuer compromise, critical vulnerability exposure, suspected compromise or attack.
