Why is it that some security products sit in the corner collecting dust, while others get deployed across the enterprise? There are several non-technical reasons that play a role (management buy-in, excitement to use the product), as well as a number of technical reasons. This post will focus on the technical reasons that lead to some security products lacking widespread adoption while others thrive and see deployment across the enterprise.
3 Requirements For Full-Scale Deployment
Outside of functioning as designed and fulfilling its stated purpose, there are three qualities that a product must possess in order to have a high chance of being successfully deployed across an enterprise: it must be secure, fast, and easy.
Security is an obvious requirement for any enterprise product. A lack of security could mean a lack of compliance, which can have serious business consequences. What it means to be secure depends on the system in question, but, generally speaking, you should look to protect the confidentiality, integrity, and availability of the system.
In today’s world, users are accustomed to lightning fast operations. It doesn’t matter if it is watching a high-definition video on a plane, making an online purchase from a mobile phone, or modifying a shared document online, users demand speed. How fast your solution needs to operate depends on the nature of that solution, but a good general rule of thumb is that it shouldn’t be noticeably slower for an end-user than the alternative (i.e. having no solution in place). For a more accurate analysis, consider calculating the cost of delay for your particular situation.
When deploying a product enterprise-wide, it needs to be as easy as possible. Easy has three components to it: ease of deployment, ease of use, and ease of management and maintenance.
Sometimes, ease of deployment can be overlooked if the product provides a lot of value and it is very easy to use and manage. But, in general, one should look for products that are easy in all three respects. Without ease of use, your end-users are going to require lots of training, submit lots of help desk request tickets, and overall increase the total cost of ownership of the system. The same is true if a product isn’t easy to manage: it can create technical debt and make the product expensive to use, reducing potential for a return on investment.
Falling Short of All 3 Tenets: An Example
Multi-factor authentication (MFA) is a popular security control but it has not gained the level of adoption one might expect, given how long it has been around and the security benefits it provides. Not all companies use MFA, and those that do are not necessarily using it enterprise-wide.
Part of the reason for this is that MFA doesn’t satisfy all three requirements of widespread deployment. There is certainly an impact on performance, as the user has to complete the MFA process, but you could argue that this is a negligible inconvenience, as it only happens during authentication and it compensates for the minor delay with major security benefits.
The real failure happens on the ease of use and management. Integrating MFA into existing applications and processes can be very challenging. For example, traditional approaches for adding MFA to SSH require reconfiguring SSH servers and clients. Integrating MFA into applications almost always results in development work.
Additionally, the use of physical tokens can introduce management and training overhead. In fact, it is only in the semi-recent past, as companies and open source developers have released SDKs and applications that simplify the deployment of MFA, that enterprises have seen more widespread adoption of MFA.
Designing For Enterprise-Wide Deployment
The principles of Secure, Fast, & Easy are in Garantir’s DNA and these pillars guide everything we build. The most obvious example of this is in how we designed and built GaraSign.
Many enterprises lack central access and control over the keys that control the organization’s most critical systems: SSH, code signing, TLS, and more. GaraSign solves this problem by enabling enterprises to secure and store all cryptographic keys in an HSM, without impeding performance or disrupting existing processes.
GaraSign was designed to enable enterprises to store all cryptographic keys in a centrally-managed HSM. As the keys are never exported to clients, the keys remain secured from compromise. Furthermore, since access to the keys is proxied, GaraSign is able to enforce stricter security controls such as MFA, device authentication, approval workflows, IP address whitelisting, notifications, and more, on a per-user or per-key basis. Additionally, each key’s use can be easily audited from a central location.
With the keys locked away in a centrally-managed HSM, performance is a primary concern. The biggest performance degradation factors are network bandwidth consumption and HSM connection operations. To reduce the impact of network bandwidth, GaraSign is designed with a client-side hashing architecture. Additionally, GaraSign caches the HSM connections (and other connections, such as to the database) server-side, so that the performance impact of establishing connections is kept to a minimum. The result is that signing (and other cryptographic operations) is extremely fast, so fast that it is comparable to signing with locally-stored keys.
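The client-side hashing and proxied key access described above, sketched as an added example (not GaraSign's code or API): the client sends only a SHA-256 digest, and a hypothetical proxy checks policy, logs the request and signs. Assumptions: the `SigningProxy` and `client_sign` names, the toy RSA key standing in for an HSM-held key, and the sample user, addresses and artifact are all constructed for illustration.

```python
import hashlib, hmac

# Constructed toy RSA key built from two Mersenne primes: illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(digest):
    """EMSA-PKCS1-v1_5 padding applied to an already computed SHA-256 digest."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

class SigningProxy:
    """Hypothetical server: the private exponent D stands in for an HSM-held key."""
    def __init__(self, allowed_ips):
        self.allowed_ips, self.audit = set(allowed_ips), []

    def sign_digest(self, user, ip, mfa_ok, digest):
        # Per-request policy: source IP allowlist, MFA result, well-formed digest.
        ok = ip in self.allowed_ips and mfa_ok and len(digest) == 32
        self.audit.append((user, ip, digest.hex(), "signed" if ok else "denied"))
        if not ok:
            raise PermissionError("policy check failed")
        return pow(int.from_bytes(encode(digest), "big"), D, N).to_bytes(K, "big")

def client_sign(proxy, user, ip, mfa_ok, artifact):
    """Client hashes locally, so only 32 bytes cross the network."""
    digest = hashlib.sha256(artifact).digest()
    return proxy.sign_digest(user, ip, mfa_ok, digest), len(digest)

def verify(artifact, signature):
    """A verifier hashes the full artifact and checks it against the signature."""
    em = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    return hmac.compare_digest(em, encode(hashlib.sha256(artifact).digest()))

if __name__ == "__main__":
    proxy = SigningProxy(allowed_ips={"10.0.0.5"})        # constructed address
    artifact = b"\x7fELF" + bytes(2_000_000)              # constructed 2 MB "build"
    sig, sent = client_sign(proxy, "alice", "10.0.0.5", True, artifact)
    print(f"artifact={len(artifact)} B, sent={sent} B, valid={verify(artifact, sig)}")
```

The proxy never sees the artifact, only its digest, so the audit trail records who signed which digest rather than what the content was.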
In order to support deployments across a large number of use cases on any platform, GaraSign comes with all the cryptographic service providers needed for every major platform, plus some of the more esoteric ones for good measure. Additionally, GaraSign supports single sign-on (SSO) with common identity platforms.
The result: customers can perform a wide number of use cases (code signing, SSH, TLS, S/MIME, document signing, file encryption, etc.) on practically any platform (Windows, macOS, Linux, Java, Android, etc.) using the same tools they use today. By allowing customers to use the same tools and supporting things like SSO, training is kept to a minimum and existing processes require minimal modifications, if any at all.
If you’re interested in learning more about how GaraSign works, get in touch with the Garantir team to schedule a demo.