Does this sound familiar? You are working at a company on a big project and are just about ready to move to production but need to add the final touches. You are told that you need TLS certificates for your load balancers, application servers, and database servers, a secure place to bootstrap some secrets from, and to turn on database encryption. Seems simple enough: you just need to find out who to request this from. You couldn’t have been more wrong – you are suddenly inundated with questions and a maze of a decision tree:
- Will the service only be used internally or will external customers have access? If internal only, the ADCS team will issue the certificates, otherwise the team that maintains the relationship with the publicly trusted certificate authority will do it.
- How will you renew the certificates? Automatically via ACME or SCEP, some server-side orchestration mechanism, manually by setting your own calendar reminder, or just hope you move on to a new job before that happens?
- Will the infrastructure sit on-premises or in the cloud? If it is in the cloud, the cloud infrastructure team will generate the keys for you; otherwise you may generate them yourself.
- What kind of keys do you plan on using? A bunch of foreign acronyms are thrown your way – ECC, RSA, PQC, etc.
- How often do your secrets need to be rotated? Will this happen automatically or manually?
- Etc.
As it turns out, adding the final touches takes almost as long as completing the bulk of the project did.
If this sounds familiar, don’t worry, you are not alone. It is no secret that tech moves quickly but our infrastructure and processes often lag behind. We are now seeing the industry catch up by deploying Enterprise Cryptographic Services. At a high level, the Enterprise Cryptographic Services team is responsible for the secure management and usage of keys, certificates, and secrets. Since these cryptographic primitives underpin so many common use cases and protocols, the Enterprise Cryptographic Services team plays a crucial role in the overall enterprise security strategy.
Cryptographic Services Examples
Some examples of what the Enterprise Cryptographic Services team is responsible for include:
- Secure key generation and storage
- Management of the cryptographic devices that store the keys, whether on-premises, in the cloud, or both
- Automated and manual certificate issuance and renewal
- Proper key destruction and certificate revocation when necessary
- Automated and manual secrets creation, rotation, and destruction
- Auditing of permissions to keys and, ideally, real-time key usage to ensure compliance with corporate policies
Proper Tooling
To properly run an Enterprise Cryptographic Services team, the proper infrastructure and tooling are required. At a minimum, this tooling should provide:
- Native client integrations to operating systems and runtime environments via cryptographic service providers
- Integration with federated identity providers such as Entra ID, Okta, Active Directory, etc. via industry-standard protocols like OIDC/OAuth2, SAML, Kerberos, LDAP, etc.
- Support for many use cases such as TLS, Code Signing, SSH, RDP, Data Encryption, and more
- Centralized auditing over all administrative and end user requests
- Integration with private and publicly trusted certificate authorities for certificate management
- Advanced security controls such as MFA, approval workflows, just-in-time access, and others during authentication and sensitive operations
- Policy-driven key and certificate management on a per object basis
- Support for classical and post-quantum cryptography
- High performance via techniques such as client-side hashing and enveloped encryption
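As an added illustration of the enveloped encryption technique mentioned in the last point (example code written for this page, not part of any Garantir or GaraSign product), the block below encrypts bulk data locally under a per-object data encryption key (DEK) and sends only that small DEK to the key encryption key (KEK) holder for wrapping. The KEK wrap is simulated in-process here; in a deployment it would be the single round trip to the HSM or KMS, and the KEK would never leave it.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what the app stores: the DEK wrapped by the KEK plus bulk ciphertext under that DEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }
// seal AES-GCM-encrypts pt under key and prefixes the fresh random nonce to the output.
func seal(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a malformed key length reaches here
	}
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail on Go 1.24+
	return aead.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; a wrong key or a tampered blob fails the GCM tag check.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, errors.New("blob shorter than a GCM nonce")
}

// Seal performs enveloped encryption: bulk data is encrypted locally under a fresh 256-bit DEK;
// only the 32-byte DEK goes to the KEK holder (the HSM or KMS in production) for wrapping.
func Seal(kek, plaintext []byte) *Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	return &Envelope{WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, plaintext)}
}

// Open unwraps the DEK with the KEK (the one KMS round trip), then decrypts the bulk data locally.
func Open(kek []byte, e *Envelope) ([]byte, error) {
	dek, err := open(kek, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}
```

Rotating the KEK then means re-wrapping each stored 32-byte DEK, not re-encrypting the bulk data, which is the performance property the list above refers to.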
Whether you are just starting your journey to Enterprise Cryptographic Services, have a mature service already deployed, or are somewhere in between, Garantir is here to help. We have a wealth of experience creating, deploying, and managing Enterprise Cryptographic Services solutions, including our best-in-class solution GaraSign, for large and medium-sized enterprises. Please contact us to discuss your needs.