GaraSign: TLS Use Case
TLS is the industry standard protocol for securing data in transit. Two of the biggest challenges with TLS are protecting the keys and managing their certificates. TLS keys are often stored in software directly on web servers, leaving them vulnerable to compromise. For large enterprises managing many servers, this creates serious risk and makes certificate lifecycle management difficult.
With GaraSign, keys are secured in a hardware security module (HSM), rather than in software or stored locally on servers. Avoiding outages with timely rotation of certificates is greatly simplified, as all keys and certificates are centrally managed.
TLS is ubiquitous throughout enterprise IT environments.
How do you securely manage all the keys and certificates?
The industry standard for enterprise organizations is to encrypt all network traffic with TLS. For enterprises, this presents two challenges: the keys must be secured and the certificates must be renewed prior to expiration to avoid outages and downtime.
All too often, TLS keys and certificates are stored locally in software on servers. This doesn’t provide adequate security, nor does it enable easy certificate rotation, as the certificates are not centrally managed.
Minimal Key Protection
Storing keys in software on servers leaves them vulnerable to compromise by attackers.
Certificate Outages
SSL/TLS certificates must be renewed to avoid outages, but it's hard to do so when they aren't centrally managed.
Key Sprawl & Compliance
Many servers means many keys, making it difficult to remain compliant and meet key management requirements.
With GaraSign, all keys and certificates are centrally managed and secured in an HSM.
Secure Access To HSM-Protected Keys
GaraSign is deployed on customer-managed infrastructure between the HSM and the servers, restricting those servers to proxied key access.
The result is that keys remain secured and non-exportable in the HSM, while servers can use the keys they need to perform TLS handshakes and protect network traffic. GaraSign further secures keys via granular access controls and features, such as device authentication, IP address whitelisting, and more.
Centrally-Managed Certificates
When you deploy GaraSign, all TLS certificates are centrally-managed. This ensures easy certificate rotation to prevent outages and costly downtime. It’s also easy to perform other certificate lifecycle management tasks.
TLS Key Management Made Easy
No matter how many keys and certificates in a given environment, GaraSign enables enterprises to manage and audit their infrastructure from a centralized location. Using this approach, administrators always maintain full visibility on all keys. GaraSign creates a detailed log for each key, making it easy to audit key usage to see when keys were used, at what time, and by which users.
Client Certificate Authentication
GaraSign can also be used to manage the keys and certificates used for client authentication (aka mutual TLS). This can be used to enable privileged access management, via features like multi-factor and device authentication, without reconfiguring servers.
