Attacks on Trust Driving Compliance Evolution

When it comes to cybersecurity, any new regulatory compliance measure or guidance is typically driven by a significant expansion of associated real-world threats and incidents. For example, in October 2005, the Federal Financial Institutions Examination Council (FFIEC) issued very pointed guidance requiring a second factor of authentication in an Internet banking environment. This effectively replaced the initial FFIEC Internet banking authentication guidance of 2001. The updated FFIEC guidance came as a result of these real-world instances:

A.) The massive growth of Internet banking (from 2001-2005), and

B.) The increase in the number and sophistication of threats to Internet banking authentication

Each financial services enterprise then proceeded to come up with a plan to technologically require users to employ a second factor of authentication (beyond a password) that would be as minimally intrusive as possible to the customer’s online experience. Fast-forward to present day, and this is why risk-based and behavioral scoring occurs behind the scenes at any bank’s login page, serving as that least intrusive, yet valid, second factor of authentication.

New risk areas and new real-world incidents drive the evolution of information security audit and compliance.

Similar to user IDs and passwords, encryption keys and digital certificates provide trusted authentication (along with trusted encryption of the data transmitted), whether between two machines or a machine and a user. However, if cybercriminals compromise, for example, SSH keys that provide root-level access to critical Linux systems, they’ll get away with a whole lot more than a few hundred dollars from a user’s checking account. When it comes to protecting keys and certificates, the stakes are much, much higher for the enterprise.

Malicious use and compromise of keys and certificates is no longer a theoretical threat. In 2013, even prior to the discovery of Heartbleed, an analysis by the Ponemon Institute of over 2000 large, global enterprises showed that ALL had experienced and responded to an attack on keys and certificates in the previous 24 months. In this same study, IT security professionals estimated the impact of an attack on trust to total on average almost $35 million.

Add to this equation the fact that enterprise usage of keys and certificates is growing at rates similar to the adoption of online banking in the early 2000s. It then becomes very apparent that risks associated with keys and certificates (and thus trust online) can easily spiral out of control if Global 2000 organizations don’t act now.

From a compliance perspective, encryption keys and digital certificates are now where online banking user IDs and passwords were in 2005. Attackers are expanding their efforts to breach their targets via weaknesses in keys and certificates, as they know many organizations’ PKI are silently rife with vulnerability. This is why many Global 2000 industry compliance bodies are more and more insisting that all enterprise encryption keys and digital certificates be protected in a similar manner to all other privileged access credentials at an organization.

Industry Compliance Involving Keys & Certificates

Financial FFIEC, GLBA, FDIC, NCUA, PCI DSS, SOX

Insurance PCI DSS, HIPAA, SOX

Healthcare HIPAA, HITECH, HITRUST, NIST, SOX

Retail PCI, SOX, NIST

Technology ISO 27000, COBIT, NIST, SOX

Manufacturing ISO 27000, SOX

Energy and Utilities NERC CIP, NIST, SOX

Government NIST

Requirements around the protection of keys and certificates (Next Generation Trust Protection) have been added directly or indirectly to nearly all major regulatory compliance bodies.

Failing to protect trust can result in serious regulatory and business consequences for the enterprise, ranging from failed audits and fines to irreversible brand reputation damage.

Our mission here at Venafi is to prevent this from happening to our customers. Given that enterprise keys and certificates provide trusted communication, implementing a program to protect enterprise keys and certificates is now more commonly referred to as “Next Generation Trust Protection.”

The collective risks involved with unprotected keys and certificates are at an all-time high, and regulatory compliance bodies are now evolving to address them. This is a point of convergence for Next Generation Trust Protection, where the risk and real-life threats to keys and certificates drive widespread regulatory and security framework evolution. The Venafi Trust Protection Platform secures trust by protecting enterprise keys and certificates and is well positioned to meet industry best practice needs around Trust Protection. By instituting a Next Generation Trust Protection program, you’re not only better securing the enterprise brand and dramatically cutting costs, but you’re also staying ahead of the evolving information security compliance curve.