Cryptography is a cornerstone of risk management in HPE Nonstop enterprises. That’s especially true of the SSH and SSL tunnels which enable secure remote access to terminals and secure connectivity between systems. Yet focusing too hard on algorithms and key lengths obscures a bigger issue.
Nonstop customers are exposed to unprecedented security risks. Compliance expectations have shifted. And the entire crypto-operating model must evolve in step. A long overdue shift is needed in how organizations manage keys, certificates and secrets: from “local, manual, and fragmented,” to “centralized, governed, and automated.”
Why legacy models are failing
Crypto keys and certificates sit at the heart of HPE Nonstop security. But they’re an increasingly popular target for threat actors. Some reports claim that over a third (35%) of network intrusions involve some form of certificate or key abuse. This kind of attack technique is often difficult to uncover without the right kind of visibility, which means adversaries get more time inside networks. Global median dwell time rose from 11 to 14 days over the past year.
Yet just a third (34%) of organizations have full certificate visibility, according to separate research. This is due in part to the outdated way in which many large enterprises manage their keys and certs. Legacy operating models are longer fit for purpose at a time when keys, certificates, secrets and credentials are exploding in volume. Keys are stored separately on individual servers, policy is decentralized, and there’s no visibility into where certificates are, when they expire, who owns them, and who is accessing them.
This creates major governance and audit risks.
It also makes it more likely that keys are rotated manually, and certificates are managed and reviewed manually. This drives additional operational cost and risk. Human error can mean missed renewal dates which cause service outages, damaging customer trust. One study claims that 67% of organizations experience these events every month. And that’s within the 398-day maximum validity limit for TLS/SSL certificates. This is now 200 days, and will continue to fall over the coming two years – to just 47 days by 2029. That will put extra strain on manual renewal efforts and add operational costs.
Security and compliance expectations are changing
All of this plays into the hands of threat actors looking for forgotten SSH keys or expired SSL certificates to hijack. It’s also why regulators will no longer tolerate these legacy approaches to key, secrets and certificate management.
Their expectations are that:
- Organizations have good visibility into their cryptography estate: a comprehensive list of all SSL/TLS certificates and SSH keys deployed, along with key lengths and expiry dates
- Every key and certificate has an identified owner
- There are automated processes for key and certificate rotation within best practice time frames
- Every SSH key is periodically reviewed and obsolete keys are removed
- There are clear logging processes in place to show certificate issuance, renewal history, access logs and more
- There are documented processes to revoke and replace keys if they are compromised
All of which is made more challenging, if not impossible, with decentralized, manual processes.
Towards centralization and automation
This is why HPE Nonstop customers are increasingly looking to centralized, automated mechanisms for key, secrets and certificate management. A centralized, HSM-backed key and secrets store with MFA-protected access delivers audit-ready logs for improved governance, visibility and control. Automated certificate lifecycle management means certs are issued, renewed and rotated according to policy with little effort – supporting ultra-short lifespans.
This is where comforte’s TAMUNIO Assure platform can help. It offers all of the above. Full-stack key governance supports PCI DSS 4.0, GDPR, and NIS2 compliance requirements. And HPE Nonstop-wide secret consolidation lowers operational overheads, simplifies audits and reduces risk.
Customers and regulators expect more of global organizations handling critical data in vast volumes. That’s why the crypto operating model is changing. Enterprises that fail to keep up will not only be exposed to cost, compliance and security risk. They will be at a competitive disadvantage.
