@denbesten @JoePete @AaronFaby
I hear your pain, and I fully understand it. I am going through the same pain where I am located, except most of New Zealand is asleep and a lot of security people have migrated to Australia where they can have a better life - if they like Sun, Sea, Snakes, Crocodiles, Stinging Wasps and poisonous spiders they have it all - gone through all that previously.
There are many areas which are misunderstood such as Developers not understanding how to use PKI root structures for protecting Kubernetes containers etc due to the complexity when really they just want the job done especially when they are attempting to get CI/CD pipelines up and running etc.
I am coming across organisations who use ITSM's such as ServiceNow, or Spreadsheets, or CMDBs, but the entire processes are manual - mistakes occur, misconfiguration s occur, and often the expiration date is left to one or two people who actually understand certificates. Whether they are used within SSH server farms or proxies, firewalls or IoT devices etc etc.
I agree that many will think about moving to cloud providers, but are they any better than organisations, looks at Microsoft outages, or AWS massive outages and we become totally dependent upon them all.
All of which have their weaknesses, either the certificate database is a flat file, and you need authorisations. scripts to make certificate requests and then you need scripts and APIs and additional integrations with Hashicorp Vault or Jenkins or even Kong for applications. It comes in all shapes and measures.
There are many providers out there who can provide integrations. semi-automate the certificate lifecycle management process, which historically we have left to the few and to those who actually understand it. Who swallowed the NIST three volume bible on certificate management etc.
Current HSMs will be redundant in the next four years, they are costly bricks but essential in many cases, whether built into an IoMT device or ICS device etc - which points back to the vendors and their capabilities.
There are many providers, I have done some research on a number, but at the end of the day it is down to the organisation:
1) On Premises, do it yourself; 2) Build it yourself' 3) Manage it yourself; 4) Use a SaaS service and manage it yourself; 5) SaaS service and get them to manage it for you etc.
There is a lot more to this: Risk Management; Assessment of current environment, Design for automation; Proof of Concept; design workflows for automation, test and test and keep testing - start small and grow in confidence, get the bugs out of the system. I suggest using an ITSM or CMDB integrate it, but ensure you have full visibility, able to handle incidents, notifications, and audit trails and reports are really important.
Most of these systems are based on the number of certificates to handle - the greater the number, the less the cost annually.
This is only the start of a journey, then think about Crypto-Agility with PQC, migration from Public Key Infrastructure and Hybrid systems towards Quantum Key Management - sorry folks it is happening like it or not.
Blockchain security is busted, not because of the cryptographic algorithms,. but the entire processes around including who can you trust.
Humans are inherently insecure, we make mistakes, the impacts are becoming bigger.
If you reach out I am happy to share some of my findings; but not on a public basis.
A lot of development, experience needs to be built up and humans only really learn through pain, rather than someone putting it on a plate for them.
Compliance and regulations are progressing and chasing us all hard.
Regards
Caute_Cautim
