ELIMINATE SECURITY BLIND SPOTS WITH THE VENAFI AGENT
Agentless discovery can't find all keys and certificates
When deploying security within any environment, one choice that always comes up is whether to deploy an agent-based or an agentless solution. There are positives and negatives to both approaches. This white paper aims to help you choose which method will best protect the foundation of your security, keys and certificates, based on the problem you want to solve for and the level of security you require. This is a significant issue that impacts most of the Global 5000: 54% don't have visibility into where all their keys and certificates are, and many of those assets are not network discoverable.

Agentless Key and Certificate Discovery Is Not Enough

Most organizations prefer agentless security platforms, services, and solutions because they typically require less configuration and less administration, and have minimal impact on system resources. For network discovery, most tend to believe that agentless discovery meets their requirements to secure keys and certificates. However, the problem they are solving for has changed. The problem is not a simple PKI management issue: where are all of my keys and certificates and how many do I have? The problem is now a security issue where attackers are using encryption to hide their malicious activities within your traffic.

Key and certificate management is no longer just an IT function, so it cannot be treated the same way IT generally thinks about installing applications, servers, and services. It has become a security program, and as such, it requires continuous monitoring, compliance, and regulation. This does not mean that IT security teams need to install and maintain an agent that is burdensome and system resource intensive. Rather, the ideal discovery agent will have minimal system impact and be discreet, reliable, and agile enough that it can be installed anywhere.
At the same time, it should be robust enough to leverage automation, receive updates, and enforce policies from the management platform.

Venafi and Agentless Discovery

The Venafi Trust Protection Platform features agentless discovery that provides a comprehensive view into your encryption posture to help you eliminate security blind spots caused by unknown or rogue keys and certificates. Consistent monitoring and discovery of network-discoverable keys and certificates eliminates the majority of these blind spots. However, there are still some locations where keys and certificates cannot be found with agentless discovery. The Venafi agent is a client/server application that works within the Venafi Trust Protection Platform to provide constant visibility into the blind spots where agentless discovery cannot see.

The Venafi agent continuously monitors for any changes to your SSL/TLS keys and certificates and SSH keys on any supported system in your network. The Venafi agent is installed on local systems, where it performs scheduled protection for encryption assets found in designated keystores and directories that are not network discoverable. In addition, the Venafi agent enforces SSH security policies, adds and removes access keys, and ensures the reliable rotation of both user and authorized SSH keys. The agent enables you to change SSH source restrictions, forced commands, and other key options to harden your SSH security and enforce customized SSH policies.

The chart below compares use cases where either an agent-based or an agentless approach is best suited to the discovery of keys and certificates.

AGENTLESS DISCOVERY
- Any network-facing TLS/SSL keys
- Any network-facing SSH servers
- Network appliances
- SSH keys on Linux, HP-UX, AIX, Solaris (credentials to log in to the box using SSH required)

AGENT-BASED DISCOVERY
- Certificates using TLS protocols that are not discoverable
- Certificates where SNI is being used
- Certificates that are being used for client authentication
- PEM store
- PKCS12 store
- PB7 store
- Java Key Store
- CMS key store
- iPlanet keystore
- SSH keys on Linux, HP-UX, AIX, Solaris
- SSH keys on Windows
- SSH key usage monitoring

How Lightweight Is the Venafi Agent?

The Venafi agent only requires 40 MB of free disk space: 30 MB for the software and 10 MB to queue data to be sent to the Trust Protection Platform server. The agent's utilization profile (both memory and CPU) depends on the number of keys and certificates on a system. The only port that needs to be opened is 443 back to the Trust Protection Platform server. The agent supports Linux, Solaris, HP-UX, AIX, and Windows.
The agent was designed to minimize both CPU usage and overall system resource impact. For example, the agent has a feature called Randomization that randomizes the times at which the agent communicates with the server or performs a scan on a host system. The Randomization feature reduces the impact on a hypervisor host with multiple guest systems running on it.
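As an added illustration (my own example, not Venafi's code and not a description of how the Venafi agent is implemented), here is the kind of local scan the text describes: classify files in designated directories as certificates, private keys or SSH public keys, fingerprint them, report only what changed since the previous check-in, and jitter the next scan time. The file paths and contents are constructed placeholders, not real key material.

```python
import hashlib
import random
import re

# Markers for assets that live outside network discovery: PEM certificates and private keys in files, SSH public keys in authorized_keys.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----")
SSH_PUBKEY_RE = re.compile(rb"^(?:ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+) ", re.M)

def classify(data):
    """Return 'certificate', 'private-key' or 'ssh-public-key' for a file's bytes, or None if it holds no trust asset."""
    m = PEM_RE.search(data)
    if m:
        return "private-key" if b"PRIVATE KEY" in m.group(1) else "certificate"
    if SSH_PUBKEY_RE.search(data):
        return "ssh-public-key"
    return None

def inventory(files):
    """Map path -> (kind, sha256 of content) for every file that holds a key or certificate; other files are ignored."""
    found = {}
    for path, data in files.items():
        kind = classify(data)
        if kind:
            found[path] = (kind, hashlib.sha256(data).hexdigest())
    return found

def delta(previous, current):
    """What changed since the last check-in: only these entries need to be sent to the server."""
    return {
        "added": {p: v for p, v in current.items() if p not in previous},
        "changed": {p: v for p, v in current.items() if p in previous and previous[p] != v},
        "removed": sorted(p for p in previous if p not in current),
    }

def next_scan_delay(interval_s, jitter, rng=random):
    """Randomization: spread scans over interval * (1 +/- jitter) so guests on one hypervisor do not all scan at once."""
    return interval_s * (1 + rng.uniform(-jitter, jitter))

# Constructed sample files (placeholder bodies, not real keys): a first scan and a later scan of the same host.
SCAN_1 = {
    "/etc/ssl/certs/app.pem": b"-----BEGIN CERTIFICATE-----\nMIIB.placeholder\n-----END CERTIFICATE-----\n",
    "/etc/ssl/private/app.key": b"-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n",
    "/home/svc/.ssh/authorized_keys": b"ssh-ed25519 AAAAC3placeholder svc@host\n",
    "/etc/motd": b"welcome\n",  # not a trust asset; must be ignored
}
SCAN_2 = dict(SCAN_1)
SCAN_2["/home/svc/.ssh/authorized_keys"] += b"ssh-rsa AAAAB3placeholder admin@laptop\n"  # a key was appended
del SCAN_2["/etc/ssl/private/app.key"]  # the private key was removed
SCAN_2["/opt/app/new.pem"] = b"-----BEGIN CERTIFICATE-----\nnew\n-----END CERTIFICATE-----\n"  # new certificate
```

In a real deployment the two scans would come from walking the designated directories on disk; the appended authorized_keys entry is exactly the kind of change a defender wants surfaced at the next check-in.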
Once the agent performs its initial discovery and submission of discovered certificates and keys to the Trust Protection Platform server, in subsequent updates it submits only the data that has changed. The times when the agent actively performs scanning or remediation operations are centrally configurable (e.g., hourly, daily, weekly, monthly, time of day, etc.). This gives administrators complete control of the operating footprint of the agent.

Using the Venafi agent can also reduce the amount of work required to configure and manage trust between Trust Protection Platform and the agent-enabled devices where you plan to deploy certificates. This is especially true if you do not use similar configurations across the devices where you want to install certificates. As certificates are discovered, Trust Protection Platform creates the necessary objects so that it can manage the discovered certificates almost immediately, regardless of their configuration.

The agent-based method also helps with load distribution because installed server agents use the system resources of the devices where they are installed, as opposed to an agentless approach, where all of the work is performed on the Trust Protection Platform server. With an agent, you avoid having a single device perform hundreds of tasks. Instead, you have hundreds of devices performing a few tasks each.

Venafi Agent Benefits

GROUPING
Allows you to logically group agent-enabled devices so that you can easily assign different configurations to the devices within each group. Grouping devices also lets you more easily delegate groups to other administrators to coordinate and complete various types of work.

NO REQUIREMENT FOR CREDENTIALS
Eliminates the challenge of managing multiple credentials.
Agentless technologies, in some cases, require administrative credentials for agentless discovery. This makes it challenging to find the right people to obtain the credentials, and then to keep those credentials in sync when they are changed. With the Venafi agent installed, this is easier because the server agent runs as a system service/daemon with administrative access. The connection back to the Venafi Trust Protection Platform is protected using TLS encryption/authentication that includes a rolling code that changes on every agent check-in. With the Venafi agent, administrators do not need to worry about gathering and managing credentials, because authentication between the platform and the agents is automatic once they register.

WORK ASSIGNMENT BY GROUP
Lets you define group membership rules for each agent group. Rules allow you to specify criteria that determine which systems become members
of which groups. Work can then be configured and assigned to the systems within each group. There are several different types of work that can be configured within agent groups, including agent registration, SSH configuration, certificate discovery, and agent upgrades. For example, you might assign agent registration work to one group and SSH configuration work to another group, or you could assign all work types to one or more agent groups.

Additional Features

Discover SSH encryption assets located on the file system, rotate authorized keys and user keys for SSH, and use client REST API(s) over HTTPS. In addition, the agent can be used to audit key usage by gathering information from SSH server logs.

Example Scenarios

CONSIDERATION
- If you have a Unix or Linux system and you need CMS (GSK), JKS, PEM, or PKCS#12
- If you have a network appliance like F5 BIG-IP LTM, Citrix NetScaler, A10 vThunder, IBM DataPower, etc.
- If you have a Windows system and you need CMS (GSK), JKS, PEM, or PKCS#12
- If your security policy does not allow exposing sudo/root credentials to remote systems for SSH key scanning
- Strict network restrictions (and associated architecture)
- If Trust Protection Platform is able to connect to a device on which you plan to install a certificate but the device cannot contact Trust Protection Platform
- If you have strict restrictions on SSH access to the device (e.g., all external connections to the device are workflow enforced)
- Devices have dissimilar configurations (use many different management credentials, keystore locations vary from server to server, etc.)
- Your servers cannot have software installed
- Device operating system version is not supported by the Venafi agent
- You want to perform routine scanning of trust assets on all of your devices

RECOMMENDATION
- Agent or Agentless, depending on which method best fits your organization
- Agentless
- Agentless
- Agentless. If a device cannot connect to the Trust Protection Platform, then an agent would not function. During agentless certificate installation, Trust Protection Platform initiates the network connection.
- Agentless
- Agentless

The Venafi agent helps you eliminate blind spots

No single discovery method will help you locate all of your keys and certificates. And any key or certificate that you don't know about represents a blind spot in your security that hackers could leverage to infiltrate your business. The Venafi Trust Protection Platform helps you maintain visibility and control of all your keys and certificates with both agentless and agent-based protection, so you can use the approach that works best in your business: lightweight agentless discovery for your network-based keys and certificates, and agent-based protection for keys and certificates that are not network discoverable.

ABOUT VENAFI
Venafi is the market-leading cybersecurity company that secures and protects keys and certificates so they can't be used by bad guys in attacks. Venafi provides the Immune System for the Internet, constantly assessing which keys and certificates are trusted, protecting those that should be trusted, and fixing or blocking those that are not.

© 2016 Venafi, Inc. All rights reserved. Venafi and the Venafi logo are trademarks of Venafi, Inc. Part Number: 160603-WP-Venafi-