The PKI Guy discusses digital certificates security with Muralidharan Palanisamy of AppViewX

Q&A with Muralidharan Palanisamy, chief solutions officer, AppViewX

TPG: Tell us a little bit about AppViewX.

MP: AppViewX is revolutionizing the way NetOps and SecOps teams deliver services to Enterprise IT. We have a modular, low-code software platform that enables the automation and orchestration of network and security infrastructure using an intuitive, context-aware, visual workflow.

TPG: What is your latest information security product?

MP: Our Certificate Lifecycle Automation solution helps enterprise IT manage and automate the entire lifecycle of its internal and external PKI. It provides extensive visibility into the certificate and encryption key infrastructure, which helps protect the enterprise from threats to the business.

TPG: What is AppViewX’s role in protecting the security of digital certificates?

MP: AppViewX effectively removes the human element from key management so that no one has access to a private key. Our fully automated solution provides a safe and secure way of protecting and managing digital certificates and keys. Certificates may be renewed using automated workflows that enforce secure and compliant processes.

TPG: How can enterprises manage their certificates more efficiently?

MP: The first step is to gain visibility of all the certificates in the enterprise. Our platform provides an intelligent discovery process to identify all of the certificates and then add them to the central inventory of our solution. Once a certificate is in the inventory, our solution will monitor the status and compliance of the certificates and generate alerts to the teams who own the renewal and/or revocation processes. These powerful services address a majority of the customer’s pain points. Beyond this, enterprises can automate the enrollment and deployment of certificates on end points and remove human access to keys.

TPG: What is configuration compliance and why is it important?

MP: Enterprises have legislated regulatory mandates and internal security policies to audit and enforce configuration as well as the process to change a configuration. Automating and enforcing configuration changes using standardized workflows (with pre- and post-validations) is the way to a secure and compliant network. From an application security perspective, the protocols used to communicate, the ciphers used to encrypt, and the strength of the encryption keys used are all important factors to protect the information touched by an application. Weaknesses can result in huge reputational and legal damage for the enterprise.

TPG: What should companies look for when purchasing a network automation tool? 

MP:

1. Is the tool intuitive and easy to use?
2. Is the tool easy to set up and onboard users?
3. Can the tool adjust to different internal business processes?
4. Does the tool easily integrate with your solutions?
5. Can the tool be extended to support new or unique solutions?
6. Can the tool be extended to support your unique business processes?
7. Can the tool easily be upgraded in your production environments while interacting with multiple systems and many end users?
8. Will the vendor help you onboard the tool and your end users?
9. Can the tool auto-discover certificates and map the infrastructure to the application?
10. Can your users initiate their own service requests?
11. Can the tool audit configuration changes and enforce compliance?
12. Can the tool authenticate and authorize configuration changes based on role of the user?
13. Can the tool alert and report critical events?
14. And, finally, can the tool scale to support your most demanding digital transformation requirements?

TPG:  What exactly is low-code automation?

MP: Low-code automation is a visual and intuitive way of building automation workflows and reports that meet the needs of the business, without requiring advanced programming skills.

TPG: How do you recommend companies protect private keys in a hybrid environment? 

MP:

1. Periodically run discovery services to maintain an accurate inventory Use Network Hardware Security Modules (HSMs) to store private keys where possible.
2. Deploy private keys in software vaults if network HSM is not an option.
3. Auto-generate the private key on the device using automated systems without human involvement.
4. Do not reuse the private key on multiple devices and rotate keys periodically
5. Leverage auto-enrollment capabilities and shorter life spans.
6. Have a central key management and orchestration solution to quickly revoke/rotate the keys in case of a compromise.
7. Audit actions on applications and end-devices.
8. Generate vulnerability and compliance reports with auto-escalations for irregularities.

TPG: What can companies do to better manage their security?

MP: Enterprises can better manage their security by streamlining their processes. Processes need to be put in place from the time of establishing initial trust for a device, all the way to the end of the life cycle to better secure and segment it.

Device Identity plays an important role in security. The initial process of assigning a digital identity is very crucial, since the device needs to be trusted by other applications. Security policies should be based on the device identity, or should be verified periodically. More importantly, automated enforcement or remediation has to be set up to audit the defined security policies. The security of an enterprise can be improved if the standard mode of deployment is a cookie cutter approach with all policies enforced and predefined.

TPG:   Tell us how you are simplifying the management of security policies.

MP: The AppViewX Platform provides an application-centric view of the network security infrastructure with self-service capabilities and advanced automation workflows. Security teams can define and enforce policies, with the ability to tailor them to meet unique business requirements. The custom, event-driven workflows ensure no changes are implemented without proper change control and approvals. The Platform also integrates with ITSM tools for ticketing and governance and can notify users via email and Slack messages.