CLM PKI Management

Certificate Lifecycle Management Solutions

PKI and CLM Solutions for Enterprise Companies.


What we Offer

PKI Professional Services


DBA Binary Fusion delivers the expertise you need to ensure your PKI environment not only meets your needs today, but is properly designed for your needs down the road.

Co-Managed PKI Services


We keep close watch over your PKI to ensure that everything is operating efficiently and securely, so you don't have anything to worry about.

PKI Assessment Online or Onsite

After you have deployed the PKI, our online or onsite PKI Assessment provides you with the knowledge and assurance that it was done right.

Enterprise PKI Support Services

We approach PKI support differently than the competitors. We can work with mobile and IoT devices, helping you secure your environment based on Certificate Lifecycle Management best practices. Take a look at how different we truly are by reading below.


What is CLM?

Certificate Lifecycle Management systems (CLM/CLMS), also called Certificate Management Systems (CMS), provide the tooling needed to run a PKI at scale. They allow admins to manage every part of the lifecycle of an individual certificate while maintaining a broader perspective on the state of the network.

Why CLM?

  • Machine Identity is at the core of enterprise cybersecurity.
  • You may have the most advanced IAM, antivirus, and firewall solutions, but if machine identities are not managed correctly, applications and devices cannot communicate securely.
  • Digital certificates and keys are what establish machine identities, which is where certificate lifecycle management comes in.

Other reasons besides cybersecurity include compliance and audit readiness, and the money saved by not having to deal with major incidents (MIs) caused by devices with expired or misconfigured certificates.

Managing Certificates is Complex

  • Discovering devices without certificates can be challenging.
  • Certificates expire (causing business process failures).
  • Keys stored all over the place (insecure key storage locations).
  • Scattered ownership of certificates (people leave).
  • Low visibility (no single pane of glass).
  • No PKI self-service (no way to request a certificate and have it generated automatically).
  • Manual processes with no supervision.
  • Far too many different infrastructure components.
  • Revocation of certificates is not documented, or is rarely performed.


CLM Stages that DBA Binary Fusion can help your organization tackle.

Discovery

  • Devices that have invalid certificates or no certificates can be difficult to discover. The discovery process depends on the types of devices, protocols, API programmability, and other characteristics.

Enrollment

  • Credentials and other inputs are gathered to enroll the certificate. For example, certificate signing requests (CSRs) with the common name and the identity of the service are gathered, together with authorization details.

Issuance

  • Certificate enrollment data is validated, and a certificate is issued. The certificate is stored in a database and provided to the end entity that submitted the initial enrollment.

Expiration

  • The certificate approaches the end of its validity period. An expired certificate is no longer valid or trusted, so the end entity should be aware of the expiry date and decide to either renew or decommission.

Destruction

  • Once the validity period has ended, the private key and certificate are no longer needed. The private key is securely destroyed, and the certificate is decommissioned from the public key infrastructure.
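The five stages above, as an added example that is not the page's own tooling or any DBA Binary Fusion code: a POSIX shell script driving the openssl CLI through enrollment (device key and CSR carrying a Subject Alternative Name), issuance (signing by a local CA), expiration (days remaining computed with -checkend) and destruction (key removal, certificate retired). The CA name, the device host names and the working directory are assumptions; discovery is stood in for by a constructed device list because a real sweep (ICMP, SNMP, vendor APIs) depends on the devices.

```shell
#!/bin/sh
# Added example (not the page's own tooling): one device certificate driven
# through the CLM stages with the openssl CLI. Host names, the CA name and the
# working directory are assumptions for illustration.
set -eu

WORK="${CLM_WORK:-$(mktemp -d)}"

# Discovery stand-in: a real deployment sweeps the network (ICMP/SNMP/API);
# here the inventory is a constructed list of two device host names.
DEVICES="vc-nyc-01.example.internal vc-lon-02.example.internal"

make_ca() {
  # Issuing CA: 2048-bit RSA key and a self-signed root valid for 10 years.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Device Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

enroll() {
  # Enrollment: the device generates its own key pair and a CSR; the host name
  # goes into the Subject Alternative Name, which is what NAC/ISE rules match on.
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=clientAuth,serverAuth\n' \
    "$host" > "$WORK/$host.ext"
}

issue() {
  # Issuance: the CA checks the CSR and signs it for the given number of days
  # (the audit in the use case on this page asked for 2-year renewals = 730).
  host="$1"; days="$2"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days "$days" -sha256 \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

verify_cert() {
  # Returns 0 if the device cert chains to the CA (the trust check a
  # relying party performs); nonzero otherwise.
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

san_of() {
  # Extract the SAN value, e.g. "DNS:vc-nyc-01.example.internal".
  openssl x509 -in "$WORK/$1.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

days_left() {
  # Expiration: smallest whole number of days d such that the certificate
  # expires within d days, found by binary search over openssl -checkend
  # (avoids parsing notAfter with a platform-specific date(1)).
  lo=0; hi=4000
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi) / 2 ))
    if openssl x509 -in "$WORK/$1.crt" -noout -checkend $((mid * 86400)) >/dev/null 2>&1; then
      lo=$((mid + 1))     # still valid at now + mid days
    else
      hi="$mid"           # expires within mid days
    fi
  done
  echo "$lo"
}

needs_renewal() {
  # Policy check: renew when the remaining validity is at or below the
  # threshold in days (default 30, an assumption).
  [ "$(days_left "$1")" -le "${2:-30}" ]
}

destroy() {
  # Destruction: the private key is overwritten and removed (on an HSM you
  # would delete the key object instead); the certificate leaves the active
  # inventory but is kept for the audit trail.
  host="$1"
  if command -v shred >/dev/null 2>&1; then
    shred -u "$WORK/$host.key"
  else
    rm -f "$WORK/$host.key"
  fi
  mkdir -p "$WORK/retired" && mv "$WORK/$host.crt" "$WORK/retired/"
}

demo() {
  make_ca
  for host in $DEVICES; do
    enroll "$host"; issue "$host" 730
    printf '%s: SAN=%s days_left=%s\n' "$host" "$(san_of "$host")" "$(days_left "$host")"
  done
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh clm_stages.sh demo` (file name assumed). The SAN, not the common name, is what identity-aware network gear should key on, and a short renewal window check like needs_renewal is the piece most home-grown processes lack.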

 


What DBA Binary Fusion can do for your organization

Discovery of Assets

  • Discover and visualize your assets by subnet and/or application, through manual entry or integration with your existing CMDB and AD.

Centralized Ownership

  • Define ownership for certificate and keys.
  • Enforce Access control
  • Audit Tracking

Process and Policy

  • Remove reliance on personal knowledge to handle PKI.
  • Enforce policy across all stakeholders.

Endpoint Deployment

  • Streamline certificate push to endpoints.
  • For example: F5 load balancers, servers, video conferencing (VC) units, printers.

Certificate Operations

  • Grouping and expiry reminders
  • Inventory Certs
  • Visibility via monitoring
  • Renewal Automation
  • Certificate Key Generation.
  • CA Automation


Here is what our CLM solution can do for you.

Wrap the DBA Binary Fusion solution around the CLM stages you need and package them in CLM Fusion View (custom-built CLM management software).

  • Wrap the solution around the CLM stages (discovery, enrollment, issuance, expiration, destruction).
  • Get to know your devices and certificates.
  • Are the certificates stored as PEM, CER, or DER?
  • Tie revocation of certificates into your ITSM, such as ServiceNow.

Create Visual Representation of your Certificate Ownership

  • Discover your devices and present them in custom built software CLM Fusion View for your organization.
  • Create Geo-Based views to help you visualize your certificates, by departments, device type, locations etc.
  • Review your existing devices' weaknesses to see which certificates are most at risk (for example, which ones are still signed with SHA-1 rather than SHA-2) and handle those first.
  • View which certificates use weak cipher suites or low-bit cryptographic keys.

Integrate Certificate Generation Workflows

  • Orchestrate Manual, Semi-Automatic, and Automatic Workflows where applicable.
  • Integrate already existing certificate generation workflows, map to security groups.
  • Create/Leverage Self Provisioning Certificate UI of either another vendor or create a custom one for your environment.



Customer Use Case

Examples of use cases other customers struggle with when it comes to managing PKI infrastructure and different types of CLM stages.

Use Case Example 1: Financial Company Looking to Secure their VC devices

A financial company with multiple video conferencing devices across many geographical offices, looking to secure these devices with certificates as their form of identity.

Problem 1: On-premise video conferencing devices were not adequately secured.

The yearly audit revealed an inadequate level of security on the video conferencing devices. The audit found that anyone could unplug a video conferencing device and plug in their own device to get onto the network and perform malicious scans, which could result in compromise of the company's network. As part of the audit findings and recommendations, the company was advised to secure its video conferencing devices using certificates as the device identity and to renew those certificates every 2 years. Other recommendations included joining the video conferencing systems to cloud-based management solutions such as WebEx Control Hub or Zoom.

DBA Binary Fusion was engaged.

Upon discovery analysis here is what we found:

  • Video conferencing devices were from different vendors and ran different operating systems; some vendors supported certificates and some did not.
  • Some devices supported CSR generation directly within the web UI of the video conferencing system and some did not.
  • Some had a GUI and some did not.
  • Some video conferencing devices had API or CLI access and some did not.
  • Some had known vulnerabilities and others did not.
  • The process for generating certificates strictly depended on the device type, making it difficult to come up with a single process for generating a certificate from the UI of every device.
  • Some of the VC systems needed to be upgraded before generating a CSR was even possible.
  • Some video conferencing systems were managed through cloud management interfaces such as WebEx Control Hub.
  • However, WebEx Control Hub did not provide any way of distributing certificates.


Solution: This is how DBA Binary Fusion helped the customer tackle this issue.


Inventory of Devices

  • DBA Binary Fusion helped the customer create an inventory of all video conferencing devices, categorized by region, type, department and ownership, and identified which devices needed to be upgraded before certificate signing requests could be generated.
  • DBA Binary Fusion centralized visibility of every video conferencing device into a geographical portal called "CLM Fusion View" (a custom-built portal based on a micro-services architecture, designed specifically for the customer's certificate lifecycle management needs). Within CLM Fusion View, policies were created to enforce the audit recommendations and notify certificate owners when certificates are about to expire.

Certificate Renewal and Expiry Notifications

  • DBA Binary Fusion modified "CLM Fusion View" so that IT teams could easily regenerate certificates every 2 years. CLM Fusion View was tailored to the customer's environment, making it possible to discover devices via ICMP, SNMP and programmatically through APIs. It was also integrated with the customer's existing CMDB, ServiceNow, making it easy to keep track of certificate changes, renewals and expirations. Alerts were configured to notify certificate owners when a certificate is about to expire, giving owners ample time to log into CLM Fusion View and renew it.

Support for other devices beyond Video Conferencing Units 

  • CLM Fusion View was also extended beyond the video conferencing devices the customer had struggled with to other on-premise devices such as printers. Additionally, revocation handling was configured in CLM Fusion View so that private keys are deleted whenever a certificate expires (the destruction stage described above).
  • DBA Binary Fusion also updated CLM Fusion View to create a ticket in ServiceNow automatically every time a new certificate was generated, keeping a track record of certificate activity.

Flexible Auto-Discovery and generation of CSR

  • CLM Fusion View was designed to grow with the customer's environment: any new device that joined the network was automatically discovered in CLM Fusion View.
  • Admins could specify which VC devices they wanted to generate a certificate for.
  • CLM Fusion View automatically logged into each device, generated a CSR, submitted it to the appropriate CA for signing, and imported the signed certificate back into the video conferencing device.
  • Where it was not possible to manage certificates programmatically through an API, DBA Binary Fusion fell back to a manual process: the company admin who needed a certificate opened a ServiceNow ticket, and DBA Binary Fusion received the ticket and installed the certificate manually. DBA Binary Fusion staff effectively acted as an augmentation of the company's workforce.
  • Additionally, DBA Binary Fusion modified CLM Fusion View to log into multiple VC units automatically and force them to join WebEx Control Hub.

GEO Map Visualization of Devices

  • After certificates were deployed on all of the video conferencing systems, each VC unit was shown on a geo map in the customer's SIEM (Sumo Logic, Splunk or a similar tool) and in "CLM Fusion View".
  • Network engineering and security teams were involved in creating Cisco Identity Services Engine (ISE) rules that match video conferencing authentication and authorization requests on unique values within the certificate's Subject Alternative Name. DBA Binary Fusion assisted the network engineering staff with formulating the ISE policies and helped the network engineering and security teams profile other types of devices that also needed certificates or additional validation.

We offer our services for different types of companies and industries.

Industries we serve include financial, healthcare, professional LLCs, manufacturing companies and beyond.

We can help you secure, analyze and design your network, help you manage your certificate lifecycle process based on your existing environment, and help you work out the detailed evidence you need to provide to auditors in order to pass your yearly audit.

How to Contact Us

If you are interested in seeing additional use cases or would like a similar solution implemented in your organization, don't hesitate to reach out to us by email and one of our IT consultants will get back to you. You can also contact us by the phone number in the top right corner or send us a chat message.

Fill out the form below so we can get to know you a little better and provide a demo presentation tailored to your environment.