With the growth of certificate-based authentication, many organizations have found shadow IT CAs: certificate authorities stood up by engineers who needed certificates and did not use the company-approved private CA. These are usually not created with malicious intent. An engineer realizes they need a certificate authority to issue certificates for authentication (to their application, to a cloud service, or something else), does not know whom to ask or whether the organization already has an internal CA for this use case, and so creates one on their own. This is a major risk for you, because a certificate authority that is not configured and protected properly is a high-value target: whoever controls its key can issue certificates that every service trusting that CA will accept. The problem with shadow IT certificate authorities and self-signed certificates is that, since your team did not create them, they are hard to find.
These certificates can be hiding anywhere: on ports used for RDP, databases and other services, in applications and IoT devices that use them for authentication, and even as the TLS certificates of internal sites. To find them in all those places you would have to write a script that checks each one for certificates you do not know about, and then compare what it finds against the CAs you actually approve. To help you with this, we created EZMonitor. EZMonitor's internal network scanning can be set up in minutes by running our agent on a Windows computer in your network (if you have multiple networks, EZMonitor lets you scan and find certificates across all of them).
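As an added illustration of the kind of check such a script has to perform (this is example code written for this article, not EZMonitor's agent or any other Keytos code), the Python below pulls the issuer and subject out of a DER-encoded certificate with a minimal ASN.1 walk, classifies each certificate as issued by an approved CA, self-signed, or issued by a CA nobody approved, and groups the unknown issuers so that one private CA quietly signing several services stands out. The approved issuer DN, the host labels and the certificates themselves are assumptions constructed for the example (the certificates are unsigned skeletons built by `fake_cert`, not real ones); `fetch_cert` shows how to pull a real leaf certificate off a TLS-first port with nothing but the standard library.

```python
import socket
import ssl

# Issuer DN(s) of your approved internal CA(s). Assumption for this example; use your own.
APPROVED_ISSUERS = {"CN=Corp Issuing CA 1,O=Example Corp"}
# X.500 attribute OIDs rendered by name; any other attribute is shown as raw hex.
_OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}
_OID_BYTES = {name: oid for oid, name in _OID_NAMES.items()}

def _read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at buf[pos]
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _name_to_str(buf, start, end):
    """Render an X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value}) as 'CN=...,O=...'."""
    parts, pos = [], start
    while pos < end:
        _, p, rdn_end = _read_tlv(buf, pos)                       # RelativeDistinguishedName SET
        while p < rdn_end:
            _, atv_start, p = _read_tlv(buf, p)                   # AttributeTypeAndValue SEQUENCE
            _, oid_start, oid_end = _read_tlv(buf, atv_start)     # attribute type OID
            _, val_start, val_end = _read_tlv(buf, oid_end)       # attribute value string
            oid = buf[oid_start:oid_end]
            parts.append(f"{_OID_NAMES.get(oid, oid.hex())}={buf[val_start:val_end].decode('utf-8', 'replace')}")
        pos = rdn_end
    return ",".join(parts)

def parse_cert(der):
    """Pull issuer and subject out of a DER certificate (structure only, no signature check)."""
    _, tbs_start, _ = _read_tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _ = _read_tlv(der, tbs_start)               # tbsCertificate SEQUENCE
    tag, _, end = _read_tlv(der, pos)
    pos = end if tag == 0xA0 else pos                   # skip optional [0] EXPLICIT version
    _, _, pos = _read_tlv(der, pos)                     # serialNumber
    _, _, pos = _read_tlv(der, pos)                     # signature AlgorithmIdentifier
    _, iss_start, iss_end = _read_tlv(der, pos)         # issuer Name
    _, _, pos = _read_tlv(der, iss_end)                 # validity
    _, sub_start, sub_end = _read_tlv(der, pos)         # subject Name
    return {"issuer": _name_to_str(der, iss_start, iss_end), "subject": _name_to_str(der, sub_start, sub_end)}

def classify(info):  # 'approved', 'self-signed', or 'unknown-issuer' (nobody approved it: shadow CA candidate)
    if info["issuer"] == info["subject"]:
        return "self-signed"
    return "approved" if info["issuer"] in APPROVED_ISSUERS else "unknown-issuer"

def audit(certs):
    """certs: list of (label, der). Returns (per-endpoint findings, unknown issuer DN -> certs seen)."""
    findings, by_issuer = [], {}
    for label, der in certs:
        info = parse_cert(der)
        info["label"], info["status"] = label, classify(info)
        findings.append(info)
        if info["status"] == "unknown-issuer":
            by_issuer[info["issuer"]] = by_issuer.get(info["issuer"], 0) + 1
    return findings, by_issuer

def fetch_cert(host, port, timeout=3.0):
    """Grab the leaf certificate a TLS-first endpoint (HTTPS, LDAPS, ...) presents, trusted or not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                     # this is inventory, not trust
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# --- constructed sample data (not real certificates): DER skeletons carrying a dummy signature ---
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def _encode_name(rdns):
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, _OID_BYTES[k]) + _tlv(0x0C, v.encode())))
                               for k, v in rdns))

def fake_cert(subject, issuer):
    """Unsigned certificate skeleton with the given subject/issuer; just enough for parse_cert."""
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")       # version v3, serial 1
                 + sig_alg + _encode_name(issuer)
                 + _tlv(0x30, _tlv(0x17, b"240101000000Z") * 2)                   # validity placeholder
                 + _encode_name(subject) + _tlv(0x30, b""))                       # SPKI placeholder
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))                        # dummy signature

def demo():  # audit a constructed set of scan results; returns what audit() returns
    corp_ca = [("CN", "Corp Issuing CA 1"), ("O", "Example Corp")]
    dev_ca = [("CN", "Dev Team CA")]                                              # the shadow CA
    sample = [("db01:5432", fake_cert([("CN", "db01.example.internal")], corp_ca)),
              ("rdp01:3389", fake_cert([("CN", "rdp01")], [("CN", "rdp01")])),
              ("app1:8443", fake_cert([("CN", "app1.example.internal")], dev_ca)),
              ("iot-gw:443", fake_cert([("CN", "iot-gw")], dev_ca))]
    return audit(sample)

if __name__ == "__main__":
    findings, candidates = demo()
    print(*(f"{f['label']:12} {f['status']:15} issuer={f['issuer']}" for f in findings), candidates, sep="\n")
```

Two caveats when turning this into a real inventory. First, matching on the issuer DN is only a first pass: a shadow CA can be created with the same DN as the approved one, so the stronger check is to verify each leaf chains to the approved CA's actual certificate (or compare its Authority Key Identifier against the approved CA's key) rather than comparing names. Second, `fetch_cert` only works for services that start TLS immediately; RDP, PostgreSQL, SQL Server and STARTTLS-style protocols exchange a protocol-specific preamble before the handshake, which is exactly the per-service plumbing the paragraph above is talking about.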
The biggest fear when running this scan is finding exactly what we hope not to find: a shadow IT certificate authority. If that happens, the services that depend on it have to be moved to a secure and compliant certificate authority. Moving them is only half the job: once those services have been reissued certificates from the approved CA, the shadow CA's private key should be destroyed and its certificate removed from any trust stores it was added to, otherwise it remains a valid issuer for anyone who gets hold of the key. If your organization already has a CA those teams can use, talk with the team leader, explain why it is important to use an approved CA, and then, I would recommend, write guides and share them across your organization so teams know how to use that CA and this does not happen again. If your organization does not have one and is not planning to create and manage one, I would recommend pointing the team to a cloud-based certificate authority such as EZCA, which takes care of the security and compliance of the CA so they can focus on running their services while the PKI experts at Keytos manage and protect your certificate authority.