Microsoft's Alternative to a Certificate Authority

Users cannot be trusted. For the most part they are lazy and choose convenience over safety: according to survey statistics, 21% write down the passwords for their work accounts on paper, and 50% use the same passwords for work and personal services.

The environment is hostile as well. 74% of organizations allow personal devices to be brought to work and connected to the corporate network. 94% of users cannot tell a genuine email from a phishing one, and 11% click on the attachments.

A corporate public key infrastructure (PKI) addresses these problems: it provides mail encryption and signing, certificate-based authentication, and lets digital certificates replace passwords. Such an infrastructure can be deployed on Windows Server. In Microsoft's own description, Active Directory Certificate Services (AD CS) is a server role that allows you to build a PKI in your organization and use public key cryptography, digital certificates, and digital signatures.

But Microsoft's solution is quite expensive.

Total Cost of Ownership for a Microsoft Private CA

Cost of ownership comparison between Microsoft CA and GlobalSign AEG.

In many situations it is more convenient and cheaper to build the same kind of private certificate authority but have it operated externally. This is exactly the problem the GlobalSign Auto Enrollment Gateway (AEG) solves. Several lines of expense disappear from the total cost of ownership (hardware purchase, support costs, staff training, and so on), and the savings can exceed 50% of the total cost of ownership.

What is AEG


Auto Enrollment Gateway (AEG) is a software service that acts as a gateway between SaaS GlobalSign certificate services and a Windows enterprise environment.

AEG integrates with Active Directory, allowing organizations to automate the registration, provisioning and management of GlobalSign digital certificates in a Windows environment. By replacing internal CAs with GlobalSign services, enterprises increase security and reduce the cost of managing a complex and expensive internal Microsoft CA.

GlobalSign's SaaS certificate services are presented as a more reliable option than weak, unmanaged certificates issued from your own infrastructure. Removing the need to run a resource-intensive internal CA reduces the total cost of ownership of the PKI, as well as the risk of outages.

Support for the SCEP and ACME protocols extends coverage beyond Windows, including automated certificate issuance for Linux servers, mobile devices, network devices, and other equipment, as well as Apple OS X (macOS) computers joined to Active Directory.

Enhanced security

Beyond saving money, outsourced PKI management is argued to improve security. As an Aberdeen Group study notes, certificates are increasingly targeted by attackers, who exploit well-known weaknesses such as untrusted self-signed certificates, weak cryptography, and cumbersome revocation mechanisms. Attackers have also mastered more sophisticated techniques, such as fraudulently obtaining certificates from trusted CAs and forging or stealing code-signing certificates.

"Most enterprises do not actively manage the risks associated with these attacks and are not ready to quickly respond to compromises," wrote Derek E. Brink, Vice President and IT Security Fellow at Aberdeen Group. "By enabling enterprises to place the operational aspects of certificate management in the hands of experts while maintaining corporate control over group policies in Active Directory, GlobalSign aims to secure the future growth of certificate use by addressing practical security and trust issues in an efficient, cost-effective deployment model."

How AEG works


A typical AEG system includes four key components to ensure that the correct certificates are sent to the correct access points:

  1. AEG software on Windows server.
  2. Active Directory servers or domain controllers that allow administrators to manage and store information about resources.
  3. Endpoints: users, devices, servers and workstations - virtually any entity that is a "consumer" of digital certificates.
  4. A GlobalSign Certification Authority, or GCC, which sits on top of a trusted certificate issuance and management platform. This is where certificates are generated.

Three of the four components shown are on-premises at the client, and the fourth is in the cloud.

First, the endpoints are pre-configured through Group Policy: which certificates they should request (for example, a user authentication certificate or an S/MIME certificate) and how to reach the AEG server. The connection to AEG is made over HTTPS.

The AEG server queries Active Directory via LDAP for the certificate templates that apply to these endpoints and sends the list to the clients together with the location of the CA. Having received these rules, the endpoints connect to the AEG server again, this time to request the actual certificates. AEG in turn builds an API call with the specified parameters and sends it to the GlobalSign Certification Authority (GCC) for processing.

Finally, the GCC back end processes the requests, usually within a few seconds, and sends an API response along with a certificate that will be installed on the endpoints upon request.

The whole process takes a few seconds and can be fully automated by configuring endpoints to automatically obtain certificates using group policies.
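The article describes the enrollment flow but not how an administrator verifies it on a client. The following PowerShell script is an added example, not part of the original article and not GlobalSign or Microsoft code. It checks the auto-enrollment setting that the "Certificate Services Client - Auto-Enrollment" Group Policy writes to the registry (the `AEPolicy` value), triggers an enrollment pass with `certutil -pulse`, and then lists the certificates in the user store that carry a certificate-template extension, flagging whether they were issued by the expected CA. The `$ExpectedIssuer` placeholder is an assumption and should be set to the actual issuing CA name.

```powershell
# Added example: verify Group Policy-driven certificate auto-enrollment on a
# domain-joined Windows endpoint and inspect what was issued. Not from the
# original article; $ExpectedIssuer is a placeholder assumption.
param(
    # Substring expected in the issuer DN of auto-enrolled certificates.
    [string]$ExpectedIssuer = 'GlobalSign'
)

# AEPolicy flags written by the auto-enrollment GPO:
#   0x1    enable auto-enrollment
#   0x2    renew expired, update pending, remove revoked certificates
#   0x4    update certificates that use certificate templates
#   0x8000 auto-enrollment explicitly disabled
function Get-AutoEnrollmentState {
    param([string]$Scope = 'HKLM')   # HKLM = computer policy, HKCU = user policy
    $key = "$($Scope):\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value) { return 'Not configured (no GPO applied)' }
    if ($value -band 0x8000) { return 'Disabled by policy' }
    $flags = @()
    if ($value -band 0x1) { $flags += 'enabled' }
    if ($value -band 0x2) { $flags += 'renew/update/remove-revoked' }
    if ($value -band 0x4) { $flags += 'update-templates' }
    return ('AEPolicy=0x{0:X}: {1}' -f $value, ($flags -join ', '))
}

'Computer policy: ' + (Get-AutoEnrollmentState -Scope HKLM)
'User policy:     ' + (Get-AutoEnrollmentState -Scope HKCU)

# Trigger an enrollment pass now instead of waiting for the next policy
# refresh; this is what the scheduled AutoEnrollment task does periodically.
certutil -pulse | Out-Null          # computer context
certutil -user -pulse | Out-Null    # user context

# Certificates issued against an AD template carry one of these extensions
# (Certificate Template Information v2 / Certificate Template Name v1).
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $tmpl = $cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    if ($null -eq $tmpl) { return }   # skip manually imported certificates
    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        Template = $tmpl.Format($false)
        NotAfter = $cert.NotAfter
        IssuerOK = ($cert.Issuer -like "*$ExpectedIssuer*")
        HasKey   = $cert.HasPrivateKey
    }
} | Format-Table -AutoSize
```

Run it in the context of a domain user on a workstation that has received the policy. A `Not configured` result for the user scope means the GPO described above has not reached this user, and any certificate with `IssuerOK` equal to `False` was issued by a CA other than the one you expect and deserves a closer look.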

AEG Unique Features

  • Enrollment can also be driven through an MDM platform.
  • Developed by former members of the Microsoft crypto team.
  • Agentless: no client software needs to be installed on endpoints.
  • Simplified deployment and certificate lifecycle management.

Architecture examples

Thus, outsourcing PKI management through the GlobalSign AEG gateway is presented as a way to increase security, save money, and reduce risk. Further benefits are easy scalability and better performance: a properly managed PKI keeps uptime high, avoids disruption to critical operations caused by expired or invalid certificates, and gives employees secure remote access to company networks.

AEG supports a wide range of use cases that require certificate-based two-factor authentication, from remote clients accessing the network via VPN and Wi-Fi to privileged access to highly sensitive resources via smart cards.

GlobalSign is a global leader in providing cloud and networked PKI solutions for identity and access management. For more product information, please contact our managers.

Source: habr.com
