
Entrust IdentityGuard Cloud Services

Discovery
Common Certificate Management Problems
o Application outages due to
certificate expiries
o Compliance Concerns?
o Complexity of Certificate
Management
o Non-recoverable
encryption of corporate
data!
The Solution! Entrust Discovery…
o Scan network for certificates
o Load known certificates
o Manage certificates with
o Email expiry notifications
o Custom data per certificate
o Reporting
o System notices
o Policy violations
o Certificate path validation
o Facilitate replacement
of non-compliant certificates
o Single dashboard of certificates for entire enterprise
Discovery – Overview
Certificate types by collection method:
o Server certificates (SSL servers): found by the Agent (network scanner)
o Miscellaneous certificates (code-signing, other, e.g. cold backups): loaded by Manual import
o User certificates (laptop and desktop MS CAPI stores): collected by the MS CAPI Scanner
o All certificate types (MS CA or any CA): imported through the API
Cloud Model vs. Enterprise Model
Both models feed the same Entrust Discovery Manager and share the core features: email expiry notifications, policy violations/alerts, custom data tracking per certificate, raw certificate viewing, certificate path validation and reporting.
• Cloud Model: immediate deployment in a secure environment; automatic Manager updates; support included
• Enterprise Model: runs on customer premises; complete control over data; control of the application version
Helping You Manage Your Business!
Management Dashboard
Dashboard views: data by Certificate Authority; saved and ad-hoc searches; certificate details, down to the raw certificate.
o View summary metrics, policy violations and notices
o Drill to a list of certificates
o Search for any criteria
o Drill to a specific certificate, even launch the raw certificate
Prevent Unexpected Certificate Expiry
• Multi-level notifications, redundant in both timing and recipient
• Certificate Owner receives "Info" and "Warning" emails
• System Admin receives the "Alert" email, and the others too if no certificate owner is identified
• Info, Warning and Alert thresholds are each a configurable number of days before expiry
• Notifications are grouped into one email per user
• Notification information includes the hostnames the certificate was found on
• Report view is customizable
Ensure Your Security Policy is Enforced!
o Flag saved filters as policies
o Receive email notification
and home page alerts
when policies violated
o Examples:
o 1024 bit keys
o SHA1 signed certificates
o Non-compliant vendors
o Wildcard certificates
o Certificate copies
Improved Management with Custom Data
o Track custom searchable fields for every certificate!
o Add as many as needed, of several types (text, date, Y/N, number, picklist, email)
Empower Workgroups to Manage Certificates
o Create organizations (workgroups)
o Assign users to Organizations
o Users can then only see and/or act on
o Certificates assigned to their organizations, or
o Unassigned certificates
Streamline Cert Management with Rules
o Configurable workflow rules allow the system to do the work for you: rules run in the Entrust Discovery Manager on certificates arriving from the Agent, Manual import, the API and the MS CAPI Scanner
o 3 types of rules
o Issuer Rules: if CA = X, then auto-manage the certificate
o Notice Rules: if a notice says X, then replace the certificate, manage the certificate, clear the notice, ...
o Certificate Rules: if the certificate contains X, then manage the certificate, set its organization, set a custom field, ...
Streamline Cert Management with Rules
o Use ISSUER RULES to auto-manage certificates by CA!
o Determine desired management status based on the Issuer (CA)
o Decide which link to present for certificate renewal on a per-private-CA basis
Streamline Cert Management with Rules
o Use NOTICE RULES to auto-manage system notices!
o Automate notice actions
o Unmanage certificates no longer in use
o Replace updated certificates, etc
o Manage newly found certificates
Streamline Cert Management with Rules
o Use CERTIFICATE RULES to auto-populate certificate
custom fields!
o Update custom fields based on data from/about the certificate
Report on All Certificates for Compliance
o Email reports
o Expiring certificates
o All owned certificates
o Policy violations
o System notices
o Admin report
o On screen
summary reports
o Data export
o Reporting API
o Charts (v2.3)
Quick Setup and Evaluation!
o Obtain free evaluation license from Entrust
o Installation of all components up and running in 10
minutes (see video)
o DISCOVER how to sleep well at night!
Competitors – 2 Camps
[Figure: competitor landscape. Axes: installation effort, from "I want to auto-install" to "Tell us where the problems are"; functionality, from Discovery through Monitoring to Renewal; cost, from high $$$ to low $.]
What Differentiates Entrust?
Capabilities compared (Entrust vs. Venafi, Sym, CIC and other):
o Locally deployed scanner
o Both Cloud and Premises data store
o SSL certs AND other certificate types
o Easy to deploy
o Rules engine
o Comprehensive reporting
o Inexpensive
o Deploys certificates to end points
o Mobile app
Why You Should Discover!
o Reduced risk of outages: who gets the call at 1 a.m. when an outage occurs?
o Facilitate compliance: could you provide an accurate certificate inventory when needed?
o Reduced risk of data breach: are you sure ALL your crypto is strong enough?
o Cost savings by single sourcing: are you consolidating certificate vendors due to acquisitions?
o Ease of management: are you currently managing your certificates manually?
Certificate States
Unlicensed States
•Discovered - Any certificate brought into Discovery, without a decision
being taken on it
•Ignored – Any certificate that you wish to ignore

Licensed States
•Registered – no email notifications (likely state for user S/MIME certificates)
•Monitored – With email notifications (likely state for SSL or server
certificates)
Cloud vs. Premises
o Cloud and Premises versions are the same, except:
o Authentication: Cloud – single sign-on from Cloud Services; Premises – UserID/password or leverage AD integration
o Certificate renewal integration to SSL: Cloud – Yes; Premises – No
What Will Discovery Be Able to Manage?
Discovery Agent
o Will find: server certificates
o from any vendor
o on internally or externally facing servers
o publicly or privately trusted
o of any validation level (DV/OV/EV)
o of any type (Wildcard/UCC/Multi-SAN)
o protecting any IP/port combination reachable from the Agent, including SMTP certificates and SSL VPN gateway certificates
o Won't find: server certificates
o on closed ports, such as cold backup devices (use Manual Import)
o outside the searched network segment (set up another Agent!)
o SSH "certificates": SSH can use end-user certificates for authentication, but an SSH server presents no X.509 certificate of its own that can be discovered by probing the port
Discovery CAPI Scanner
o Will find: Windows user/device certificates
o any user/device certificate stored in Microsoft CAPI
o any certificate store in CAPI
o Won't find: certificates stored in
o files (Entrust EPF)
o Apple Keychain (the Apple user/device certificate store)
o mobile devices
o hardware devices (tokens, smart cards, HSMs, etc.)
Discovery Manual Import
o Can import any known certificate
o any certificate file or PEM-formatted text block
o individually or in bulk as a .zip file
o good for code-signing or specialty certificates
Discovery API Import
o Can import any known certificate
o known CAs only
o customer must write the connection code to the API
Configure Your View
o Create Global and Personal views to
determine
o which fields you want to show/hide
o the order the fields appear in (v2.3)
o Save multiple views
o Leverage Global views in
notification reports! (v2.3)
o Combine with a filter to get specific data in a specific view, e.g. SSL certs with the SANs column shown
Discovery Roles and Users
Discovery Manager - Technical
o Ports:
o Inbound ports to open: 27535
o Web service inbound from Agent uses: 27535
o Running Location
o within customer premises (Enterprise model) or
o Entrust premises (Service/SaaS model)
o O/S Support (Enterprise model, for SaaS not relevant)
o Linux RH 5.5
o Windows XP, 7, Server 2003, Server 2008 (32 and 64-bit)
o VMware supported, i.e. no dedicated hardware required
o Embedded database (Java Derby), no database knowledge required of the customer
o Backup files only
o Network impact: minimal
Discovery Agent Scanning Technology
• Leverages licensed open-source NMAP.org software
• NMAP is an award-winning utility for network exploration
• NMAP has many capabilities; however, the Entrust Discovery Agent implements only NMAP command-line port scanning. It does not use NMAP O/S detection, service detection, application version detection, the NMAP Scripting Engine, firewall detection, sweeps or NMAP's other abilities; the query it issues carries none of the corresponding options (-O, -sV, -sC/--script).
• Entrust's NMAP query: nmap -T normal -PN ("assume host is alive") -p <ports> (e.g. -p 443) -iL <filename>
• NMAP syntax note: the port list is given with lowercase -p (uppercase -P selects a host-discovery probe type such as -PS or -PE, so "-P443" is not a port specification); -PN is the older spelling of -Pn, which skips host discovery; -iL reads the target list from a file.
Find Unknown or Rogue Certificates
o Scan your network
o Hourly, daily, weekly,
monthly schedule or ad-hoc
o Run scans during specific hours
o Submit partial scans
o Run multiple scans
simultaneously
o Prioritize scans
o Fine tune scans
o Scan rate
o Host ranges/lists
o Port ranges
o Scan previously found hosts only
o Randomize hosts in scans
Scanning Best Practices
o Run multiple, tailored scans
o Infrequent (monthly/quarterly) system-wide scan at normal
speed
o Frequent (Daily/Weekly) scan of previously found sites with
certs
o Break scans into smaller chunks
o Prioritize scans!
o Randomize scans if necessary
Monitor Agent Health from Manager!
o Launch and configure Agent(s) from Manager
o View certificate load of each Agent
o Review health status of each Agent
o Manual - Only connects via manual upload and cannot determine health
o Automatic OK - Has connected in last 24 hours
o Automatic Unknown - Has previously connected but not in last 24 hours
o Upgrade - Agent version out of date and requires upgrade
Discovery Agent - Technical
o Ports: Inbound ports to open: 27534
o Running location: within customer premises
o OS Support
o Linux RH 5.5
o Windows XP, 7, Server 2003, Server 2008 (32 and 64-bit)
o VMware supported, i.e. no dedicated hardware required
o Network impact: Minimal
o Protocols
o Agent uses SSL handshake to determine if port is protected and
then collects data about the certificate
o Optional SOAP based web service to transfer data from multiple
Agents to Manager
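The following is an added example, not Entrust's code and not part of the original deck, showing in Go what the Agent step just described and the policy and notification slides earlier amount to in practice: a TLS handshake against a port to retrieve the server's leaf certificate, the deck's example policies (1024-bit keys, SHA-1 signatures, wildcard certificates) evaluated on it, and the configurable Info/Warning/Alert expiry levels. To run offline it serves a deliberately weak self-signed certificate on its own loopback listener; that certificate, the name *.corp.example and the day thresholds are constructed test data and assumptions. Against a real host you would call GrabLeaf("host:443") directly.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Thresholds: configurable days-before-expiry at which Info, Warning and Alert fire.
type Thresholds struct{ Info, Warning, Alert int }

// ExpiryLevel maps notAfter (as seen at time now) to "", "info", "warning", "alert" or "expired".
func ExpiryLevel(notAfter, now time.Time, t Thresholds) string {
	days := int(notAfter.Sub(now).Hours() / 24)
	switch {
	case days < 0:
		return "expired"
	case days <= t.Alert:
		return "alert"
	case days <= t.Warning:
		return "warning"
	case days <= t.Info:
		return "info"
	}
	return ""
}

// PolicyViolations applies the deck's example policies: RSA < 2048 bits, SHA-1 signature, wildcard CN/SAN.
func PolicyViolations(c *x509.Certificate) []string {
	var v []string
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		v = append(v, fmt.Sprintf("rsa-%d", pub.N.BitLen()))
	}
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		v = append(v, "sha1-signature")
	}
	for _, name := range append([]string{c.Subject.CommonName}, c.DNSNames...) {
		if strings.HasPrefix(name, "*.") {
			v = append(v, "wildcard:"+name)
			break
		}
	}
	return v
}

// GrabLeaf is the scanner step: connect to host:port, complete a TLS handshake, return the leaf.
// Chain verification is skipped on purpose: this is inventory, not trust; untrusted certs must be recorded.
func GrabLeaf(addr string) (*x509.Certificate, error) {
	c, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, fmt.Errorf("%s: not TLS or handshake failed: %w", addr, err)
	}
	defer c.Close()
	return c.ConnectionState().PeerCertificates[0], nil
}

// ScanLoopback serves constructed test data (self-signed, deliberately weak 1024-bit RSA key, wildcard
// name, expiring in `days` days) on a loopback TLS listener, scans it as the Agent would, and reports.
func ScanLoopback(days int, t Thresholds) (string, []string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "*.corp.example"},
		DNSNames:     []string{"*.corp.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	defer ln.Close()
	go func() { // answer one handshake, then hang up
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	leaf, err := GrabLeaf(ln.Addr().String())
	if err != nil {
		return "", nil, err
	}
	return ExpiryLevel(leaf.NotAfter, time.Now(), t), PolicyViolations(leaf), nil
}
```

With thresholds of 60/30/14 days and a test certificate expiring in 10 days, ScanLoopback returns the "alert" level and the violations rsa-1024 and wildcard:*.corp.example; the SHA-1 check stays silent because Go signs with SHA-256 by default. Note that the scanner deliberately does not validate the chain: a collector that refused untrusted or expired certificates would miss exactly the certificates Discovery exists to find, and path validation belongs to a separate step, as the deck lists it.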
Manage Undiscoverable Certificates
o Track cold backup certificates or undiscoverable certificates…
o Import one to many certificates manually
o Automatically managed!
Why Manage Certs in MS CAPI?
o Prevent non-recoverable encryption of corporate data!
o Employee encrypts with a free certificate that is not backed up?
o Ensure only compliant encryption is present!
o Prevent expiry of machine/device certificates
o Network failure due to unexpected expiry of machine certificates
o Evaluate encryption against policy
o Are employees buying their own certificates when organization provides an
efficient means already?
o Are employees using encryption to bypass organizational controls like DLP (Data
Loss Prevention)?
How to Inventory Certs in MS CAPI
o Use the new CAPI Scanner to inventory user and device certificates stored in MS CAPI
• Host the .exe on a read-only fileshare
• Run it as a login script or system startup script
• Query for user or device certificates
• Query any certificate store
o Data flow: the scanner writes XML file(s) to the fileshare; the Agent monitors the fileshare and exports the data to the Manager
Avoid Outages & Non-compliant Encryption!
o Use new CAPI Scanner to inventory user and device
certificates stored in MS CAPI
o Setup policies to monitor for non-compliant vendors and
expiring certificates
Discovery CAPI Scanner - Technical
o 1 MB .exe placed on fileshare within customer
environment
o Must be accessible from client machines
o Optionally push executable onto some remote machines if they
don’t have access to fileshare
o You configure…
o Execution schedule
o Output location
o Scan the User/Machine store
o Output is XML file (one per user, one per machine)
o Can be imported to Manager individually
o Agent monitors the fileshare and exports data to Manager
Import Certs from Another Known CA
o Leverage existing systems to populate
Discovery, and tag them to a desired
management state
o Good for:
o MS PKI or any PKI or any certificate store
o Update existing records programmatically (v2.3)
o Query Discovery for reporting
