PKI – Top 5 Leading Airline Webpages

Case Study

Top 5 airline - Improves Security and Accelerates Business

Accutive Security – Center of excellence services for enterprise key and certificate lifecycle management and machine identities to protect and automate PKI & CLM

Business Profile

This leading airline company operates a wide range of flights, including both domestic and international, offering a comprehensive air transportation service. With operations spread across the globe, and the critical nature of air travel, the airline maintains a top-notch security team dedicated to safeguarding its digital and physical assets.

Executive Summary

Industry: Airlines

IT Environment: Multiple data centers secure 8,500+ employees, customer portals, and various partner access.

Business Challenges

Secure SSL/TLS certificates for web services
Attain visibility and compliance, certificate location tagging, and security
Reduce risk and avoid trust-based attacks
Quick Discovery & Implementation
Detailed inventory of keys and certificates
Enabled prioritization workflows

IT Environment

Currently, the airline’s network supports over 10,000 employees, including 8,000 mobile users. The network also ensures secure access for alliance partners and customer web portals facilitating ticketing and payment services. Given its vast geographical presence, the airline operates multiple data centers worldwide. The security team leverages Public Key Infrastructure (PKI) to support these projects and services and secure the company’s operations globally.

Business Challenge

The airline’s security team was planning to rely more heavily on PKI to secure their web services, with upcoming projects like multifactor authentication (MFA) based on certificates. They also intended to use PKI to secure VPN access and mobile devices.

The idea of increasing their dependence on keys and certificates without transparency and protection for these assets was a major concern. The team was manually managing about 75 digital certificates, but they were aware that many more keys and certificates had been issued in their infrastructure. What they lacked was information about each certificate’s location, who had signed it, and the strength of the cryptography used.

The Senior IT Risk Management Analyst articulated, “It dawned on us that the manual administration of thousands of keys and certificates was impractical. We understood the necessity of an enhanced approach to ascertain their appropriate configuration and adherence to our security policy. Absent the ability to supervise keys and certificates, we were vulnerable to an immense degree of unregulated risk.”—this last sentence doesn’t make sense—not sure what it’s supposed to say

The team also came to realize the importance of bolstering their security measures for keys and certificates, especially in light of the increasing frequency of trust-based attacks. The senior analyst elucidated, “In the rapidly evolving landscape of cybersecurity, strategies that were deemed secure a few years ago are no longer robust enough to withstand current threats.” Drawing on a famous quote from a noted cybersecurity conference, he added, “As Bruce Schneier wisely said at the RSA Conference in 2019, ‘Security is a process, not a state or product. It is a journey and not a destination.’ This underscores our need to continually adapt and upgrade our security protocols to stay ahead of potential threats.”

Solution: Machine Identity Management & PKI

While wrestling with these complications, some team members attended a Gartner conference, and a technology partner eventually introduced them to Accutive Security, a professional services and consulting firm known for their expertise with some of the top vendors in the cybersecurity space. Intrigued by Accutive Security’s reputation and partnerships, they looked into their services and promptly perceived the value of their proficiency in key and certificate protection. Consequently, the company engaged Accutive Security for a comprehensive suite of services, securing keys and certificates for SSL/TLS, SSH, and mobile devices. Do we want to say “Our” instead of “Accutive Security” in this paragraph?

“Keys and certificates hold a unique position; they are simultaneously low-risk and vitally significant ‘crown jewels.’ One of the outstanding benefits of Accutive Security is their capacity to utilize scan results for clear scoping, identifying crucial points. They were adept at expeditiously and precisely indicating the risk level, leading us to the discovery of around 430 high-risk certificates,” expressed the Senior IT Risk Management Analyst at the airline company.

The senior analyst lauded, “Accutive Security made a compelling case for themselves. Their caliber of work was commendable, and the expertise and passion for security exhibited by the Accutive Security team were truly noteworthy.”

Solution Business Impact

Immediate Results

The team began to research and gather more detailed information about the solutions and services provided by Accutive Security. It didn’t take them long to see the significant value that Accutive Security’s key and certificate protection services and expertise in auth + crypto could bring to their organization. The more they understood, the clearer it became that these services were exactly what they needed to enhance their security infrastructure.

Prompted by these insights, the corporation made a tactical move: they capitalized on Accutive Security, designating it as their go-to Center of Excellence for Certificate Lifecycle Management (CLM) and machine identities. Delving into their experience, the airline’s Senior IT Risk Management Analyst remarked, “Keys and certificates encapsulate a peculiar range of risk degrees – they can be relatively benign, yet they could embody the most treasured assets in our digital landscape.” With impressive speed and specificity, Accutive Security managed to reveal the risk profile associated with the digital certificates

“Their evident dedication to fortifying our organization’s security instilled in us a profound trust in their solutions. Armed with the findings from Accutive Security’s assessment, our security team’s perspective was drastically transformed. Instead of manually handling 67 certificates, we uncovered an astonishing number of over 3000 keys and certificates within our network.”

Reduced Risk

With Accutive Security’s services and solution for key and certificate discovery, the security team achieved a comprehensive inventory and could prioritize the risks related to each asset. The airline’s security team rapidly secured their most vital keys and certificates, and now with Accutive Security, they can align their security measures with the risk level and value of the asset.

“By securing our keys and certificates while using Accutive Security services, PKI has transformed from being a burdensome, elusive, black-box environment to serving as a tool at the forefront of our security. Accutive Security's services empowered our business from the first day."

-- Senior IT Risk Management

Analyst, Airline Company

Quick Remediation

When certificate issues happen now, the company uses Accutive Security as a center of excellence for products and services and can quickly discover additional vulnerabilities beyond those discovered by their vulnerability scanners. Quick Remediation

“We utilize multiple vulnerability scanners, but they serve a general purpose and might not detect specific key and certificate vulnerabilities,” noted the senior analyst.

“Due to its specialized nature, the Accutive Security platform helped us pinpoint vulnerabilities unique to keys and certificates that went unnoticed by our other tools.”

Protection against Trust-based Attacks

The Accutive Security team helped the PKI solution become essential to the airline’s security ecosystem, shielding the company against trust-based attacks. The security team now employs the Accutive Security partner platform to ensure high-risk systems are protected using robust cryptography. They also use Accutive Security to validate that the certificates on each system are those initially issued. Certificate mismatches serve as a strong signal that the system may have been compromised, for instance, via a manin-the-middle (MITM) attack. Any discrepancies are flagged, and the PKI team can swiftly respond using Accutive Security.

Empowering the Business

Utilizing the services provided by Accutive Security, the security team has pinpointed the SSL/TLS certificates posing high risks, allowing them to focus their resources effectively for maximum impact. Additionally, they have leveraged Accutive Security’s expertise to protect their mobile certificates. In today’s business landscape, multiple certificates per user have become a necessity, a surge that would be unsustainable through manual methods. Yet, with Accutive Security’s support, the security team has been able to expand its use of keys and certificates both efficiently and securely.

Next Steps

Thus far, the airline has put a spotlight on safeguarding its most vital SSL/TLS keys and certificates. In the near future, an inventory and protection of all 1,000 SSL/TLS certificates and 8,000 mobile certificates is in the cards. The upcoming goal is to secure all SSH keys.

There are also plans in the pipeline for the security team to leverage the comprehensive API driver integration provided by Accutive Security, aiming to ease integration with other security appliances. Their ultimate goal is to incorporate the intelligence gleaned from Accutive Security into their overarching security dashboard and to equip their operations center with these security metrics. This would ensure that in the event of a sensitive occurrence, data would be relayed and escalated within the operations center, thus enabling more streamlined remediation processes.

In the words of the senior analyst, “The Accutive Security team is made up of committed, responsive, and goal-oriented professionals. The positivity and efficacy of our partnership can’t be overstated. Their solution does exactly what it says on the tin, and it does it excellently. No ifs, ands, or buts about it.”

The senior analyst further explained, “We’ve successfully automated the issuance of certificates for our mobile devices, unlocking an array of new capabilities by enabling these mobile devices to interact with other devices.”