SCEPman Review
SCEPman is a low-cost, high-risk, cloud-only platform solution to certificate deployment within the limited scope of a Microsoft Azure Mobile Device Management solution.
SCEPman cannot be confident in the Digital Identity certificates it is signing. There is very little value provided by the SCEPman service regarding security, policy, or management of the Digital Identity certificates generated by the SCEPman system. The SCEPman service is heavily dependent on Microsoft Azure and on many additional Microsoft Azure infrastructure-as-a-service subscriptions. This means its cost structure can be deceiving.
SCEPman has limited ability to manage or revoke compromised certificates. The inability to ensure revocation of compromised certificates, and the inability to be sure of the devices to which a SCEPman certificate is issued, present significant risk to client networks and also nullify or reduce the effectiveness of other controls on those networks.
SCEPman makes no assertion with regards to the security of its software or its deployment in Azure. SCEPman relies solely on the security afforded by the Microsoft Azure services it depends on. Reliance on the controls of the hosting services, no matter how strong they are, is the equivalent of taking a virtualisation platform and assuming that any software from any source placed on that virtual platform is as secure as the platform itself. From a security perspective, this is an assumption that invites compromise.
SCEPman does not contribute to a public key infrastructure deployment and isolates the keys it 'accesses' from the rest of an organization's security infrastructure. SCEPman documentation alludes to the ability to 're-use' your SCEPman-generated Certificate Authority certificate for other purposes, but Cogito would suggest that there are very limited cases where it is safe to do this. Granting additional permissions to any user or system on the basis of a SCEPman-generated certificate presents a large risk to those relying systems and services.
SCEPman's main benefit is its price. Given the availability of Active Directory Certificate Services, which is bundled with the Windows Server operating system and supports Intune, Cogito fails to see where SCEPman makes a good price argument, given that the alternative can be configured in a secure manner.
Other places where SCEPman might find customers are where an installation is small enough that positive control of certificates can be tracked manually, or where there is no perceived need to track or manage credentials securing access to services such as Wi-Fi network access points. Other possible use cases include where confidence in the holders of digital identity certificates is not desirable, where incident management is not of concern, or where a security system does not require auditing or any real security controls.
SCEPman is a product intended for home lab or low-security Wi-Fi configuration environments. SCEPman's use for securing a corporate or Government Wi-Fi connection is not recommended. SCEPman describes the product as suitable for uses such as a secure VPN; however, given the limited ability to configure SCEPman to automatically deploy certificates to a firewall appliance, and acknowledging all the security limitations of the system, this seems impractical and irresponsible.
SCEPman Cost Breakdown
All deployments assume deployment in Southeastern Australia datacentres. Please note there are no New Zealand datacentres advertised. If data sovereignty is a concern, offshore cryptographic material storage and access must be included in the security profile and risk management plan.
All prices are in NZD, and currency conversions were calculated on 09/05/2024. Prices will vary.
The service specifications referenced below should be considered the minimum recommended by SCEPman in their Azure Sizing documentation. SCEPman provides a disclaimer that for large-volume enrolments (such as certificate renewal windows, and fleet upgrade and provisioning) the minimum recommended specs will be insufficient to maintain service stability:
“Please do not assign SCEP profiles to a large number of users/devices at once, since this may result in a request-peak at your SCEPman instances.”
SCEPman provides an “Azure Cost Prognosis” to break down the estimated cost of the service: “you should expect an additional 5% to 25% on top of the App Service Plan”.
After reviewing the numbers and running a lab scale deployment, the true estimate is 25% to 50%.
Small deployment
5,000 certificates

Standard deployment (not security focused)
20,000 certificates

Security Focused deployment (security focused)
20,000 certificates

Recommendations
Cogito have the following recommendations with regards to SCEPman:
- SCEPman is a low-cost, high-risk, cloud-only platform solution to certificate deployment within the limited scope of a Microsoft Azure Mobile Device Management solution.
- SCEPman cannot be confident in the Digital Identity certificates it is signing. There is very little value provided by the SCEPman service regarding security, policy, or management of the Digital Identity certificates generated by the SCEPman system. The SCEPman service is heavily dependent on Microsoft Azure and on many additional Microsoft Azure infrastructure-as-a-service subscriptions. This means its cost structure can be deceiving.
- SCEPman has limited ability to manage or revoke compromised certificates. The inability to ensure revocation of compromised certificates, and the inability to be sure of the devices to which a SCEPman certificate is issued, present significant risk to client networks and also nullify or reduce the effectiveness of other controls on those networks.
- SCEPman makes no assertion with regards to the security of its software or its deployment in Azure. SCEPman relies solely on the security afforded by the Microsoft Azure services it depends on. Reliance on the controls of the hosting services, no matter how strong they are, is the equivalent of taking a virtualisation platform and assuming that any software from any source placed on that virtual platform is as secure as the platform itself. From a security perspective, this is an assumption that invites compromise.
- SCEPman does not contribute to a public key infrastructure deployment and isolates the keys it ‘accesses’ from the rest of an organization’s security infrastructure. SCEPman documentation alludes to the ability to ‘re-use’ your SCEPman-generated Certificate Authority certificate for other purposes, but Cogito would suggest that there are very limited cases where it is safe to do this. Granting additional permissions to any user or system on the basis of a SCEPman-generated certificate presents a large risk to those relying systems and services.
- SCEPman’s main benefit is its price. Given the availability of Active Directory Certificate Services, which is bundled with the Windows Server operating system and supports Intune, Cogito fails to see where SCEPman makes a good price argument, given that the alternative can be configured in a secure manner.
- Other places where SCEPman might find customers are where an installation is small enough that positive control of certificates can be tracked manually, or where there is no perceived need to track or manage credentials securing access to services such as Wi-Fi network access points. Other possible use cases include where confidence in the holders of digital identity certificates is not desirable, where incident management is not of concern, or where a security system does not require auditing or any real security controls.
- SCEPman is a product intended for home lab or low-security Wi-Fi configuration environments. SCEPman’s use for securing a corporate or Government Wi-Fi connection is not recommended. SCEPman describes the product as suitable for uses such as a secure VPN; however, given the limited ability to configure SCEPman to automatically deploy certificates to a firewall appliance, and acknowledging all the security limitations of the system, this seems impractical and irresponsible.