Poor Management of Security Certificates and Keys Leads to Preventable Outages
Digital security certificates have become a vital part of online communications. Combining cryptography with a standardized format, they have grown from simple assertions of identity to full authentication methods. But as important as they have become, security certificates remain fallible.
More Certificates, More Problems
According to a Venafi study, 79 percent of respondents suffered at least one certificate-related outage in 2016. Additionally, 38 percent suffered more than six, and 4 percent experienced 100 or more such outages last year. Unfortunately, response time is no better: 64 percent of respondents said that they were unable respond to a certificate-related security event in six hours or less.
All of this is exacerbated by the rise in the number of certificates that organizations use in their normal operations. This may be due to the increased number of devices that use corporate networks to connect to the internet. The more devices an organization has attached to its networks, the more certificates it will use.
Off Key With Certificate Management
When Venafi looked at the practices of some organizations, it was surprised to find that the average enterprise had over 16,500 unknown keys. That does not include the certificates or keys that were known to the organization — just the ones it did not realize it was responsible for.
The Venafi study also revealed that the vast majority of companies do not have control over their key and certificate inventory. Furthermore, these organizations do not use automation for the certificate renewal process. According to the study, this may be because two-thirds of companies have no existing centralized record of when their certificates will expire.
Even if a company does establish a central record of certificates, the study found that two-thirds of them use the visibility and security tools of the issuing certificate authority (CA). These tools are limited to certificates that have been issued by that CA, and there is no independent reliability check available to verify their efficacy.
The Scope of Security Certificate Struggles
Despite these concerns, Venafi vice president of security strategy Kevin Bocek remains hopeful. “The good news is that certificate-related outages are completely preventable, but you need to understand the scale and the scope of the problem,” he said in a press release.
The scope of the problem is at once simple and complex. Protecting a certificate from operational outage is simply a matter of ensuring that the certificate is valid and that it will be renewed before it expires. But it is difficult to know what certificates are in use inside an organization. These certificates can extend from the data center to the cloud and all the way to the Internet of Things (IoT) on the edge of networks. The scale of such a task calls for an automated process to discover, issue and remediate all the keys and certificates used by a business.
Certificates can fail for very simple reasons. It is up to security teams to come up with methods to make sure those preventable reasons are avoided.