Poor Management of Security Certificates and Keys Leads to Preventable Outages

Digital security certificates have become a vital part of online communications. Combining cryptography with a standardized format, they have grown from simple assertions of identity to full authentication methods. But as important as they have become, security certificates remain fallible.

More Certificates, More Problems

According to a Venafi study, 79 percent of respondents suffered at least one certificate-related outage in 2016. Additionally, 38 percent suffered more than six, and 4 percent experienced 100 or more such outages last year. Unfortunately, response time is no better: 64 percent of respondents said that they were unable respond to a certificate-related security event in six hours or less.

All of this is exacerbated by the rise in the number of certificates that organizations use in their normal operations. This may be due to the increased number of devices that use corporate networks to connect to the internet. The more devices an organization has attached to its networks, the more certificates it will use.

Off Key With Certificate Management

When Venafi looked at the practices of some organizations, it was surprised to find that the average enterprise had over 16,500 unknown keys. That does not include the certificates or keys that were known to the organization — just the ones it did not realize it was responsible for.

The Venafi study also revealed that the vast majority of companies do not have control over their key and certificate inventory. Furthermore, these organizations do not use automation for the certificate renewal process. According to the study, this may be because two-thirds of companies have no existing centralized record of when their certificates will expire.

Even if a company does establish a central record of certificates, the study found that two-thirds of them use the visibility and security tools of the issuing certificate authority (CA). These tools are limited to certificates that have been issued by that CA, and there is no independent reliability check available to verify their efficacy.

The Scope of Security Certificate Struggles

Despite these concerns, Venafi vice president of security strategy Kevin Bocek remains hopeful. “The good news is that certificate-related outages are completely preventable, but you need to understand the scale and the scope of the problem,” he said in a press release.

The scope of the problem is at once simple and complex. Protecting a certificate from operational outage is simply a matter of ensuring that the certificate is valid and that it will be renewed before it expires. But it is difficult to know what certificates are in use inside an organization. These certificates can extend from the data center to the cloud and all the way to the Internet of Things (IoT) on the edge of networks. The scale of such a task calls for an automated process to discover, issue and remediate all the keys and certificates used by a business.

Certificates can fail for very simple reasons. It is up to security teams to come up with methods to make sure those preventable reasons are avoided.

 

Share this Article:
Larry Loeb

Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He wrote for IBM's DeveloperWorks site for seven years and has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange.