Digital security certificates have become a vital part of online communications. Combining cryptography with a standardized format, they have grown from simple assertions of identity to full authentication methods. But as important as they have become, security certificates remain fallible.

More Certificates, More Problems

According to a Venafi study, 79 percent of respondents suffered at least one certificate-related outage in 2016. Additionally, 38 percent suffered more than six, and 4 percent experienced 100 or more such outages last year. Unfortunately, response time is no better: 64 percent of respondents said that they were unable respond to a certificate-related security event in six hours or less.

All of this is exacerbated by the rise in the number of certificates that organizations use in their normal operations. This may be due to the increased number of devices that use corporate networks to connect to the internet. The more devices an organization has attached to its networks, the more certificates it will use.

Off Key With Certificate Management

When Venafi looked at the practices of some organizations, it was surprised to find that the average enterprise had over 16,500 unknown keys. That does not include the certificates or keys that were known to the organization — just the ones it did not realize it was responsible for.

The Venafi study also revealed that the vast majority of companies do not have control over their key and certificate inventory. Furthermore, these organizations do not use automation for the certificate renewal process. According to the study, this may be because two-thirds of companies have no existing centralized record of when their certificates will expire.

Even if a company does establish a central record of certificates, the study found that two-thirds of them use the visibility and security tools of the issuing certificate authority (CA). These tools are limited to certificates that have been issued by that CA, and there is no independent reliability check available to verify their efficacy.

The Scope of Security Certificate Struggles

Despite these concerns, Venafi vice president of security strategy Kevin Bocek remains hopeful. “The good news is that certificate-related outages are completely preventable, but you need to understand the scale and the scope of the problem,” he said in a press release.

The scope of the problem is at once simple and complex. Protecting a certificate from operational outage is simply a matter of ensuring that the certificate is valid and that it will be renewed before it expires. But it is difficult to know what certificates are in use inside an organization. These certificates can extend from the data center to the cloud and all the way to the Internet of Things (IoT) on the edge of networks. The scale of such a task calls for an automated process to discover, issue and remediate all the keys and certificates used by a business.

Certificates can fail for very simple reasons. It is up to security teams to come up with methods to make sure those preventable reasons are avoided.

 

More from Risk Management

Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…

Defensive Driving: The Need for EV Cybersecurity Roadmaps

As the U.S. looks to bolster electric vehicle (EV) adoption, a new challenge is on the horizon: cybersecurity. Given the interconnected nature of these vehicles and their reliance on local power grids, they’re not just an alternative option for getting from Point A to Point B. They also offer a new path for network compromise that could put drivers, companies and infrastructure at risk. To help address this issue, the Office of the National Cyber Director (ONCD) recently hosted a…

Too Much Caffeine? Phishing-as-a-Service Makes Us Jittery

Recently, investigators at Mandiant discovered a new software platform with an intuitive interface. The service has tools to orchestrate and automate core campaign elements. Some of the platform’s features enable self-service customization and campaign tracking. Sounds like a typical Software-as-a-Service (SaaS) operation, right? Well, this time, it’s Caffeine, the latest Phishing-as-a-Service (PhaaS) platform. A basic subscription costs $250 a month; all you need is an email to sign up. How Caffeine PhaaS is Different PhaaS vendors advertise and sell their…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…