Digital security certificates have become a vital part of online communications. Combining cryptography with a standardized format, they have grown from simple assertions of identity to full authentication methods. But as important as they have become, security certificates remain fallible.

More Certificates, More Problems

According to a Venafi study, 79 percent of respondents suffered at least one certificate-related outage in 2016. Additionally, 38 percent suffered more than six, and 4 percent experienced 100 or more such outages last year. Unfortunately, response time is no better: 64 percent of respondents said that they were unable respond to a certificate-related security event in six hours or less.

All of this is exacerbated by the rise in the number of certificates that organizations use in their normal operations. This may be due to the increased number of devices that use corporate networks to connect to the internet. The more devices an organization has attached to its networks, the more certificates it will use.

Off Key With Certificate Management

When Venafi looked at the practices of some organizations, it was surprised to find that the average enterprise had over 16,500 unknown keys. That does not include the certificates or keys that were known to the organization — just the ones it did not realize it was responsible for.

The Venafi study also revealed that the vast majority of companies do not have control over their key and certificate inventory. Furthermore, these organizations do not use automation for the certificate renewal process. According to the study, this may be because two-thirds of companies have no existing centralized record of when their certificates will expire.

Even if a company does establish a central record of certificates, the study found that two-thirds of them use the visibility and security tools of the issuing certificate authority (CA). These tools are limited to certificates that have been issued by that CA, and there is no independent reliability check available to verify their efficacy.

The Scope of Security Certificate Struggles

Despite these concerns, Venafi vice president of security strategy Kevin Bocek remains hopeful. “The good news is that certificate-related outages are completely preventable, but you need to understand the scale and the scope of the problem,” he said in a press release.

The scope of the problem is at once simple and complex. Protecting a certificate from operational outage is simply a matter of ensuring that the certificate is valid and that it will be renewed before it expires. But it is difficult to know what certificates are in use inside an organization. These certificates can extend from the data center to the cloud and all the way to the Internet of Things (IoT) on the edge of networks. The scale of such a task calls for an automated process to discover, issue and remediate all the keys and certificates used by a business.

Certificates can fail for very simple reasons. It is up to security teams to come up with methods to make sure those preventable reasons are avoided.


More from Risk Management

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging.We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically.For this reason, 75% of organizations seek to…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…

Why consumer drones represent a special cybersecurity risk

3 min read - Cybersecurity staff at an East Coast financial services company last summer detected unusual activity on its internal Atlassian Confluence page originating inside the company’s network. The MAC address used locally belonged to an employee known to be currently using the same MAC address remotely, according to a security specialist named Greg Linares, who had secondhand information about the attack. So, the team used a Fluke AirCheck Wi-Fi Tester device to identify the device logged in, which led the team to…