Before your view becomes 20/20 from hindsight and you are too little too late, adopt an approach that gives 100% insight. Virtually all enterprises are unaware of how many certificates they have in their organization. Visibility is critical to properly manage certificates, avoid certificate-related outages, and secure your business and brand.
Visibility for Certificate Management
Without visibility, in today’s flooded wires of packet transfers, you will not really know how many certificates are in use within your organization. In 2015 research by the Ponemon Institute, 54% of IT security professionals admitted to not knowing where all of their keys and certificates are located. But I think this is grossly underestimated. I have never met an organization utilizing certificates who accurately knew the count of their digital certificate usage before using Venafi. Usually, we wind up finding at the least 3x what they thought they had.
Yet finding all of your certificates is just the beginning. To properly manage them, you’ll need visibility into all of these aspects:
- Who owns each of your certificates?
- What does each certificate do?
- Who is controlling your self-signed certificates?
- Where do all of your wildcard certificates live?
- Are all certificates being issued by the CAs you have approved?
Visibility to Avoid Certificate-related Outages
Another critical component to certificate visibility is the ability to identify approaching certificate expirations. At some point certificates expire, and at some point you need to renew that certificate and go replace it everywhere it belongs (1 year maximum if you are following best practices). But it’s important to do this before they expire and cause outages of critical business systems. We’ve already seen several examples of certificate-related outages in large global businesses in 2015, including in Google Gmail, Microsoft Azure, and Instagram. These outages can cost you millions. In research by the Ponemon Institute, IT security professionals set the average cost of a certificate-related outage at $15 million.
Visibility to Protect Your Business and Brand
Visibility into your keys and certificates isn’t just crucial for management—as the foundation to online trust, it’s also critical to securing your business and protecting the privacy of your customers and partners. Here are some questions you should be able to answer:
- Who is making sure that certificates with proper strength are being created?
- Has anyone stood up a rogue CA on your network?
- Are all certificates being issued by the CAs you have approved?
- Are stolen or rogue keys and certificates being used to hijack your brand?
Enterprises need to also realize that using encryption creates security blind spots. Cybercriminals are now using SSL/TLS to hide getting malware into organizations and to hide taking sensitive data out. Gartner estimates that by 2017, 50% of network attacks will use SSL/TLS. Organizations need real-time access to keys and certificates to decrypt SSL/TLS traffic and pass the content to security devices, such as Blue Coat, for further processing, analysis, and policy administration.
When the online trust established by keys and certificates is broken, businesses lose customers. Thank goodness solutions such as Google Certificate Transparency (CT) and Venafi TrustNet™ are out there to help add some visibility to our ever expanding use of digital certificates and keys.
Recently, Thawte CA had some of its employees issue unauthorized Google certificates. Fortunately, pre-certificate data gets sent to Google CT prior to actual issuance. In this case, the Google CT team was able to raise the red flag about these unauthorized certificates and alert the proper channels, allowing immediate corrections to be made. Venafi TrustNet combines information from Google CT with information from the Venafi sensory network to provide information on certificate issuance as well as throughout the entire certificate lifecycle on all certificates used on the internet.
Businesses rightly take encryption seriously. This means they care about the CAs they use, how long certificates are valid, and what hashes, algorithms, and protocols are used. We have seen companies with very strong policies on their certificates who have removed employees when a certificate that was unauthorized showed up via our discovery. How do you know whether your policies are being followed if you can’t see? It’s time to shed some light on your certificates. You can’t fix what you can’t see, and you can’t protect a door if you don’t know it exists.