It’s that time of year again—where we look back at 2019 and evaluate what went right and what went wrong. If certificate outages were on your “need-to-improve” list, then it’s time to set some New Year’s goals that will help improve your organization’s availability and productivity.
So. Outages. When was the last time you had to grapple with a certificate outage? Last week? Last month? Last year? It probably doesn’t make you feel any better that you’re not alone. Information security professionals have been dealing with certificate-related system and service outages for as long as the internet has been around. And even the most security conscious organizations can still struggle with these unexpected outages.
Why do certificate outages still happen?
For one, the race toward digital transformation has caused an exponential increase in the number of SSL/TLS certificates organizations need to manage and protect. The sheer volume of these new certificates exceeds the capacity of manual or semi-automated processes in many large organizations. So, almost all organizations are left with certificates that they don’t know about. And unknown certificates are prime candidates for unexpected expiration. On average, IT security professionals using Venafi found 57,420 additional SSL/TLS keys and certificates that were previously unknown.
At the same time, cybersecurity solutions are increasingly using SSL/TLS certificates to decrypt and inspect traffic, searching for signs of attackers and anomalies. Inspection of this traffic is now critical for cyber defense. But when a certificate-related outage impacts this security process, it can transform an availability issue into a major breach.
If you’ve had to deal with the aftermath of an outage triggered by an expired certificate in 2019, then here’s a shortlist of 6 resolutions that are likely to improve your quality of life in 2020.
- Resolution #1—Build Yourself a Certificate Outage Safety Net
Create an effective outage warning system that notifies organizational leaders rather than trying to track down individual owners of certificates. This will help you build executive awareness of impending outages and promote action before sites, services and applications are crippled.
- Resolution #2—Implement the Right Technology to Prevent Outages
Make sure you’re building a proper foundation for outage prevention. Choose a solution that provides the visibility, intelligence and automation your organization needs to prevent certificate-related outages across server operations, network, InfoSec and PKI teams.
- Resolution #3—Encourage Your Certificate Users to Make the Right Choices
Create a self-service portal for certificates that allows you to maintain control of cryptographic attributes and security policies across business silos. Plus, it will help certificate owners easily solve certificate-related issues themselves so they can run faster, experience fewer obstacles and achieve their goals more securely.
- Resolution #4—Make Sure You’re Using the Best Policies
Creating an enterprise-wide policy for machine identities will standardize practices and remove user guesswork for critical attributes, such as approved CA, required configuration and parameters for key lengths, algorithms and expiry dates.
- Resolution #5—Fine Tune Your Machine Identity Workflows
In designing workflows, you’ll want to integrate your certificate service with other systems like ticketing and ITSM solutions. Plus, you’ll want to document procedures for sign-off and override to sidestep any potential irregularities.
- Resolution #6—Train the Teams Who Will Help You Be Successful
Don’t forget to train and enable deployment teams to become experts in managing certificate lifecycles as part of your broader information security strategy. At a minimum, they should know how to onboard a certificate-owner team, enable notifications and set up policies, folders and workflows.
At Venafi, we’ve been helping the world’s largest organizations prevent certificate outages for the past 12+ years. And we can do it for you too. Guaranteed. The resolutions I’ve listed above are just part of a prescriptive guide that you can follow to prevent outages altogether. See the full list of steps you should follow to eliminate certificate outages. In fact, we’re so certain of this that, if you follow these steps, we’ll guarantee that you will not experience certificate outages.
Are you ready to stop certificate outages forever? Read more about our guarantee here.