The average number of digital certificates owned by organizations has grown over the past few years. Across companies of all sizes, the average number of machine identities per organization at the end of 2021 was nearly 250,000 and was estimated to increase by 42% per year.
Larger organizations faced even greater challenges. On average, CIOs at organizations with more than 10,000 employees estimated that they had more than 320,000 machine identities in their enterprises at the start of 2022. If their growth rate stays constant for the next two years, that number will more than triple to around 1 million machine identities by 2024.
Such growth in part reflects the fact that many organizations transitioned to a remote or hybrid work model following the events of 2020. It also reflects how much organizations have invested over the past few years in bringing new Internet of Things (IoT) devices, cloud services, and applications into their environments. The result is that machine identities now far outnumber human identities: a recent CyberArk report found machine identities outnumbering human identities by a factor of 45 to 1. Organizations need a way to secure all these resources along with the communication between them.
More certificates, more management problems
This increase in digital certificates has complicated certificate management, exposing organizations to greater risk of a certificate outage. In a recent Venafi study, we found that:
- 83% of organizations suffered a certificate-related outage during the last 12 months.
- 26% of the CIOs whose organizations experienced outages said those outages impacted business-critical systems.
But outages are not the only challenge for a growing population of certificates. In a report covered by Help Net Security, for instance, nearly two-thirds of enterprises said that they were concerned about how much time they were spending on managing certificates. Over a third (37%) said that their certificate management process involved more than three different departments in the organization, leading to confusion and complicating visibility.
These certificate management struggles have exacerbated two issues in particular: rogue certificates and shadow IT. Let's explore both below:
- Rogue certificates
As a reminder, a rogue certificate is a certificate issued by a trusted Certificate Authority (CA) whose private key an attacker has compromised, or one that a trusted CA issued to the wrong entity in the first place. The latter is the goal of an impersonation attack: a malicious actor convinces a Registration Authority (RA) that they are someone else, such as an employee of the targeted organization, and uses that ruse to get the RA to issue them a certificate for that target.
Rogue certificates threaten organizations' security because they let threat actors bypass traditional security controls. The attacker holds the private key that matches a certificate which browsers, clients, and other machines already trust, so connections to the attacker's system are accepted without any warning. Malicious actors can then use that trust to impersonate the targeted organization and conduct follow-on attacks against its customers and/or partners.
- Shadow IT
Shadow IT is when someone in the organization connects hardware, software, or other Information Technology (IT) to the network without letting IT know. As such, shadow IT complicates certificate management by making it more difficult for teams to obtain comprehensive visibility over their employer’s resources. Indeed, the first two Critical Security Controls identified by the Center for Internet Security involve building an inventory of enterprise hardware and software for a reason. Security and IT personnel can’t defend what they don’t know about. This also applies to machine identities, keys, and certificates. Teams can’t renew or revoke what they don’t know about. With shadow IT, organizations are therefore at greater risk of suffering an outage, which increases their vulnerability to an attack.
How can organizations overcome these obstacles?
To address the challenges associated with rogue certificates, organizations can use automated tools that provide real-time threat intelligence and alerts. Such tools can, for example, alert an organization when a certificate for one of its domains is issued by a CA it does not use, or when malicious actors are seen attempting to obtain rogue certificates for other entities in the same industry. Additionally, organizations might consider using a machine identity management platform to help them meet their evolving operational needs, emerging industry best practices, and compliance requirements on an ongoing basis.
As for shadow IT, organizations need to get ahead of the problem and invest in their ability to discover and manage all identities, regardless of whether they're human or machine in nature. The first step is admitting that shadow IT is an issue in the organization. From there, IT, security, and other key stakeholders can work together to address the problem and thereby bring greater visibility to keys and certificates across the enterprise.
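The following Python script is an added example, not Venafi's code or any product's API. It shows the reconciliation logic at the heart of the approach described above: certificates observed externally (here a constructed list modeled on what a Certificate Transparency log search returns) are compared against an internal inventory and a per-domain issuer policy, so that certificates from an unapproved CA (possible mis-issuance or impersonation) are separated from certificates that a legitimate CA issued but nobody registered (shadow IT), and inventory certificates close to expiry are flagged before they cause an outage. The domain, issuer strings, serial numbers, and dates are all invented for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy: which CAs may issue for each domain the organization owns.
# Domains and issuer strings are assumptions for this example, not a real policy.
MONITORED_DOMAINS = {
    "example.com": {"O=Example Internal CA", "O=Let's Encrypt, CN=R3"},
}

# Fixed "now" so the example is reproducible (constructed date).
NOW = datetime(2022, 6, 20, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    serial: str             # hex serial, unique per issuer
    issuer: str             # issuer DN, abbreviated
    sans: tuple[str, ...]   # DNS subjectAltNames
    not_after: datetime     # expiry, UTC
    owner: str = ""         # responsible team; empty when nobody has claimed it


def base_domain(name: str) -> str:
    """Map a SAN (possibly a wildcard) to the domain it falls under.
    Simplified: keeps the last two labels, which is wrong for suffixes such as
    co.uk; a production tool should consult the Public Suffix List."""
    name = name.lower()
    if name.startswith("*."):
        name = name[2:]
    return ".".join(name.split(".")[-2:])


def classify(observed: list[Cert], inventory: list[Cert], policy: dict) -> dict[str, list[str]]:
    """Bucket externally observed certificates that cover our domains:
      rogue      issued by a CA not approved for that domain
      unmanaged  approved CA, but the certificate is absent from the inventory
      managed    approved CA and tracked in the inventory
    Certificates whose SANs cover none of our domains are ignored."""
    known = {(c.issuer, c.serial) for c in inventory}
    report: dict[str, list[str]] = {"rogue": [], "unmanaged": [], "managed": []}
    for cert in observed:
        domains = {base_domain(s) for s in cert.sans} & set(policy)
        if not domains:
            continue
        if any(cert.issuer not in policy[d] for d in domains):
            report["rogue"].append(cert.serial)
        elif (cert.issuer, cert.serial) not in known:
            report["unmanaged"].append(cert.serial)
        else:
            report["managed"].append(cert.serial)
    return report


def expiring(inventory: list[Cert], now: datetime, within_days: int = 30) -> list[tuple[str, int]]:
    """Inventory certificates expiring within the window (or already expired),
    soonest first, with days remaining; a negative value means already expired."""
    horizon = now + timedelta(days=within_days)
    hits = [(c.serial, (c.not_after - now).days) for c in inventory if c.not_after <= horizon]
    return sorted(hits, key=lambda t: t[1])


# Constructed sample data. INVENTORY is what the organization believes it has;
# OBSERVED imitates a CT log search for the monitored domain.
INVENTORY = [
    Cert("01a1", "O=Example Internal CA", ("api.example.com",), NOW + timedelta(days=200), "platform"),
    Cert("02b2", "O=Let's Encrypt, CN=R3", ("www.example.com", "example.com"), NOW + timedelta(days=12), "web"),
    Cert("03c3", "O=Example Internal CA", ("legacy.example.com",), NOW - timedelta(days=3)),  # expired, no owner
]
OBSERVED = [
    Cert("01a1", "O=Example Internal CA", ("api.example.com",), NOW + timedelta(days=200)),
    Cert("02b2", "O=Let's Encrypt, CN=R3", ("www.example.com", "example.com"), NOW + timedelta(days=12)),
    Cert("7f7f", "O=Let's Encrypt, CN=R3", ("dev-portal.example.com",), NOW + timedelta(days=80)),  # shadow IT
    Cert("9e9e", "O=Some Other CA", ("*.example.com",), NOW + timedelta(days=365)),                 # rogue
    Cert("5555", "O=Let's Encrypt, CN=R3", ("other.org",), NOW + timedelta(days=60)),               # not ours
]


if __name__ == "__main__":
    for bucket, serials in classify(OBSERVED, INVENTORY, MONITORED_DOMAINS).items():
        print(f"{bucket:10s} {serials}")
    for serial, days in expiring(INVENTORY, NOW):
        print(f"expiring   {serial} in {days} days")
```

Running the script prints one rogue certificate (wildcard for the domain from an unapproved CA), one unmanaged certificate (a legitimate Let's Encrypt certificate for a host nobody registered), and two inventory entries inside the 30-day window, one of them already expired and unowned, which is exactly the certificate nobody would have renewed. Matching on (issuer, serial) rather than on hostname is deliberate: a rogue certificate for a known hostname must not be mistaken for the managed one.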
(This post has been updated. It was originally published on June 20, 2022 by David Bisson.)