The average number of digital certificates owned by organizations has grown over the past few years. A Ponemon study sponsored by Entrust reported that the number of certificates reached 56,192 for the average enterprise in 2020. That’s 43% higher than it was the previous year at 39,197.
Such growth in part reflects the fact that many organizations have transitioned to a remote or hybrid work model following the events of 2020. Along the way, those entities have found themselves increasingly relying on digital technology and services to serve their business requirements. It also highlights how organizations have been investing in bringing on new Internet of Things (IoT) devices, cloud services, and applications into their environment over the past few years. The result is that machine identities now far outnumber human identities. Organizations need a way to secure all these resources along with the communication between them.
More certificates, more management problems
This increase in digital certificates has complicated certificate management, exposing organizations to greater risk of a certificate outage. In a recent report covered by Help Net Security, for instance, nearly two-thirds of enterprises said that they were concerned about how much time they were spending on managing certificates. Over a third (37%) said that their certificate management process involved more than three different departments in the organization, leading to confusion and complicating visibility. This is evident in organizations now having an average of 1,200 unmanaged certificates, per the study. It’s also apparent in how two-thirds of organizations revealed that they experienced outages caused by certificates expiring unexpectedly, with 25% going on to admit that they suffered as many as six outages between April and October 2021.
These certificate management struggles have exacerbated two issues in particular. These are rogue certificates and shadow IT. Let’s explore both below:
- Rogue certificates
As a reminder, a rogue certificate is a certificate that chains to a trusted Certificate Authority (CA) but was obtained illegitimately: either the CA (or its signing key) was compromised, or a trusted CA issued an otherwise valid certificate to the wrong entity. The second case is the objective of an impersonation attack, in which a malicious actor tries to convince a Registration Authority (RA) that they are someone else, such as an employee of a targeted organization, and uses that ruse to get the RA to issue them a certificate for the target's name.
Rogue certificates threaten organizations' security because they let threat actors bypass the trust checks that browsers, devices, and traditional security solutions rely on. The attacker holds the private key for a certificate that relying parties will accept for the target's name, so they can terminate or intercept TLS sessions and otherwise pass as the targeted organization in follow-up attacks against its customers and/or partners. Note that the victim's own private key is never touched; the damage comes from a trusted CA vouching for a key the attacker controls, which is why the fix is prompt detection and revocation by the issuing CA rather than a change on the victim's own systems.
- Shadow IT
Shadow IT is when someone in the organization connects hardware, software, or other Information Technology (IT) to the network without letting IT know. As such, shadow IT complicates certificate management by making it more difficult for teams to obtain comprehensive visibility over their employer's resources. Indeed, the first two Critical Security Controls identified by the Center for Internet Security involve building an inventory of enterprise hardware and software for a reason. Security and IT personnel can't defend what they don't know about. This also applies to machine identities, keys, and certificates: teams can't renew or revoke what they don't know about. With shadow IT, organizations are therefore at greater risk of suffering an outage, and the scramble to restore service (for example by clicking through certificate warnings or temporarily disabling validation) in turn increases their vulnerability to an attack.
How can organizations overcome these obstacles?
To address the challenges associated with rogue certificates, organizations can use automated tools that provide real-time threat intelligence and alerts. For publicly trusted certificates, the most direct signal is Certificate Transparency (CT): certificates issued by public CAs are recorded in public, append-only CT logs as a condition of browser trust, so monitoring those logs for certificates that name the organization's domains reveals mis-issued or rogue certificates regardless of who requested them, and the issuing CA can then be asked to revoke them. Such tooling can also inform organizations of malicious actors attempting to obtain rogue certificates from other entities in their same industry. Additionally, organizations might consider using a machine identity management platform to help them fulfill their evolving operational needs, emerging industry best practices, and compliance requirements on an ongoing basis.
As for shadow IT, organizations need to get ahead of the problem and invest in their ability to discover and manage all identities, regardless of whether they're human or machine in nature. The first step is admitting that shadow IT is an issue in the organization. Discovery then has to be active rather than survey-based: scanning the network for listening TLS endpoints, inspecting host and container certificate stores, and, for public names, querying Certificate Transparency logs for certificates issued to the organization's domains. From there, IT, security, and other key stakeholders can work together to address the problem and thereby bring greater visibility to keys and certificates across the enterprise.
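The two checks discussed above, a certificate for one of your own domains from a CA you never use (the rogue or mis-issuance signal) and an unmanaged certificate approaching expiry (the outage signal), can be run over any certificate you can get hold of, whether a CT log entry, a file found on a host, or the leaf from a TLS handshake. The following Go program is an added example written for this page, not code from the original post or from any vendor's product; the Policy and Record types, the approved-issuer list, the domain names, and the three sample certificates are all constructed assumptions. It generates the samples in memory and applies the same inventory check to each.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Policy captures what the organization expects for its own names (field names are assumptions for this example).
type Policy struct {
	ManagedDomains  []string        // domains the organization owns, matched by suffix
	ApprovedIssuers map[string]bool // issuer CNs the organization actually buys from or runs
	RenewWithin     time.Duration   // flag certificates that expire inside this window
}

// Record is one inventory entry together with the policy findings for it.
type Record struct {
	Subject, Issuer string
	DaysLeft        int
	Findings        []string
}

// coversManagedDomain reports whether any SAN (wildcards included) falls under a managed domain.
func coversManagedDomain(names, managed []string) bool {
	for _, n := range names {
		n = strings.TrimPrefix(strings.ToLower(n), "*.")
		for _, d := range managed {
			if d = strings.ToLower(d); n == d || strings.HasSuffix(n, "."+d) {
				return true
			}
		}
	}
	return false
}

// Inspect parses one PEM certificate (a CT log entry, a file found on a host, the
// leaf from a TLS handshake) and evaluates it against the policy as of now.
func Inspect(pemBytes []byte, now time.Time, p Policy) (Record, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Record{}, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Record{}, err
	}
	r := Record{Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName,
		DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24)}
	// Outage risk: an unmanaged certificate is usually noticed only once it has expired.
	switch {
	case !now.Before(cert.NotAfter):
		r.Findings = append(r.Findings, "expired")
	case cert.NotAfter.Sub(now) <= p.RenewWithin:
		r.Findings = append(r.Findings, "expires within renewal window")
	}
	// Rogue or mis-issued certificate signal: one of our names, issued by a CA we never use.
	if coversManagedDomain(cert.DNSNames, p.ManagedDomains) && !p.ApprovedIssuers[r.Issuer] {
		r.Findings = append(r.Findings, "issuer not approved for managed domain")
	}
	return r, nil
}

// SampleCert builds a constructed PEM certificate for the demonstration. It is signed
// with the leaf's own key, so it does not truly chain to issuerCN; only the fields an
// inventory reads (issuer name, SANs, expiry) matter here.
func SampleCert(issuerCN string, dnsNames []string, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsNames[0]},
		DNSNames: dnsNames, NotBefore: notAfter.AddDate(0, 0, -90), NotAfter: notAfter}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}} // only its Subject is used
	der, err := x509.CreateCertificate(rand.Reader, leaf, issuer, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC) // fixed clock so the run is reproducible
	policy := Policy{ManagedDomains: []string{"example.com"},
		ApprovedIssuers: map[string]bool{"Corp Internal CA": true}, RenewWithin: 14 * 24 * time.Hour}
	samples := [][]byte{
		SampleCert("Corp Internal CA", []string{"app.example.com"}, now.AddDate(0, 0, 60)),   // healthy
		SampleCert("Corp Internal CA", []string{"legacy.example.com"}, now.AddDate(0, 0, 5)), // forgotten, about to expire
		SampleCert("Some Other CA", []string{"*.example.com"}, now.AddDate(0, 0, 300)),       // our name, unexpected issuer
	}
	for _, s := range samples {
		r, err := Inspect(s, now, policy)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s issuer=%-18q days=%-4d findings=%v\n", r.Subject, r.Issuer, r.DaysLeft, r.Findings)
	}
}
```

In practice Inspect would be fed by a CT log monitor for the public names and by a scanner or agent for internal hosts; the policy is deliberately an allow list of issuers rather than a block list, because a rogue certificate by definition comes from a CA you would otherwise trust.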