Over the past year, more and more CISOs and security architects have expressed concern over the lack of agility in their machine identity programs. Many teams are not prepared or equipped to respond quickly to change, especially where their digital certificates are concerned.
This situation should not come as a surprise. The security industry has become increasingly aware of issues with agility. For example, a pair of Gartner analysts I work with frequently, David Mahdi and Mark Horvath, have dedicated an entire research note to the topic: “Better Safe Than Sorry: Preparing for Crypto-Agility.” Why? Well, in this blog, I’ll examine the rising tide of events that has brought agility to the forefront of the encryption industry.
There are many reasons why Global 5000 organizations demand agility. First and foremost, cyber criminals, from fraudsters to nation-state attackers, have taken advantage of the power of trusted certificates. Responding to these attacks requires organizations to quickly locate and replace compromised certificates, often in large batches.
Unfortunately, it is now easier than ever for cyber criminals to obtain fraudulent certificates. Recently, Let’s Encrypt issued over 14,000 certificates for PayPal phishing websites. This misuse of trust means that even average users must now be cautious around the glowing green padlock that websites once used to signal they were secure.
In addition, many organizations face operational challenges with certificate authorities (CAs) that have left their businesses untrusted for extended periods of time. In October 2016, for example, issues with GlobalSign locked users out of websites for days. More recently, GoDaddy reported and fixed a bug that required thousands of certificates to be revoked and replaced.
And finally, C-level executives are also closely examining the recent agreement between Google and Symantec regarding the operational and browser-compatibility status of Symantec certificates. We have covered this story from the week it broke.
All of these issues highlight the challenge, and the need, for organizations to be able to change, revoke and reissue certificates and CAs quickly and efficiently.
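As an added illustration (not code from the original post or from any vendor), here is the first check a certificate inventory needs before a batch replacement of the kind described above: flag every certificate issued by a CA slated for distrust, plus any certificate expiring within a planning horizon. The CA and host names are constructed test values, and the certificates are generated inside the program so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a constructed test cert for cn; with parent == nil it is a self-signed CA.
func issue(cn string, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: parent == nil, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(ttl)}
	if parent == nil { parent, parentKey = tmpl, key } // self-sign: Issuer becomes our own Subject
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // re-parse so Issuer and NotAfter come from the real DER
	return cert, key
}

// Triage maps each subject CN that needs reissue to the reason: issuing CA distrusted, or expiry within horizon.
func Triage(inv []*x509.Certificate, distrusted map[string]bool, horizon time.Duration) map[string]string {
	out, deadline := map[string]string{}, time.Now().Add(horizon)
	for _, c := range inv {
		switch {
		case distrusted[c.Issuer.CommonName]:
			out[c.Subject.CommonName] = "issuer distrusted: " + c.Issuer.CommonName
		case c.NotAfter.Before(deadline):
			out[c.Subject.CommonName] = "expires " + c.NotAfter.Format("2006-01-02")
		}
	}
	return out
}

// DemoInventory is a constructed inventory: a CA slated for distrust, a current CA, and two leaf certs.
func DemoInventory() []*x509.Certificate {
	legacy, legacyKey := issue("Example Legacy CA", 3650*24*time.Hour, nil, nil)
	modern, modernKey := issue("Example Modern CA", 3650*24*time.Hour, nil, nil)
	www, _ := issue("www.example.test", 365*24*time.Hour, legacy, legacyKey)
	api, _ := issue("api.example.test", 10*24*time.Hour, modern, modernKey)
	return []*x509.Certificate{www, api}
}

func main() { fmt.Println(Triage(DemoInventory(), map[string]bool{"Example Legacy CA": true}, 30*24*time.Hour)) }
```

In production the inventory would be the certificates pulled from your CA accounts and endpoints rather than generated here; Triage itself only reads parsed x509 fields.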
Hopefully, these challenges will serve as a wake-up call for organizations that haven’t focused on optimizing their CA business processes and dependencies.
What steps are you taking to build your CA agility?