Inadequate SSL Certificate Data Threatens IT Security
CIO — SSL certificates are a fundamental component of secure online transactions, but a majority of organizations admit that they have an inaccurate or incomplete inventory of their certificate populations, according to a new study conducted by Osterman Research on behalf of enterprise key and certificate management (EKCM) provider Venafi. Salt Lake City-based Venafi calls that a worst practice that presents a substantial risk for security and compliance incidents.
Osterman Research surveyed 174 IT and information security professionals and found that 54 percent of organizations have an inaccurate or incomplete inventory of their SSL certificate populations.
"People really don't have a good handle at all on what is going on in their environment with regard to SSL certificates and their management," said Jeff Hudson, CEO of Venafi.
And Hudson says the problem is really worse than that. While 54 percent of respondents admit they don't know, many others don't know what they don't know. Hudson pointed to one Venafi client, a large, well-regarded insurance company. The company was confident it had a complete inventory of its 3,000 SSL certificates. In its assessment, Venafi found a further 4,000 certificates the company owned that it didn't know about.
"The problem, numerically, is getting much worse," Hudson says. "Certificates are being used more and more. Just about any device that is being shipped now has certificates, up to and including printers. And printers have been compromised because of weak security. People were just watching all the output as it went out."
Manual Certificate Management Doesn't Cut It
Many organizations are also exhibiting worst practices when it comes to managing their certificates. Forty-four percent of the respondents said they manually manage their digital certificates using spreadsheets and reminder notes. That makes it difficult to track important information like expiration dates and the names of the certificate authorities (CAs) that issued the certificates. That's not an idle problem. Expired certificates can take business-critical websites offline for hours or even days.
"We found that nearly half of the respondents were not able to generate a report to tell management how many certificates would expire in the next 30 days," explains Michael Osterman, president of Osterman Research. "The fact that such a large percentage of people can't do something that should be very, very simple. They just can't do it."
Also, last year saw high-profile breaches of a number of CAs themselves, including RSA, Comodo and DigiNotar. And if a high-value target like a CA is breached, those responsible can use their access to create fraudulent certificates, Hudson explains. That means organizations have to know who the issuing authority is for all of their certificates and be prepared to swap them out as necessary. When these breaches happen, Hudson says, it's no longer just a security risk; it's a business-continuity risk. Finding affected certificates manually can take days or even weeks, but 72 percent of organizations do not have an automated process for replacing compromised certificates, according to the survey.
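The two questions the survey says most organizations cannot answer, which certificates expire within 30 days and which were issued by a given CA, can be answered from a directory of PEM files with the openssl CLI. The script below is an added example, not Venafi's tool or anything from the article; it assumes openssl is installed and builds its own self-signed test certificates (constructed fixture names) so it runs offline.

```shell
#!/bin/sh
# Added example (not from the article or from Venafi): a minimal
# certificate inventory over a directory of PEM files. Requires the
# openssl CLI. Fixture hostnames below are constructed for the demo.

# Print "file|subject|issuer|notAfter" for every .pem in DIR.
inventory() {
  for f in "$1"/*.pem; do
    printf '%s|%s|%s|%s\n' "$f" \
      "$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')" \
      "$(openssl x509 -in "$f" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//')" \
      "$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')"
  done
}

# List certificates in DIR that expire within DAYS (default 30):
# the "30-day report" the survey respondents could not produce.
expiring_within() {
  days=${2:-30}
  for f in "$1"/*.pem; do
    # -checkend exits non-zero when the cert expires within N seconds
    if ! openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
      echo "$f"
    fi
  done
}

# Count of certificates expiring within DAYS, for a management summary.
count_expiring() { expiring_within "$1" "$2" | wc -l | tr -d ' '; }

# List certificates in DIR whose issuer DN contains PATTERN: the question
# to answer when a CA is reported compromised and its certs must be swapped.
issued_by() {
  inventory "$1" | awk -F'|' -v pat="$2" 'index($3, pat) { print $1 }'
}

# Constructed fixtures: two self-signed certs (so issuer == subject), one
# expiring in 10 days and one in a year, standing in for a real inventory.
make_fixtures() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 -keyout "$1/web01.key" \
    -subj "/CN=web01.example.test/O=Example Corp" -out "$1/web01.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$1/web02.key" \
    -subj "/CN=web02.example.test/O=Other Org" -out "$1/web02.pem" 2>/dev/null
}
```

Run `make_fixtures certs && inventory certs && expiring_within certs 30` to see the full listing followed by only the short-lived certificate; `issued_by certs "Other Org"` narrows the inventory to one issuer.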
The lack of automated certificate management also poses audit and compliance risks, Hudson says. In addition to the large percentage of organizations that can't present automated, repeatable and on-demand methods for providing certificate-population reports to management and auditors, 62 percent don't have automated processes for ensuring corporate policy and regulatory compliance.
"People don't know the size of the problem," Hudson says. "They don't have mechanisms in place to quantify what's going on."
Scanning for Digital Certificates
To help organizations get a handle on what is going on within their network, Venafi has launched Venafi Assessor, a free software tool that scans the network to locate and analyze deployed digital certificates and their associated encryption keys. The software then produces reports that detail the security, operational and compliance risks involved and presents remediation recommendations based on industry best practices.
The results could help convince organizations to address the problem before it leads to a bigger one.
"Organizations, when faced with a problem, still won't do a lot about it," Osterman says. "They won't develop the policies they need or implement the technologies they need. They know intellectually what could happen, but until it hits home they tend not to do much about it."
He added, "What we find in our research of problems like this is that organizations can identify 10 or 15 major problems they need to remediate, but they only have budget for the top five. This is one of the areas they absolutely need to address. If you don't have certificates that are up to date, it's a major problem."
Thor Olavsrud is a senior writer for CIO.com. Follow him @ThorOlavsrud.