$600 Million Dollar Question: Is Your Company’s IAM MIA?

May 7, 2015 | Patriz Regalado

Today, an increasing number of Identity and Access Management (IAM) strategies include the cryptographic keys and digital certificates for SSL/TLS, SSH, mobile WiFi, and VPN access that authenticate and authorize servers, devices, software, cloud, and privileged administrators and users.

This move to expand the enterprise security perimeter is laudable because it closes the gap between the authentication and authorization established by keys and certificates and the protection provided for other credentials, such as usernames and passwords. But without proper management and oversight, cryptographic keys and digital certificates could break that security perimeter wide open. For many companies, their IAM for keys and certificates may be missing in action (MIA).

Unlike passwords and user IDs, which are controlled with layers of automated monitoring policies, certificates and keys have been blindly trusted with inadequate, siloed processes. In many companies, there is no centralized visibility, policy enforcement, or incident tracking and remediation.

According to the 2015 Cost of Failed Trust Report, published this year by the Ponemon Institute and Venafi, an average enterprise has almost 24,000 keys and certificates in circulation. But 54 percent of corporate security professionals surveyed in the report admitted that they have no idea where all of their keys and certificates are located. As a result, thousands of certificates go missing in action every year, a recipe for disaster. Those certificates establish trusted access to critical servers, applications, mobile devices and cloud instances at the highest level of privilege, creating a situation ripe for exploitation.

Ask yourself these questions:

Would your organization tolerate a security situation where 24,000 passwords and user IDs were floating around the company without any awareness, policies, or control? Probably not. But your organization may be doing just that when it comes to keys and certificates. Just as with passwords and user IDs, policies and automated controls, such as rotation, validity periods, ownership, timely provisioning, and revocation, need to be applied to keys and certificates. Instead, outdated approaches limit visibility and policy enforcement and increase the risk of misuse, exposing enterprises to compliance failures and costly data breaches.

So if you were an enterprise hacker, where would you focus your attack efforts? Cybercriminals have already answered this question for you. In the Ponemon research, security professionals estimated the total possible impact per organization for all attacks using keys and certificates to be almost $600 million, up 50% from 2013.

It’s time to apply the same diligence we devote to usernames and passwords to keys and certificates, by deploying enterprise-wide policies and automated controls. Try these best practices:

  • Protect
    • Create visibility by inventorying the certificates you have in use today and verifying their ownership
    • Establish enterprise-wide use policies
  • Detect
    • Monitor and detect for anomalies
    • Enforce policies and establish management control
  • Respond
    • Automate key and certificate issuance, renewal, and installation
    • Replace keys and certificates based on a regularly scheduled inventory and review process
    • Remediate by replacing keys and certificates in the event of a CA compromise or new vulnerability such as Heartbleed
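
The policy checks named above (rotation, validity periods, ownership, weak keys) and the inventory-and-review step in the list, shown as an added Go example that is not part of this post or any Venafi product: each inventoried certificate is parsed and scored against an explicit policy. The thresholds, the ownership register and the self-signed certificates are constructed for the demonstration.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Policy thresholds: assumed values for this example, not figures from the post.
const (
	minRSABits  = 2048                 // reject weaker RSA keys
	maxValidity = 365 * 24 * time.Hour // longest validity period allowed
	renewWithin = 30 * 24 * time.Hour  // flag for rotation before expiry
)
// owners is a constructed ownership register keyed by subject CN; unregistered certs are flagged.
var owners = map[string]string{"api.example.test": "platform-team"}
// CheckCert applies the policy to one parsed certificate and returns its findings.
func CheckCert(c *x509.Certificate, now time.Time) []string {
	var f []string
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < minRSABits {
		f = append(f, fmt.Sprintf("weak RSA key: %d bits", k.N.BitLen()))
	}
	if c.NotAfter.Sub(c.NotBefore) > maxValidity {
		f = append(f, "validity period exceeds policy")
	}
	if left := c.NotAfter.Sub(now); left < renewWithin {
		f = append(f, fmt.Sprintf("expires in %d days, rotate now", int(left.Hours()/24)))
	}
	if _, ok := owners[c.Subject.CommonName]; !ok {
		f = append(f, "no registered owner")
	}
	return f
}
// makeCert builds a constructed self-signed certificate standing in for an inventoried one.
func makeCert(cn string, bits int, notBefore time.Time, validFor time.Duration) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, bits) // demo only: errors ignored
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(validFor)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
func main() {
	now := time.Date(2015, 5, 7, 0, 0, 0, 0, time.UTC) // fixed clock for a repeatable run
	legacy := makeCert("legacy.example.test", 1024, now.Add(-700*24*time.Hour), 720*24*time.Hour)
	fmt.Println(legacy.Subject.CommonName, CheckCert(legacy, now))
}
```

In a real inventory the certificates would come from scanned endpoints or files rather than makeCert, and the findings feed the review and remediation steps.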

The six steps should give you a good starting point, but there’s plenty more you can do. You can read the Venafi solution brief, Close the Gaps in Identity and Access Management, or drop me a line if you’d like to learn how.
