As a long-term remote worker, Spotify has been one of my go-to apps. A great perk of working alone is the ability to blast music as loud as I want, until my downstairs neighbors complain at least. And I’m not the only one. Spotify has over 130 million paid subscribers and 44% of these users access the app on a daily basis. Overall, this means a lot of content is streamed every day, hour and minute.
For me personally, it would be frustrating if Spotify was inaccessible, even if it was for a relatively short period of time. As one of the most popular apps in the world, lockout would impact countless users. Unfortunately, the app suffered an hour-long outage on August 19 because, you guessed it, a certificate expired.
“Certificates have a finite lifespan and they lose validity the moment they hit expiration,” explained Pratik Salva, senior security engineer at Venafi. “Expired certificates can make sites and services inaccessible and have been the cause of various incidents over the last several years. Ultimately, if a certificate expires for a high impact service, like Spotify, it can potentially impact millions of users.”
Certificate outages are still surprisingly common and impact a large variety of organizations. Just last week, the state of California said an expired server certificate led to a backlog of nearly 300,000 lab records in the state’s coronavirus reporting system. In addition, a recent study revealed that 75% of global CIOs expressed concern about the security risks connected with the proliferation of certificates. Plus, over half of CIOs say they worry about outages and business interruptions due to expired certificates.
“Many large organizations often don’t know all the certificates they own and where they are all deployed because they don’t have an accurate and proper asset inventory,” continued Pratik. “These issues can lead to certain certificates slipping under the radar and expiring at any point, which leads to outage incidents.”
So what can organizations do to prevent future outages? “The first step is to make sure that you develop and continuously update a detailed certificate inventory that includes the following details: CA /Issuer, date of cert. issue and expiry, signature/encryption algorithms, key length, certificate history and ownership (this can be a group or individual),” says Pratik. “Next, expiry notifications should be setup to ensure it reaches the right owners ahead of time. This includes a set period starting at least a month before the expiry date for non-critical systems and starting with at least two months before the expiry date for systems deemed critical.”
“And finally, a proper security incident response policy should be in place so there is timely detection, reaction and response to security incidents.”