As encryption becomes ubiquitous, organizations should be prepared to react quickly to a growing number of disruptive events like the recent GlobalSign SNAFU. A simple error in root certificate maintenance at GlobalSign last week left organizations everywhere asking, “What happened?” Very quickly they were also asking, “What can I do?” as browsers began rejecting thousands of sites as untrusted.
Even after GlobalSign issued new intermediate certificates to rectify the problem, revocation responses already cached by browsers and CDNs could take up to four days to expire. That’s a long time for a commercial website to be unreachable for its users.
In an article in InfoSecurity Magazine, Venafi Chief Strategy Officer Kevin Bocek talks about the impact of just one disruptive event. “It’s hard to know how many companies have been impacted, but with GlobalSign boasting that over 25 million certificates rely on the public trust of the GlobalSign root CA certificate, the impact is undoubtedly huge.”
But the fix is bigger than it sounds. Before organizations can remediate the affected certificates, they need to identify them, isolate them and, finally, reissue them. Sounds simple, right? In practice it proves far harder than most organizations anticipate: few have a response plan for an outage of this scale, especially one that originates with a trusted authority.
In a world where most large organizations rely on multiple CAs across different regions and departments, they often lack the visibility required to move smoothly from one CA to another. In Dark Reading, Bocek highlights the questions that may have puzzled many organizations. “Do security operations teams know they use GlobalSign? Do they know where the servers that use GlobalSign certificates are located? Do they know how to add new CA certificates to application trust stores?”
The longer it takes to get the answers to these questions, the more revenue will be lost. Bocek estimates that revenue loss and reputational damage for the businesses affected may run into the millions of dollars.
Because of the potential fiscal impact, it’s important that businesses are adequately prepared to take immediate action when a problem arises. “Businesses must have an automated back-up plan – they cannot be at the mercy of any one CA,” advises Bocek in ComputerWeekly.com. He continues, “These types of issues will continue to happen but, when they do, firms need to be able to take control and immediately and automatically change out affected certificates.”
Was this an isolated event? Bocek responds, “The reality is that failures such as this and breaches involving certificates are becoming more frequent – not surprising, since the world is becoming encrypted. The impact though is completely unacceptable – you can’t have your site being untrusted or taken offline for days on end.”