Organizations are embracing digital transformation and emerging technologies at an increased rate. In fact, this rate has accelerated in 2020 to address a pandemic-driven move to online business. In addition, the proliferation of IoT devices, the migration of data in multi-cloud environments, and advances in virtualization and DevOps have skyrocketed the number of SSL/TLS certificates that enterprises hold.
More machines means more machine identities. And in addition to the increasing importance of digital certificates as machine identities, another crucial trend that is complicating machine identity management is the shortening of SSL certificate lifespans. As of September 2020, the lifespan of certificates has reduced to just 13 months or 398 days. This trend is expected to continue in the future, with some organizations already issuing certificates that are valid for only a few days or even hours.
Despite their importance, digital certificates are often left poorly managed. Because of weak certificate management practices, nearly every enterprise has experienced an outage due to an expired certificate. These outages have proven to cause great damages to affected businesses. Beyond the risk of certificate related outages, various cryptographic incidents, such as algorithm vulnerabilities and advances in computing, have enhanced the need for businesses to become crypto agile. Here are 6 key factors businesses need to consider for maintaining crypto agility:
How do you respond to these certificate management challenges to maintain crypto agility? The answer is by employing policies and practices for effective certificate management.
To effectively address the challenges related to the management of TLS certificates, everyone needs to be aware of the importance of these machine identities. Every employee who interacts with certificates in any way needs to understand the consequences of rogue certificates or the damage that happens when a certificate expires. Certificate related outages can cause reputational damage and cost businesses a lot. According to Gartner, network downtime costs roughly $300,000 per hour. Compromised or stolen certificates are being leveraged by cyber criminals to wreak havoc, exfiltrate sensitive data or launch DDoS attacks. They can also be used to impersonate legitimate websites, causing harm to potential customers, and loss of revenue due to damaged trust.
The foundation to every successful security program is to have visibility into your assets. An effective certificate management program should also start by establishing and maintaining clear visibility across all SSL/TLS certificates in a corporate environment. The inventory should focus on:
The process of identifying all SSL/TLS certificates in a business ecosystem should create a centralized inventory of all issued certificates. Additionally, it should identify certificate owners and map these certificates to the web servers and apps where they are being used.
The proliferation of DevOps, microservices, containers and IoT devices has created a new category of certificate owners. These frequent users are not knowledgeable about the best practices for managing the certificates they own. With security teams being outnumbered by the certificate owners in DevOps, it is imperative to enforce consistent policies and responsibilities across the board. Defining clear roles and responsibilities for certificate owners and ensuring consistent policies for every team involved in the certificate lifecycle is the only way to avoid “blame games” that result from gaps in certificate management. These policies should include:
Having visibility into the certificate ecosystem and assigning clear and consistent policies can assist organizations spotting vulnerabilities and mitigating them before becoming a threat. Poorly managed certificates that are close to expiration or weak cryptographic keys pose significant security risks. For example, an expired certificate disabled TLS inspection systems that enabled the notorious breach at Equifax. By continuously monitoring the status of the certificates and having an early warning system an organization can:
The sheer number of certificates and the complexity of effectively managing the entire certificate lifecycle make manual processes time consuming and error prone. Clearly, manual processes are not adequate for the modern business environment. Organizations need to invest on an automation solution to prevent certificate outages, free up IT resources and end-users from hours of manual tasks related to certificate requests, issuance, provisioning, and renewal. In addition, automated certificate management can enable self-service workflows for users to request and renew certificates prior to expiration, automate provisioning and installation of certificates on network endpoints and schedule reporting to certificate owners or PKI admins.
The Venafi TLS Protect solution can help discover all your TLS certificates and corresponding private keys so you can protect these machine identities across your infrastructure. By automating the replacement of expiring certificates, you can eliminate outages and quickly respond to vulnerabilities, CA compromise, or other errors.