In the first post in my Management Mayhem blog series, I wrote about how most CIOs don’t realize the full scope of their machine identity environment and where it may be exposed. In this post, I’d like to look at why managing that environment may cost more than you’d ever imagine.
Most organisations measure only the direct management cost of managing machine identities. That is, how many people do I have employed that renew, revoke, and approve certificate requests. But this approach is somewhat limiting and will give them a fiscal number that is far below their actual costs.
To understand the true cost of certificate management, let’s consider the real-life process of requesting or renewing a digital certificate in a typical enterprise environment. We also need to look at how involved a given business or operations person is in this lengthy process.
It’s fairly straightforward really. A user will send a ticket (often in the form of an email or message) to the PKI team to request/renew a certificate. The PKI team sends them back a link or information on how to do that. They will usually need to generate a certificate signing request (CSR), which is often a detailed and confusing process. The average user is qualified to run a line of business, not a PKI, so they often won’t know what a CSR is. So, they consult Dr Google, or seek advice from the Help Desk.
But that’s just the beginning of the process. Once they finally learn about how to generate a CSR, and create one and it goes to PKI team, there is a high likelihood that it will be rejected due to a user error. The beleaguered requester then fixes the error and resubmits. (This may occur multiple times).
Many take the short cut of copying and pasting their last CSR, which will be accepted as valid. However, this will only generate a new certificate it will not generate a new set of keys, so the requester’s system will still be vulnerable. The only possible upside to this less-than-ideal situation is that no one knows (about this security policy breach) including the requester, as the certificate won’t expire and create an outage. The certificate hides away and waits for its secret vulnerability to be discovered, most likely by someone who’s actually looking for it, or already found the keys previously, (such as…I don’t know…a cyber criminal?)
But let’s get back to the process. For an external certificate, the requester now needs approval before the CSR can be submitted to the CA provider for certificate generation. The requester may need multiple layers of approval for certain types of certificates or machine identities. As time is short, chasing approvals usually involves a call to the Help Desk.
Finally, the requester receives an email with a link to download the certificate which involves entering a password that the requester submitted several days ago. At this point, they have probably forgotten the password and…call the Help Desk. At last, the requester gets a new password, downloads the certificate and they are all done.
Well. No, they are not quite done.
The certificate has to be manually installed somewhere in a key store. Is that in the application, on the physical device or on the operating system? The old certificate may expire before the requester understands this step, which will trigger an outage. Either way, they call the Help Desk. In an attempt to be helpful, the Help Desk will talk the requester through the step-by-step process or send them a set of complex instructions, which need to be deciphered and followed.
Finally, the certificate will be safely installed and hopefully activated. Maybe, due to inexperience, the requester has provided their privileged system access to a help desk person (who happens to be unauthorised) to trouble shoot for them. This shared privileged access is unlikely to be revoked, and never expires.
Now, let’s look at the cost and productivity loss of this entire, convoluted process.
Productivity lost at the business layer: 1.5 hours up to 3 hours. Not tracked.
Cost of Help Desk time: 30 minutes up to 2 hours or more. Not tracked
Cost of PKI Desk time: 15-30 minutes. Most likely the only tracked cost.
In addition, time delays for approvals are most likely 24-48 hours, but I have many examples of 2 weeks for approval.
All of the above cost and productivity estimates exclude the hours that may be spent in war rooms solving unexpected certificate expirations, tracking down business owners who have changed positions (a very time-consuming problem to solve), identifying lost locations of certificate installation or unearthing locations where the copies of the certificate have been placed.
All told, you could be looking at around 2-6 hours per certificate per year. At a conservative hourly rate of $75 for a fully burdened IT professional, you’re absorbing a cost of up to $450 per certificate installation. And 25% of organizations have at least 10,000 certificates. So, you can easily anticipate hundreds of thousands of dollars wasted on manual certificate installation. But when you factor in certificates for cloud and DevOps, the number can reach millions.
Read my next blog to see how automating the certificate life cycle will help lower your costs to just a fraction of the amount we outlined above. Plus, you’ll relieve your business line managers of a tedious burden.
How much time can you save by implementing an automated self-service portal for your organization’s certificates?