Management Mayhem, Part 2: Why Machine Identities Are Costing More than You’d Think

November 13, 2018 | Terrie Anderson

In the first post in my Management Mayhem blog series, I wrote about how most CIOs don’t realize the full scope of their machine identity environment and where it may be exposed. In this post, I’d like to look at why managing that environment may cost more than you’d ever imagine.  

Most organisations measure only the direct cost of managing machine identities. That is, how many people do I have employed to renew, revoke, and approve certificate requests? But this approach is limiting, and it produces a fiscal number that is far below the actual cost. 

To understand the true cost of certificate management, let’s consider the real-life process of requesting or renewing a digital certificate in a typical enterprise environment. We also need to look at how involved a given business or operations person is in this lengthy process. 

It’s fairly straightforward really. A user will send a ticket (often in the form of an email or message) to the PKI team to request/renew a certificate. The PKI team sends them back a link or information on how to do that. They will usually need to generate a certificate signing request (CSR), which is often a detailed and confusing process. The average user is qualified to run a line of business, not a PKI, so they often won’t know what a CSR is. So, they consult Dr Google, or seek advice from the Help Desk.  

But that’s just the beginning of the process. Once they finally learn how to generate a CSR, create one, and send it to the PKI team, there is a high likelihood that it will be rejected due to a user error. The beleaguered requester then fixes the error and resubmits. (This may occur multiple times.) 

Many take the short cut of copying and pasting their last CSR, which will be accepted as valid. However, this will only generate a new certificate; it will not generate a new set of keys, so the requester’s system will still be vulnerable. The only possible upside to this less-than-ideal situation is that no one (including the requester) knows about this security policy breach, as the certificate won’t expire and create an outage. The certificate hides away and waits for its secret vulnerability to be discovered, most likely by someone who’s actually looking for it, or who already found the keys previously (such as…I don’t know…a cyber criminal?). 
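The key-reuse problem described above is invisible in the renewal workflow but easy to detect after the fact: two certificates issued from the same CSR carry the same SubjectPublicKeyInfo (SPKI), so comparing SPKI fingerprints of the old and "renewed" certificate tells you whether the key pair was actually rotated. The script below is an added example, not code from the original post or from Venafi; it assumes the openssl CLI is installed, generates throwaway keys locally, and stands in for the CA by self-signing the CSRs (a real CA-issued certificate would be checked the same way).

```shell
#!/bin/sh
# Added example (not from the original post): detect private-key reuse across a
# certificate "renewal" by comparing SPKI fingerprints of the old and new cert.
# Assumes the openssl CLI; all key material is generated locally and discarded.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# spki_fingerprint CERT -> SHA-256 over the DER-encoded SubjectPublicKeyInfo.
# Serial, validity dates and issuer do not affect it; only the public key does.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | sed 's/^.*= //'
}

# key_reused OLD_CERT NEW_CERT -> exit 0 when both certs carry the same public key.
key_reused() {
    [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

# issue_cert CSR KEY OUT -> self-signed certificate from the CSR (stand-in for a CA).
issue_cert() {
    openssl x509 -req -in "$1" -signkey "$2" -days 30 -out "$3" 2>/dev/null
}

# Scenario 1: the original certificate, from a fresh key and CSR.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/old.key" 2>/dev/null
openssl req -new -key "$WORK/old.key" -subj "/CN=app.example.test" -out "$WORK/old.csr"
issue_cert "$WORK/old.csr" "$WORK/old.key" "$WORK/old.crt"

# Scenario 2: "renewal" by re-submitting the old CSR: new serial and dates, same key.
issue_cert "$WORK/old.csr" "$WORK/old.key" "$WORK/reused.crt"

# Scenario 3: proper renewal with a newly generated key pair and a new CSR.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/new.key" 2>/dev/null
openssl req -new -key "$WORK/new.key" -subj "/CN=app.example.test" -out "$WORK/new.csr"
issue_cert "$WORK/new.csr" "$WORK/new.key" "$WORK/fresh.crt"

# report OLD NEW -> one line per comparison, suitable for a renewal audit log.
report() {
    if key_reused "$1" "$2"; then
        echo "KEY REUSED: $(basename "$2") carries the same public key as $(basename "$1")"
    else
        echo "key rotated: $(basename "$2") has a new public key"
    fi
}
report "$WORK/old.crt" "$WORK/reused.crt"
report "$WORK/old.crt" "$WORK/fresh.crt"
```

Run against an inventory, the same comparison (old certificate versus its replacement, keyed by subject or by installation location) flags every renewal that kept its private key, which is exactly the class of certificate the paragraph above says nobody notices because it never causes an outage.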

But let’s get back to the process. For an external certificate, the requester now needs approval before the CSR can be submitted to the CA provider for certificate generation. The requester may need multiple layers of approval for certain types of certificates or machine identities. As time is short, chasing approvals usually involves a call to the Help Desk. 

Finally, the requester receives an email with a link to download the certificate which involves entering a password that the requester submitted several days ago. At this point, they have probably forgotten the password and…call the Help Desk. At last, the requester gets a new password, downloads the certificate and they are all done.   

Well. No, they are not quite done. 

The certificate has to be manually installed somewhere in a key store. Is that in the application, on the physical device or on the operating system? The old certificate may expire before the requester understands this step, which will trigger an outage. Either way, they call the Help Desk. In an attempt to be helpful, the Help Desk will talk the requester through the step-by-step process or send them a set of complex instructions, which need to be deciphered and followed.  

Finally, the certificate will be safely installed and hopefully activated. Maybe, due to inexperience, the requester has handed their privileged system access to a help desk person (who happens to be unauthorised) to troubleshoot for them. This shared privileged access is unlikely to be revoked, and never expires. 

Now, let’s look at the cost and productivity loss of this entire, convoluted process.  

  • Productivity lost at the business layer: 1.5 hours up to 3 hours. Not tracked. 
  • Cost of Help Desk time: 30 minutes up to 2 hours or more. Not tracked. 
  • Cost of PKI Desk time: 15-30 minutes. Most likely the only tracked cost. 

In addition, time delays for approvals are most likely 24-48 hours, but I have many examples of 2 weeks for approval. 

All of the above cost and productivity estimates exclude the hours that may be spent in war rooms solving unexpected certificate expirations, tracking down business owners who have changed positions (a very time-consuming problem to solve), identifying lost locations of certificate installation or unearthing locations where the copies of the certificate have been placed.  

All told, you could be looking at around 2-6 hours per certificate per year. At a conservative hourly rate of $75 for a fully burdened IT professional, you’re absorbing a cost of up to $450 per certificate installation. And 25% of organizations have at least 10,000 certificates. So, you can easily anticipate hundreds of thousands of dollars wasted on manual certificate installation. But when you factor in certificates for cloud and DevOps, the number can reach millions.  

Read my next blog to see how automating the certificate life cycle will help lower your costs to just a fraction of the amount we outlined above. Plus, you’ll relieve your business line managers of a tedious burden.  

How much time can you save by implementing an automated self-service portal for your organization’s certificates?  

About the author

Terrie Anderson

Terrie Anderson writes for Venafi's blog and is an expert in machine identity protection.