Management Mayhem, Part 3: How to Avoid the Hidden Costs of Certificate Management

January 15, 2019 | Terrie Anderson

When looking at the internal costs of issuing a certificate, management often measures only the 15-30 minutes spent by the PKI desk to issue a certificate. But that is not a complete representation of the costs. In fact, I have never once seen a true record that factors in the lost productivity across the enterprise. As I outlined in my last blog, I estimate that the average organization exhausts somewhere between 2 and 6 hours per certificate per event, which includes requests, renewals, revocations and retiring a certificate.

So now we have some additional data to estimate the cost per event. But that number is also inflated by the frequency of certificate events, which is rising dramatically. As machine identities now last anywhere between a few hours and 2 years, many certificates are replaced several times a year. With security postures recommending a move to 90 days maximum validity, certificate events represent a cost with serious potential for blowout.

Not only that, but the demand for machine identities continues to skyrocket, driven largely by cloud and DevOps initiatives. Developers need security at speed, and that is not negotiable. However, current approval and renewal processes are not designed for today’s cloud and DevOps world.

As a result, developers often turn to self-signed certificates and shadow certificate authorities (CAs) to meet their fast IT needs. While these certificates are initially free, they represent a potential productivity cost down the road, because they are rarely tracked in enterprises that do not have an enterprise-grade, role-based machine identity platform. This behaviour steadily increases the vulnerability of enterprises to outages and breaches.

All of these factors drive the average large enterprise to use at least 10,000 machine identities (this number can rise by orders of magnitude to hundreds of thousands in many enterprises). Even if we assume that you have only one event per certificate per year (and you could have many more), you are talking about a cost of between 20,000 and 60,000 hours per year! This represents productivity loss of millions of dollars in most large enterprises.

Let’s say you want to lower these costs. Reducing the number of certificates isn’t an option. The cold, hard reality is that if you don’t have this many machine identities, then you don’t have a good security posture!

The only way to prevent this kind of hidden productivity drain is to install a machine identity platform that allows you to maximise zero-touch certificate renewals where possible, and minimise human error and impact where you require some manual intervention. Utopia is, of course, for you to move to 100% automated management of machine identities, performed entirely by a machine (platform) that never makes an error or misses a deadline. But that is not feasible. Yet.

The best place to start is with the least-skilled stakeholders. They tend to spend the most time figuring out the nuances of the certificate life cycle and are more likely to make mistakes. Enabling a self-help certificate portal for business units will help to remove load from expensive help desk staff and improve the overall quality of your certificate attributes.

Even with high levels of self-service and automation, you’ll still need to monitor your complete universe of machine identities. To do this, you’ll need a single dashboard showing all your machine identities, with access to information such as business owners, where the certificates and digital keys reside, and a history of where they are used and copied. This intelligence can save you hundreds of hours if you experience a security event, such as an outage, a CA distrust event or a compromise. Simply being able to locate all impacted certificates quickly gives you a faster route to mitigating large-scale events.

Minimizing your exposure to a security event will lower potential productivity costs. A complete 360-degree view should include security compliance issues such as key length, algorithm, validity duration and role-based authority. A robust management platform covering all the keys and certificates that make up your machine identities will also help you validate that you have no rogue identities, inactive certificates or exposed keys. You will also need historical data for non-repudiation, forensics and compliance audits.
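The two preceding paragraphs describe what a machine identity inventory should let you check: key length, algorithm, validity duration, inactive certificates, rogue or shadow-CA issuers, missing business owners, copies of key material, and the ability to locate everything issued by a given CA when that CA is distrusted or compromised. The following is an added example written for this page, not Venafi code or a description of any product: a minimal compliance sweep over inventory records. The record layout, the policy thresholds (2048-bit RSA, 256-bit EC, SHA-256/384 signatures, the 90-day ceiling the post mentions) and the "approved issuer" names are assumptions, and the sample inventory is constructed rather than taken from any real scan.

```python
"""Compliance sweep over a certificate inventory (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed policy thresholds for this example. The 90-day ceiling follows the
# post's remark that security guidance is moving to 90 days maximum validity.
POLICY = {
    "min_rsa_bits": 2048,
    "min_ec_bits": 256,
    "allowed_sig_algs": {
        "sha256WithRSAEncryption", "sha384WithRSAEncryption",
        "ecdsa-with-SHA256", "ecdsa-with-SHA384",
    },
    "max_validity_days": 90,
    # Hypothetical approved internal issuing CAs; anything else is treated as a
    # shadow CA (or a self-signed certificate) by this sweep.
    "approved_issuers": {"CN=Corp Issuing CA 1", "CN=Corp Issuing CA 2"},
}

# Fixed "current time" so the example is deterministic (the post's publication date).
NOW = datetime(2019, 1, 15, tzinfo=timezone.utc)


@dataclass
class CertRecord:
    """One row of a certificate inventory, as a discovery scan would record it."""
    subject: str
    issuer: str
    key_type: str            # "RSA" or "EC"
    key_bits: int
    sig_alg: str
    not_before: datetime
    not_after: datetime
    owner: Optional[str]     # business owner; None when nobody is recorded
    locations: List[str]     # hosts/paths where the certificate and key were found


def audit(rec: CertRecord, now: datetime = NOW, policy: Dict = POLICY) -> List[str]:
    """Return the compliance findings for one certificate (empty list if clean)."""
    findings: List[str] = []
    if rec.key_type == "RSA" and rec.key_bits < policy["min_rsa_bits"]:
        findings.append(f"weak key: RSA-{rec.key_bits}")
    elif rec.key_type == "EC" and rec.key_bits < policy["min_ec_bits"]:
        findings.append(f"weak key: EC-{rec.key_bits}")
    if rec.sig_alg not in policy["allowed_sig_algs"]:
        findings.append(f"disallowed signature algorithm: {rec.sig_alg}")
    validity_days = (rec.not_after - rec.not_before).days
    if validity_days > policy["max_validity_days"]:
        findings.append(f"validity {validity_days} days exceeds {policy['max_validity_days']}")
    if rec.not_after < now:
        findings.append("expired certificate still present (inactive identity)")
    if rec.issuer == rec.subject:
        findings.append("self-signed certificate")
    elif rec.issuer not in policy["approved_issuers"]:
        findings.append(f"issuer not approved (shadow CA?): {rec.issuer}")
    if rec.owner is None:
        findings.append("no business owner recorded")
    if len(rec.locations) > 1:
        findings.append(f"key material copied to {len(rec.locations)} locations; verify each is authorised")
    return findings


def sweep(inventory: List[CertRecord], now: datetime = NOW) -> Dict[str, List[str]]:
    """Audit every record; map subject -> findings for the non-compliant ones only."""
    report: Dict[str, List[str]] = {}
    for rec in inventory:
        findings = audit(rec, now)
        if findings:
            report[rec.subject] = findings
    return report


def impacted_by_issuer(inventory: List[CertRecord], issuer: str) -> List[str]:
    """Subjects chaining to one CA, for a distrust or compromise response."""
    return sorted(rec.subject for rec in inventory if rec.issuer == issuer)


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def build_sample_inventory() -> List[CertRecord]:
    """Constructed sample records (hostnames and paths are invented for illustration)."""
    return [
        CertRecord("CN=web01.example.internal", "CN=Corp Issuing CA 1", "RSA", 3072,
                   "sha256WithRSAEncryption", _utc(2018, 12, 1), _utc(2019, 2, 28),
                   "web-platform", ["web01:/etc/ssl/web01.pem"]),
        CertRecord("CN=legacy-pay.example.internal", "CN=Corp Issuing CA 2", "RSA", 1024,
                   "sha1WithRSAEncryption", _utc(2016, 12, 31), _utc(2018, 12, 31),
                   "payments", ["legacy-pay:/opt/app/server.pem"]),
        CertRecord("CN=dev-api.local", "CN=dev-api.local", "EC", 256,
                   "ecdsa-with-SHA256", _utc(2018, 6, 1), _utc(2019, 6, 1),
                   None, ["dev-api:/srv/certs/api.pem", "ci-runner:/tmp/api.pem", "laptop-42:~/api.pem"]),
        CertRecord("CN=api-gw.example.internal", "CN=Corp Issuing CA 2", "EC", 384,
                   "ecdsa-with-SHA384", _utc(2019, 1, 1), _utc(2019, 3, 31),
                   "api-platform", ["api-gw:/etc/ssl/gw.pem"]),
    ]


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for subject, findings in sweep(inventory).items():
        print(subject)
        for f in findings:
            print("  -", f)
    print("Impacted by Corp Issuing CA 2:", impacted_by_issuer(inventory, "CN=Corp Issuing CA 2"))
```

Run as a script, the sweep flags the legacy payments certificate (1024-bit RSA, SHA-1, two-year validity, already expired) and the developer's self-signed certificate (one-year validity, no owner, key copied to three places), while the two policy-conformant certificates produce no findings; the issuer lookup then lists both certificates chaining to the second CA, which is the list you would need on the day that CA had to be distrusted.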

Just like in the physical world, copying keys is cheap. Allowing them to be used for illicit entry is expensive. But your real business value does not reside physically within your office walls. It’s in the connections and commerce of the digital world. Are you doing enough to protect the digital keys and certificates that comprise your machine identities?

About the author

Terrie Anderson

Terrie is Country Manager (ANZ) for Forescout Technologies Inc., and a speaker and futurist in Digital Enterprise Leadership, Cyber Security Strategy and Workplace of the Future.