Skip to main content
banner image
venafi logo

Rogue Certificates and Shadow IT: The Underbelly of Digital Certificate Growth

Rogue Certificates and Shadow IT: The Underbelly of Digital Certificate Growth

June 20, 2022 | David Bisson

The average number of digital certificates owned by organizations has grown over the past few years. A Ponemon study sponsored by Entrust reported that the number of certificates reached 56,192 for the average enterprise in 2020. That’s 43% higher than it was the previous year at 39,197.

Such growth in part reflects the fact that many organizations have transitioned to a remote or hybrid work model following the events of 2020. Along the way, those entities have found themselves increasingly relying on digital technology and services to serve their business requirements. It also highlights how organizations have been investing in bringing on new Internet of Things (IoT) devices, cloud services, and applications into their environment over the past few years. The result is that machine identities now far outnumber human identities. Organizations need a way to secure all these resources along with the communication between them.

Tale of 3 Clouds eBook: How Venafi Creates Digital Transformation
More certificates, more management problems

This increase in digital certificates has complicated certificate management, exposing organizations to greater risk of a certificate outage. In a recent report covered by Help Net Security, for instance, nearly two-thirds of enterprises said that they were concerned about how much time they were spending on managing certificates. Over a third (37%) said that their certificate management process involved more than three different departments in the organization, leading to confusion and complicating visibility. This is evident in organizations now having an average of 1,200 unmanaged certificates, per the study. It’s also apparent in how two-thirds of organizations revealed that they experienced outages caused by certificates expiring unexpectedly, with 25% going on to admit that they suffered as many as six outages between April and October 2021.

These certificate management struggles have exacerbated two issues in particular. These are rogue certificates and shadow IT. Let’s explore both below:

  • Rogue certificates
    Just as a reminder, a rogue certificate is a legitimate certificate issued by a trusted Certificate Authority (CA) that someone has succeeded in compromising. It may also be the result of a trusted CA issuing a legitimate certificate to an incorrect entity. This is the objective of an impersonation attack where a malicious actor attempts to convince a Registration Authority (RA) that they’re someone else such as an employee at a targeted organization. They leverage that ruse to try to trick the RA into issuing them a certificate for that target.

    Rogue certificates threaten organizations’ security because they enable threat actors to bypass traditional security solutions. Specifically, they provide attackers with access to the private key that’s necessary for securing communications and data against unauthorized use. Malicious actors can then misuse that trust to mimic a targeted organization and conduct follow-up attacks against its customers and/or partners.

  • Shadow IT
    Shadow IT is when someone in the organization connects hardware, software, or other Information Technology (IT) to the network without letting IT know. As such, shadow IT complicates certificate management by making it more difficult for teams to obtain comprehensive visibility over their employer’s resources. Indeed, the first two Critical Security Controls identified by the Center for Internet Security involve building an inventory of enterprise hardware and software for a reason. Security and IT personnel can’t defend what they don’t know about. This also applies to machine identities, keys, and certificates. Teams can’t renew or revoke what they don’t know about. With shadow IT, organizations are therefore at greater risk of suffering an outage, which increases their vulnerability to an attack.
How can organizations overcome these obstacles?

To address the challenges associated with rogue certificates, organizations can use automated tools that provide real-time threat intelligence and alerts. Those solutions can inform organizations of malicious actors attempting to obtain rogue certificates from other entities in their same industry, for example. Additionally, organizations might consider using a machine identity management platform to help them fulfill their evolving operational needs, emerging industry best practices, and compliance requirements on an ongoing basis.

As for shadow IT, organizations need to get ahead of the problem and invest in their ability to discover and manage all identities, regardless of whether they’re human or machine in nature. This first step involves admitting that shadow IT is an issue in the organization. From there, IT, security, and other key stakeholders can work together to address the problem and thereby bring greater visibility to keys and certificates across the enterprise.

Click here for additional certificate management best practices.

Related Posts

Like this blog? We think you will love this.
Featured Blog

Lloyd's Backs Off Insurance for State-Sponsored Cyberattacks

Cyber related businesses are ‘e

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more