Certificate-Related Outages Affect 79 Percent of Businesses
February 2, 2017
New study from Venafi finds inadequate cryptographic controls significantly impact reliability and availability of critical services
Venafi, the leading provider of protection for cryptographic keys and digital certificates that protect machine-to-machine communication, today announced the results of a study1 into the scale, frequency and causes of certificate-related outages. Certificate-related outages negatively impact the reliability and availability of vital systems and services.
“Certificates and keys are identity and access management for machines, just like user names and passwords are for humans,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “Certificates allow machines to communicate securely and that makes them an essential, but underappreciated, part of every organization’s digital ecosystem and our global digital economy. When certificates expire unexpectedly, critical services can be impacted. Unfortunately, most businesses do not have the visibility or tools necessary to manage this fundamental element of cyber security and operational availability effectively.”
The primary study findings include:
The majority (79 percent) of respondents suffered at least one certificate-related outage in 2016.
Over a third (38 percent) suffered more than six certificate-related outages in 2016.
Almost one in twenty (4 percent) suffered 100 or more certificate-related outages in 2016.
Almost two-thirds (64 percent) said their organizations could not respond to a certificate-related security event in six hours or less.
One of the primary drivers behind the surge in certificate usage is the explosion in the number of IP-enabled devices on business networks. Another challenge organizations face is the adoption of DevOps and Fast IT development processes that dramatically increase the number of certificates needed. This increase in certificates and their corresponding keys compounds the serious security vulnerabilities associated with cryptographic key and digital certificate mismanagement.
Almost two-thirds (65 percent) of organizations do not manage all their keys and certificates centrally.
Of those that do manage certificates centrally, 65 percent rely on security controls from their Certificate Authorities (CAs), which limit their visibility to certificates provided by the issuing CA.
“The good news is that certificate-related outages are completely preventable, but you need to understand the scale and the scope of the problem,” continued Bocek. “As we use more cloud services, IoT devices and DevOps automation, certificate usage is skyrocketing. To keep up with this expanding problem, organizations must automate the discovery, issuance, lifecycle, and remediation of all keys and certificates from the data center to the cloud to the IoT edge of their networks. Failure to do so puts the reliability and availability of critical services at risk and dramatically increases cyber security risks.”