Venafi, the inventor and market leader of enterprise key and certificate management (EKCM) solutions, in conjunction with Osterman Research, today released the results of an extensive survey designed to determine how well organizations understand the risks associated with poor key and certificate management. Based on responses from 174 IT and information-security professionals, the survey reveals a significant lack of knowledge, understanding and oversight, resulting in a series of information-security vulnerabilities.
Fifty-four percent of respondents, for example, admit to having an inaccurate or incomplete inventory of their Secure Socket Layers (SSL) certificate populations. Deploying encryption solutions without maintaining comprehensive certificate and key inventories is a worst practice that jeopardizes vital business systems and processes, and exposes organizations to substantial risk of security and compliance incidents.
“The importance of sound certificate management practices is highlighted by the repeated certificate authority (generally referred to as CA) breaches over the past year,” said Michael Osterman, president of Osterman Research. “We were startled by the lack of urgency regarding the issue. When considered in tandem with the high-value target CAs represent to hackers, we can predict more CA breaches and more security threats than we saw in 2011.”
“Organizations protect mission-critical and often regulated data with hundreds or thousands of encryption keys and digital certificates,” said Jeff Hudson, Venafi CEO. “But as this survey reveals, too many companies have inaccurate or incomplete data about their security assets. The unquantified and unmanaged risks these certificates and keys pose is significant—risks magnified through the increasingly pervasive use in corporate data centers, cloud-based systems and mobile devices.”
Forty-four percent of respondents admitted to manually managing digital certificates with spreadsheets and reminder notes—another worst practice related to a lack of risk recognition. Certificates and keys require regular maintenance, monitoring, rotation and secure distribution for systems and applications to function properly. Manual handling makes it inherently difficult to track important information—such as certificates’ expiration dates and names of issuing certificate authorities (CAs). These challenges can result in unplanned outages that lead to millions of dollars in lost revenue and brand damage.
“To properly manage certificates, organizations must know when certificates are set to expire, what CAs issued them and their encryption-key strengths,” Hudson said. “Without knowing these attributes, enterprises have little hope of preventing certificates from unexpectedly expiring—a leading cause of unplanned system downtime. With 76 percent of respondents assuming that their certificate populations will grow in 2012, we know the risks will further escalate.”
The survey exposes the four primary types of risk associated with improper certificate and key management: operational, security, audit and compliance, and CA compromise.
Venafi publishes best practices for effective key and certificate management, and is the industry’s leading authority on the processes and practices that comprise the overall strategy for improved security and lowered risk. The EKCM best-practices portal is available for free to any organization.
Osterman Research was founded in 2011 and has become one of the leading analyst firms with expertise in research and survey methodology, providing analysis, white papers and other services to companies like Microsoft, IBM, Google, EMC, Symantec, Hewlett Packard and many others.
Get social with Venafi, interact on: