Four in five businesses suffered certificate-related outages last year, according to a report from Venafi. This was due to inadequate cryptographic controls significantly impact reliability and availability of critical services
Given how outages can impact vital services and systems such as payments or critical infrastructure, these results demonstrate how urgently businesses need to address the issue.
The global survey of 505 security professionals found that almost one in ten (8%) of British respondents said their business suffered over 100 outages last year, while a third of global businesses had at least six or more.
Almost two-thirds (64%) said their organisations could not respond to a certificate-related security event in six hours or less.
>See also: 3 steps to avoiding outage disasters
The leading cause of outages of this kind is that companies are simply missing the expiry date on their certificates and have no processes in place to automate renewal.
As the use of encryption explodes, the challenges connected with effective key and certificate management have proliferated. Recent research showed dramatic growth in the use of keys and certificates, especially among large organisations.
One of the primary drivers behind the surge in certificate usage is the explosion in the number of IP-enabled devices on business networks.
Another challenge organisations face is the adoption of DevOps and Fast IT development processes that dramatically increase the number of certificates needed.
This increase in certificates and their corresponding keys compounds the serious security vulnerabilities associated with cryptographic key and digital certificate mismanagement.
Many businesses are still unaware of the scale of this problem. Venafi customer data shows that the average organisation found over 16,500 unknown keys and certificates of which they were not previously aware.
Also, the new study shows that most companies do not have control over their key and certificate inventory, do not have an automated process for renewals and have no central record of when certificates are due to expire.
>See also: The cloud is great, but what happens when it goes down?
Almost two-thirds (65%) of organisations do not manage all their keys and certificates centrally.
Of those that do manage certificates centrally, 65% rely on security controls from their certificate authorities (CAs), which limit their visibility to certificates provided by the issuing CA.
“The good news is that certificate-related outages are completely preventable, but you need to understand the scale and the scope of the problem,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“As we use more cloud services, IoT devices and DevOps automation, certificate usage is skyrocketing. To keep up with this expanding problem, organisations must automate the discovery, issuance, lifecycle, and remediation of all keys and certificates from the data centre to the cloud to the IoT edge of their networks. Failure to do so puts the reliability and availability of critical services at risk and dramatically increases cyber security risks.”
