Certificate management: Remember to enforce PKI lifecycle automation

More often than we’d like to admit, we tend to underestimate the impact of every moving part within an organisation – especially those that seem small or insignificant. Usually, it’s not until we’re facing the fallout of neglecting that seemingly insignificant factor that we realise the significance of the mistake we’ve made. Take certificate management.

Mozilla, the open-source browser company, failed to take care of a certificate renewal, which disabled Firefox browser add-ons for millions of users across the world on Saturday, May 4 2019. The root cause of the issue was found to be an expired intermediate certificate, which the company was using to digitally sign Firefox extensions. Apart from disabling the extensions, this also prevented users from reinstalling or reactivating Firefox add-ons.

The cost of disregarded digital identities

This isn’t the first time an expired certificate has contributed to service outages. Tech giants such as Equifax, LinkedIn and Ericsson, amongst others, have overlooked the importance of digital certificate management, falling victim to data breaches, service downtimes, and many other repercussions.

A recent Ponemon report clearly outlines the price organisations pay when they disregard these valuable digital identities and certificate management.

● Out of 600 IT security professionals surveyed, 74% of respondents stated that unmanaged security certificates have caused, and continue to be one of the predominant reasons for, unexpected service downtimes
● The average expected cost for an organization experiencing service downtimes from expired certificates will be $11.1 million over the next two years
● Yet, 71 percent of respondents stated they don’t know how many keys and certificates their organizations hold

These figures indicate that although there’s awareness of the need for certificate life cycle management, most organisations have a long way to go when it comes to implementation.

Automation is the best approach

Why automation? Because humans make mistakes—and lots of them.

Though certificate renewal isn’t rocket science, it’s an extremely critical task. But it can be challenging for administrators to manually keep track of the expiration dates of thousands of certificates deployed to hundreds of servers, especially in large organisations. Imagine having to discover all the active SSL certificates in your organisation manually, while keeping tabs on their usage and renewing certificates that are about to expire—all without missing a single one. Managing certificates manually is an extremely daunting and highly error-prone task.

Therefore, the best way to deal with this scenario is to enforce automation on all your certificate management operations. Ideally, your organisation’s certificate management strategy should include a solution that can streamline and automate the management of certificate life cycles. In addition to discovering all the existing certificates and consolidating them in a centralised repository, the solution should be able to request and acquire certificates from third-party certificate authorities, deploy the certificates to their respective end-point servers, and alert administrators when certificates are about to expire, all from a single pane of glass.
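
As an added illustration (not part of the original article and not any vendor's product), the sketch below takes a constructed certificate inventory and reports, for each deployed certificate, whichever certificate in its issuing chain expires first, so an expiring intermediate like the one in the Firefox incident surfaces alongside leaf certificates. The record layout, subjects, hosts and dates are all assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory, one record per discovered certificate.
# Subjects, hosts and dates are invented for this example.
INVENTORY = [
    {"subject": "Example Root CA", "issuer": "Example Root CA",
     "not_after": "Jan  1 00:00:00 2035 GMT", "hosts": []},
    {"subject": "Example Signing CA", "issuer": "Example Root CA",
     "not_after": "Jun 10 00:00:00 2024 GMT", "hosts": []},
    {"subject": "Example Web CA", "issuer": "Example Root CA",
     "not_after": "Jan  1 00:00:00 2030 GMT", "hosts": []},
    {"subject": "addons.example.test", "issuer": "Example Signing CA",
     "not_after": "Mar  1 00:00:00 2026 GMT", "hosts": ["sign01"]},
    {"subject": "www.example.test", "issuer": "Example Web CA",
     "not_after": "Jun 20 00:00:00 2024 GMT", "hosts": ["web01", "web02"]},
    {"subject": "api.example.test", "issuer": "Example Web CA",
     "not_after": "Dec  1 00:00:00 2024 GMT", "hosts": ["api01"]},
]

def not_after(cert):
    """Parse the OpenSSL-style notAfter string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["not_after"]), timezone.utc)

def chain(cert, by_subject):
    """Walk issuer links from a certificate up to its self-signed root."""
    seen, path = set(), []
    while cert and cert["subject"] not in seen:
        seen.add(cert["subject"])
        path.append(cert)
        cert = by_subject.get(cert["issuer"])  # None if the issuer was never inventoried
    return path

def expiry_report(inventory, now, warn_days=30):
    """For each deployed certificate, report the chain member that expires first."""
    by_subject = {c["subject"]: c for c in inventory}
    rows = []
    for cert in (c for c in inventory if c["hosts"]):
        weakest = min(chain(cert, by_subject), key=not_after)
        days = (not_after(weakest) - now).days
        status = "EXPIRED" if days < 0 else "RENEW" if days <= warn_days else "OK"
        rows.append((days, status, cert["subject"], weakest["subject"], cert["hosts"]))
    return sorted(rows, key=lambda r: r[0])  # most urgent first

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for days, status, subject, weakest, hosts in expiry_report(INVENTORY, now):
        print(f"{status:8}{days:5}d  {subject:22} limited by {weakest}  hosts={','.join(hosts)}")
```

In this constructed data the signing certificate itself is valid until 2026, yet it tops the report because its issuing intermediate expires in nine days.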

Organisations should now be using platforms that allow centralised control and automate life cycle management—from acquisition and deployment to tracking renewal, usage, and expiration—for all certificates within the organisation’s network.

Shwetha Sankari, Product Consultant, ManageEngine.
