Secure Sockets Layer (SSL) certificates are an essential component of secure online transactions, and yet most (54 percent) of the 174 IT and information-security pros recently surveyed by Venafi admitted they have an inaccurate or incomplete inventory of their SSL certificate populations.
As Venafi points out, deploying encryption solutions without maintaining comprehensive certificate and key inventories is a worst practice that jeopardizes vital business systems and processes, while exposing organizations to substantial risk of security and compliance incidents.
But, hold on. The story gets even worse. The survey results also showed that:
More than four in ten (44 percent) of respondents manually manage digital certificates with spreadsheets and reminder notes, another worst practice that reflects a lack of risk recognition. Certificates and keys require regular maintenance, monitoring, rotation and secure distribution for systems and applications to function properly; manual handling makes it inherently difficult to track important information, such as certificates' expiration dates and the names of the issuing certificate authorities (CAs). Challenges like these can result in unplanned outages that lead to millions of dollars in lost revenue and brand damage, Venafi explains in a press release.
Nearly half (46 percent) of respondents indicated they could not generate reports to discover how many currently deployed digital certificates were set to expire within the next 30 days.
70 percent said their encryption systems were not integrated with their corporate directories.
43 percent of respondents said they do not have centralized corporate policies that mandate specific encryption-key lengths, certificate validity periods and private-key administration requirements. (To limit exposure to attackers, best practices and many regulations mandate strong encryption keys and certificate validity periods of no more than two years.)
More than half (54 percent) of respondents admitted to not having automated, repeatable and on-demand methods for providing certificate-population reports to organizational leadership and auditors, which makes it impossible for them to maintain accurate and comprehensive certificate inventories.
62 percent said they did not have automated processes for ensuring corporate-policy and regulatory compliance.
72 percent do not have an automated process to replace compromised certificates if their CA vendor is compromised.
44 percent of respondents acknowledged that they were worried about a CA compromise but had not yet re-evaluated their CA-compromise and related business-continuity strategies, while only 17 percent reported they had done so.
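The three capabilities the survey finds missing most often, an inventory of deployed certificates with their issuing CAs, a report of which ones expire within 30 days, and a check against a key-length and validity-period policy, are straightforward to automate once certificates are parsed rather than tracked in spreadsheets. The script below is an added example, not code from Venafi or from the article; it uses the third-party pyca `cryptography` package, and the two certificates it inventories are self-signed test certificates constructed in memory (the host labels are hypothetical), so it runs offline.

```python
"""Certificate inventory with a 30-day expiry report and policy checks.
Added example using the pyca 'cryptography' package; the certificates
inventoried here are constructed in-memory test data, not real ones."""
import datetime as dt
from dataclasses import dataclass

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


@dataclass
class CertRecord:
    name: str            # where the certificate was found (hypothetical label)
    subject: str
    issuer: str          # issuing CA, needed to react to a CA compromise
    not_before: dt.datetime
    not_after: dt.datetime
    key_bits: int
    sha256: str          # fingerprint, a stable identity for the inventory

    @property
    def validity_days(self) -> int:
        return (self.not_after - self.not_before).days

    def days_left(self, now: dt.datetime) -> int:
        return (self.not_after - now).days


def _aware_utc(cert, attr):
    # cryptography >= 42 exposes tz-aware *_utc properties; older versions
    # only return naive datetimes that are already in UTC.
    aware = getattr(cert, attr + "_utc", None)
    if aware is not None:
        return aware
    return getattr(cert, attr).replace(tzinfo=dt.timezone.utc)


def build_inventory(pem_by_name: dict) -> list:
    """Parse PEM blobs into CertRecords: the inventory most respondents lack."""
    records = []
    for name, pem in pem_by_name.items():
        cert = x509.load_pem_x509_certificate(pem)
        records.append(CertRecord(
            name=name,
            subject=cert.subject.rfc4514_string(),
            issuer=cert.issuer.rfc4514_string(),
            not_before=_aware_utc(cert, "not_valid_before"),
            not_after=_aware_utc(cert, "not_valid_after"),
            key_bits=cert.public_key().key_size,
            sha256=cert.fingerprint(hashes.SHA256()).hex(),
        ))
    return records


def expiring_within(records, days, now):
    """Certificates that expire within `days` of `now` (or already have)."""
    return [r for r in records if r.days_left(now) <= days]


def policy_violations(records, min_rsa_bits=2048, max_validity_days=730):
    """Flag keys weaker than policy and validity periods longer than policy."""
    findings = []
    for r in records:
        if r.key_bits < min_rsa_bits:
            findings.append((r.name, f"key {r.key_bits} bits < {min_rsa_bits}"))
        if r.validity_days > max_validity_days:
            findings.append((r.name, f"validity {r.validity_days} days > {max_validity_days}"))
    return findings


def make_self_signed(cn, key_bits, valid_days, now):
    """Constructed test data: a self-signed certificate, not one from a real CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = now.replace(tzinfo=None)  # the builder expects naive UTC
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + dt.timedelta(days=valid_days))
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)


NOW = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
# Constructed sample: one cert about to expire, one long-lived cert on a weak key.
SAMPLE = {
    "web-01 (hypothetical)": make_self_signed("web-01.example", 2048, 20, NOW),
    "legacy-vpn (hypothetical)": make_self_signed("vpn.example", 1024, 1095, NOW),
}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE)
    for r in expiring_within(inv, 30, NOW):
        print(f"EXPIRING {r.name}: {r.days_left(NOW)} days left, issuer {r.issuer}")
    for name, why in policy_violations(inv):
        print(f"POLICY {name}: {why}")
```

In practice `SAMPLE` would be replaced by certificates collected from hosts (for example by connecting to each listener and capturing the presented chain), and the `issuer` column is what lets you answer the survey's last question: which certificates must be replaced if a given CA is compromised.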
CA breaches are no longer just security risks. Clearly, they're also business continuity and compliance risks. And, it's time for businesses to start focusing on mitigating these increasingly significant threats.
"Organizations protect mission-critical and often regulated data with hundreds or thousands of encryption keys and digital certificates," said Jeff Hudson, Venafi CEO. "But as this survey reveals, too many companies have inaccurate or incomplete data about their security assets. The unquantified and unmanaged risks these certificates and keys pose is significant, risks magnified through the increasingly pervasive use in corporate data centers, cloud-based systems and mobile devices."