Fueled by the way in which our economy and society are becoming increasingly digitized, digital certificate volumes are rocketing. In 2019, the average company issued 39,000 certificates electronically. In 2020, that figure was 56,000.
- The rise is estimated to be in the order of 4.6% every year.
- Many certificate-heavy areas are booming, too, such as the IoT, Cloud and electronic signature sectors.
- New digital security frameworks like ZeroTrust and passwordless recommend digital certificates be used.
Digital certificates are now so central to IT security that managing their lifecycle and compliance has become a key priority.
In this article, we take a look at the six challenges inherent to managing electronic certificates, exploring everyday pitfalls security teams are forced to tackle using examples — and solutions.
1. MONITORING: 73% of IS departments say they have suffered service downtime linked to poorly managed certificate expiry.
“Three months ago, our e-commerce platform was down for several hours, and I thought: ‘never again’! The culprit was an expired digital certificate.”
Service downtime is probably the earliest and most visible consequence of failing to properly manage your digital certificates. The effects are felt immediately, and it’s a recurring topic on our Digitalberry blog. Here are just a few of the knock-on effects this can have:
- A single hour of service downtime costs around $300,000! If you don’t have a firm grip on your certificates, getting your application up and running again can take time. The average service downtime incident lasts from one to four hours. Which certificate is the problem? Where is it deployed? Who can solve the problem? If it’s a certificate issued by a public PKI, should you be calling your external supplier? The issue raises so many questions.
- The impact this can have on your brand image can be huge, too. If the downtime affects a website or app used by your end clients, things can get very messy, very quickly.
Around 60% of organizations have been hit by expired certificate-related service downtime over the past two years. So how do you prevent it from happening? If you don’t have in-depth knowledge of your infrastructure, and you manage thousands of certificates by hand, you can expect errors along the way.
2. INVENTORY: 71% of IS teams don’t have a clear overview of all their digital certificates.
“As things currently stand, I don’t have a clear idea of our digital certificates in terms of volumes, quality or uses. I don’t know all the places they are deployed, either.”
Security teams often end up having blind spots when it comes to their electronic certificates. How can you manage something you don’t know inside-out?
Let’s take a straightforward example that often crops up within organizations. Application operators frequently issue a bunch of digital certificates for specific teams and needs linked to the applications they manage. Often, these certificates aren’t inventoried correctly, and because security teams aren’t kept informed, they have no control over how they evolve (compliance and expiry dates).
Sound familiar? If so, there is a solution. Being able to scan your entire network, along with its devices and applications, gives you a complete, inventoried snapshot of all your digital certificates. Pair this with syncing your private PKIs and public CAs, and you’ll be equipped to identify every digital certificate in use across your organization.
This is precisely what CLM (Certificate Lifecycle Management) solutions set out to achieve: mapping out and centralizing your certificates within an inventory.
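The monitoring-and-inventory loop described in sections 1 and 2, as an added example written for this article (it is not Digitalberry’s or BerryCert’s code). The inventory records are constructed to look like the dictionary Python’s `ssl.SSLSocket.getpeercert()` returns for a scanned endpoint; the `host` key, the `INTERNAL_ISSUERS` set and the alert thresholds are assumptions standing in for what a network scan and a PKI sync would fill in. The report answers the outage-time questions from section 1: which certificate, where it is deployed, who issued it, and whether the escalation is internal or to an external supplier.

```python
"""Expiry monitoring over a certificate inventory (added example, constructed data)."""
import ssl
from datetime import datetime, timezone

# Constructed sample inventory: where each certificate was found, who issued it,
# and its validity window, in the string format getpeercert() uses.
INVENTORY = [
    {"host": "shop.example.test:443",
     "subject": ((("commonName", "shop.example.test"),),),
     "issuer": ((("commonName", "Public CA X1 (constructed)"),),),
     "notBefore": "Jan  1 00:00:00 2024 GMT",
     "notAfter": "Jan 31 00:00:00 2025 GMT"},
    {"host": "intranet.example.test:8443",
     "subject": ((("commonName", "intranet.example.test"),),),
     "issuer": ((("commonName", "Example Corp Internal CA"),),),
     "notBefore": "Dec 15 00:00:00 2023 GMT",
     "notAfter": "Dec 15 00:00:00 2024 GMT"},
    {"host": "api.example.test:443",
     "subject": ((("commonName", "api.example.test"),),),
     "issuer": ((("commonName", "Public CA X1 (constructed)"),),),
     "notBefore": "Jan  5 00:00:00 2024 GMT",
     "notAfter": "Jan  5 00:00:00 2025 GMT"},
    {"host": "vpn.example.test:443",
     "subject": ((("commonName", "vpn.example.test"),),),
     "issuer": ((("commonName", "Example Corp Internal CA"),),),
     "notBefore": "Jun  1 00:00:00 2024 GMT",
     "notAfter": "Jun  1 00:00:00 2025 GMT"},
]

# Issuers operated in-house (assumption); any other issuer is an external
# supplier the team would have to call during an outage.
INTERNAL_ISSUERS = {"Example Corp Internal CA"}

WARNING_DAYS = 30    # first alert
CRITICAL_DAYS = 7    # page the on-call engineer

# Fixed reference time so the demo is reproducible; main() uses the real clock.
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def issuer_cn(record):
    """Pull the commonName out of the nested getpeercert()-style issuer tuple."""
    for rdn in record["issuer"]:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return "<unknown issuer>"


def days_until_expiry(record, now):
    """Whole days from `now` until notAfter; negative once the certificate has expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(record["notAfter"]), tz=timezone.utc)
    return (expiry - now).days


def classify(days_left):
    """Map days remaining onto an alert level."""
    if days_left < 0:
        return "expired"
    if days_left <= CRITICAL_DAYS:
        return "critical"
    if days_left <= WARNING_DAYS:
        return "warning"
    return "ok"


def expiry_report(inventory, now=None):
    """One row per certificate, most urgent first: host, issuer, escalation path, days left, status."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for record in inventory:
        days_left = days_until_expiry(record, now)
        cn = issuer_cn(record)
        rows.append({
            "host": record["host"],
            "issuer": cn,
            "escalate_to": "internal PKI team" if cn in INTERNAL_ISSUERS else "external CA supplier",
            "days_left": days_left,
            "status": classify(days_left),
        })
    rows.sort(key=lambda r: r["days_left"])
    return rows


if __name__ == "__main__":
    for row in expiry_report(INVENTORY):
        print(f"{row['status']:8} {row['days_left']:5d}d  {row['host']:30} {row['issuer']} -> {row['escalate_to']}")
```

Feeding the real output of a network scan (for example the `getpeercert()` dictionaries collected from each listening port) into `expiry_report` in place of the constructed `INVENTORY` turns this into the daily alert job; the thresholds and the internal-issuer set are the only pieces that need tailoring to the organization.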
3. AUTOMATION: Without a helping hand, managing an entire series of electronic certificates is incredibly time-consuming and labor-intensive.
“My teams have so much to do, keeping a document updated with all our external and internal certificates becomes a messy headache. These are time-consuming tasks nobody really wants to handle.”
Each new month seems to usher in a brand-new digital challenge. Cybersecurity is a fast-paced sector in which stacks and stacks of projects land on IS department desks, each seemingly more urgent than the last. For teams, everyday tasks become complex, littered with long-winded manual processes that lead to human error. Managing all your certificates and making sure they’re compliant takes time. Did you know that a third of IS teams still use Excel to manage their electronic certificates’ lifecycles?
Crypto agility is needed in response to issues surrounding certificate revocation, CA compromise, algorithm deprecation, and PKI migration.
More than just a solution, automation is becoming a non-negotiable in terms of security and managing all your digital certificates, allowing you to monitor expiry dates and revoke or deploy certificates. CLM (Certificate Lifecycle Management) tools boost IS team productivity by 50%.
4. STREAMLINING: Creating and streamlining processes for digital certificate renewal, request and deployment.
“We currently have no clearly defined process for managing our electronic certificates: we have multiple sources of information, nothing is centralized, and everybody just kind of freestyles.”
IS departments and operational teams need simplified processes and management systems. One example is having identical processes for requesting, renewing and deploying certificates across the board, whether they come from an internal or a public PKI.
Using a one-stop-shop solution with a user-friendly interface lets you set up seamless workflows that allow teams to easily put in their requests by selecting what the certificate is to be used for, complete with pre-set technical parameters — all managed and approved by your security teams.
This is precisely what CLM solutions do in their role as control towers for digital certificates.
5. EXPERTISE: Mitigating a lack of expertise in digital certificates and PKI aspects more generally.
“The security engineer tasked with managing our internal PKIs and digital certificates left the company, taking his knowledge with him.”
There are no two ways about it: PKIs and digital certificates are a specialist subject, and the different kinds are frequently mixed up within organizations: internal and external certificates, web and app certificates, and so on.
This often becomes all too apparent during service downtime incidents. As explained above, when this happens, you generally need very clear, very precise information: how do you find the certificate in question? Where is it deployed? How do you revoke or renew it?
How do you centralize all this information and keep it up-to-date? What you need is a single easy-to-use tool to serve as a real-time database of information: in other words, a CLM solution.
6. COMPLIANCE: How do you make sure your certificates comply with regulations and best practices?
“Our staff regularly receive security alerts for self-signed certificates: practices that undermine our organization’s security.”
Browsers are requiring new standards to be met, such as shorter lifespans for SSL certificates. On top of the sharp rise in certificate volumes, we’re seeing an increase in management tasks per certificate, too. The maximum lifespan recommended by the CA/Browser Forum dropped from two years to 13 months in September 2020, and browsers were swift to enforce the guideline, which means many more renewals are now necessary.
Compliance also covers certificate attributes such as the DNS names in the SAN (Subject Alternative Name) and limits on the number of names per certificate. There are also cryptographic keys and hash algorithms to contend with. Finally, today’s security practices build in restrictions on aspects such as the use of wildcard certificates, and certificate blacklisting. Beyond certificate compliance, private keys that can be transferred, copied and re-used further undermine your organization’s IT security, too.
New initiatives such as Certificate Transparency and the use of TPMs (Trusted Platform Modules) set out to make the certificate-issuing process even more secure.
A CLM solution lets you centralize your compliance policy and ensure your certificates remain compliant, keeping you responsive and agile in the event of compromise.
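The compliance checks listed in section 6, as an added example written for this article (not Digitalberry’s or BerryCert’s code). Each inventory record is constructed: the `getpeercert()`-style fields plus `key_type`, `key_bits` and `sig_hash`, which are assumed to be filled in by whatever scanner parsed the certificate. The `POLICY` thresholds are illustrative except for the 398-day (13-month) lifetime, which is the browser limit the text refers to. The example goes slightly beyond the text by also flagging self-signed certificates, the case behind the alerts quoted above.

```python
"""Policy compliance checks over an inventory of certificates (added example, constructed data)."""
import ssl

POLICY = {
    "max_lifetime_days": 398,      # the 13-month browser limit in force since September 2020
    "max_san_names": 25,           # organization-specific cap on names per certificate (assumption)
    "allow_wildcards": False,
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "weak_hashes": {"md5", "sha1"},
    "distrusted_issuers": {"Legacy Root CA (constructed)"},   # certificate blacklisting
}

# Constructed sample inventory.
INVENTORY = [
    {   # public certificate: compliant except for a wildcard name the policy forbids
        "host": "shop.example.test:443",
        "subject": ((("commonName", "shop.example.test"),),),
        "issuer": ((("commonName", "Public CA X1 (constructed)"),),),
        "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan 31 00:00:00 2025 GMT",
        "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "*.shop.example.test")),
        "key_type": "RSA", "key_bits": 2048, "sig_hash": "sha256",
    },
    {   # the self-signed certificate behind the security alerts: two-year, SHA-1, 1024-bit
        "host": "legacy-app.example.test:8443",
        "subject": ((("commonName", "legacy-app.example.test"),),),
        "issuer": ((("commonName", "legacy-app.example.test"),),),
        "notBefore": "Jan  1 00:00:00 2023 GMT", "notAfter": "Jan  1 00:00:00 2025 GMT",
        "subjectAltName": (),
        "key_type": "RSA", "key_bits": 1024, "sig_hash": "sha1",
    },
    {   # clean EC certificate
        "host": "api.example.test:443",
        "subject": ((("commonName", "api.example.test"),),),
        "issuer": ((("commonName", "Public CA X1 (constructed)"),),),
        "notBefore": "Jan  5 00:00:00 2024 GMT", "notAfter": "Jan  5 00:00:00 2025 GMT",
        "subjectAltName": (("DNS", "api.example.test"),),
        "key_type": "EC", "key_bits": 256, "sig_hash": "sha256",
    },
]


def common_name(name):
    """commonName from a getpeercert()-style nested name tuple, or None."""
    return next((v for rdn in name for a, v in rdn if a == "commonName"), None)


def lifetime_days(record):
    """Validity period in days, computed from the notBefore/notAfter strings."""
    start = ssl.cert_time_to_seconds(record["notBefore"])
    end = ssl.cert_time_to_seconds(record["notAfter"])
    return (end - start) / 86400


def check_certificate(record, policy=POLICY):
    """Return the list of policy findings for one certificate; [] means compliant."""
    findings = []
    days = lifetime_days(record)
    if days > policy["max_lifetime_days"]:
        findings.append(f"lifetime {days:.0f}d exceeds {policy['max_lifetime_days']}d")
    dns_names = [v for kind, v in record.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        findings.append("no DNS name in SAN")
    elif len(dns_names) > policy["max_san_names"]:
        findings.append(f"{len(dns_names)} SAN names exceeds {policy['max_san_names']}")
    if not policy["allow_wildcards"] and any(n.startswith("*.") for n in dns_names):
        findings.append("wildcard name in SAN")
    if record["sig_hash"].lower() in policy["weak_hashes"]:
        findings.append(f"weak signature hash {record['sig_hash']}")
    min_bits = policy["min_key_bits"].get(record["key_type"])
    if min_bits is None:
        findings.append(f"unsupported key type {record['key_type']}")
    elif record["key_bits"] < min_bits:
        findings.append(f"{record['key_type']} key {record['key_bits']} bits below {min_bits}")
    if record["subject"] == record["issuer"]:
        findings.append("self-signed")
    if common_name(record["issuer"]) in policy["distrusted_issuers"]:
        findings.append("issuer is blacklisted")
    return findings


def compliance_report(inventory, policy=POLICY):
    """Map each host to its findings so non-compliant certificates can be scheduled for reissue."""
    return {r["host"]: check_certificate(r, policy) for r in inventory}


if __name__ == "__main__":
    for host, findings in compliance_report(INVENTORY).items():
        print(f"{host:36} {'OK' if not findings else '; '.join(findings)}")
```

Keeping the policy in one dictionary is the point of centralizing compliance: when a browser shortens the permitted lifetime again or a hash algorithm is deprecated, the threshold changes in one place and the next run of the report lists every certificate that now needs reissuing.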
Using a CLM solution gives you complete control over your digital certificates!
As you’ll have gathered by now, CLM (Certificate Lifecycle Management) solutions are the best route to seamlessly managing all your digital certificates. There are just two figures worth remembering when it comes to CLM tools:
- Productivity: +50%
- Risk of downtime: -90%
At Digitalberry, we offer BerryCert, turnkey certificate management software:
- Track down and map out all your digital certificates
- Centralize your processes
- Keep informed with the alert system
- Automate your certificate lifecycle