The time to automate your digital certificate management has arrived


By Avesta Hojjati, Head of Research and Development, DigiCert

When it comes to PKIs and certificate management, close attention and careful scrutiny are required. A single organisation may need to oversee scores, hundreds or even thousands of certificates – each with its own specifications, lifespan and configuration. It’s a complex task which few are capable of on their own. What’s more, failure – in the form of an unanticipated expiry or outage – comes with a high price.

Certificate outages are a common problem. In 2019, 60 percent of organisations experienced a certificate-related outage.

New developments as well as old problems are forcing increased attention on certificate management. The adoption of new technologies – such as Internet of Things devices – is behind an exponential expansion in enterprise certificate needs. Furthermore, major browsers recently halved maximum certificate lifespans from two years to just one. If enterprises weren’t paying attention to certificates before, they have to now.

Automating certificate management is increasingly being looked to as a way to mitigate the threats involved in such a critically important task. But organisations frequently run into problems along the way and either stall their plans for automation, halt them entirely or at best fail to reap the rewards that automation offers.

The foremost problem that organisations encounter when trying to automate is knowing their own environment. In February, the Ponemon Institute released a study showing that 74 percent of organisations could not say which certificates they were using. It comes as little surprise that 55 percent of their respondents suffered over four certificate outages in the last four years.

However, that simply won’t do. Organisations need to know their environments inside and out – they need to know where their nodes are located, they need to know what kind of web servers and operating systems they use and they need to know how certificates are used within their environment. Many unfortunately don’t.

That’s not always an easy job either. There is a great amount of diversity within enterprise networks. While one department might use an Apache web server, another might use nginx. Those nuances have to be accommodated too if automation is to spread throughout an environment.

That task is getting harder too. Enterprises are growing with a diverse set of new technologies such as the IoT or APIs. They too have unique requirements and configurations and have to be mapped and accommodated when planning for automation.

A recent survey found that 80 percent of organisations expect TLS usage to grow by 25 percent over the next five years. That’s partly due to that increasing complexity within the enterprise. That complexity comes with risks if improperly managed. Another survey revealed that 85 percent of CIOs believe that the growing complexity within IT systems is going to make certificate outages much more damaging.

Many organisations are unaware of these complexities within the corporate network. Without a concentrated effort they’ll find themselves missing out on automation’s promises, or risk the expiry and outages of undiscovered certificates.

Primarily they need to gain visibility into their environments, and specifically their certificates: which ones they have, how they are used and how they’re configured. A certificate management platform with discovery tools can help here.

Certificate Discovery tools use sensors and agents to scan a network in order to find all the TLS/SSL certificates within a given environment, regardless of the certificate authority that issued them. They’ll unearth a wealth of information including certificate statuses, issuing authorities, ports and IP addresses of the host, security ratings, expiration dates, vulnerabilities and other security issues. Because each certificate is unique, the information gleaned here can assist in mapping the rest of your environment.

Once all of your certificates have been discovered they can be organised on a central management platform and the work of automating renewal, revocation, request, provisioning and update functions can begin. From there, enterprises can start using standardised automation protocols such as Automated Certificate Management Environment (ACME), Simple Certificate Enrollment Protocol (SCEP) or Enrollment over Secure Transport (EST), or REST APIs, to install certificate management agents on their now-discovered web servers. It’s those agents which will be used to automate the request, renewal and revocation of certificates.
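As an added example (not DigiCert’s code, nor a tool described in this article), the per-certificate assessment step a discovery tool performs once it has fetched a server’s certificate: it records issuer, validity and names, and raises the findings the article calls out (expiry, lifespans beyond the new one-year ceiling, certificates from an authority the organisation did not approve). The sample record, host names and issuer names are constructed; the approved-issuer list, the 30-day warning window and the 398-day lifespan limit (the browser-enforced figure behind the "one year" in the text) are assumptions.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("organizationName", "Example Internal CA"),),
               (("commonName", "Example Issuing CA 1"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",   # two-year lifespan: exceeds the one-year limit
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "www.shop.example.test")),
}

def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested tuple form."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def fetch_peercert(host, port=443, timeout=5.0):
    """Live discovery step for one host:port (not exercised offline). Default verification
    is kept on, so a chain the scanner's trust store does not accept raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def assess(host, cert, now, approved_issuers, warn_days=30, max_lifespan_days=398):
    """Turn one discovered certificate into an inventory record plus a list of findings.
    `now` is a UTC epoch timestamp; `approved_issuers` lists organizationName values."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    issuer = _rdn_value(cert["issuer"], "organizationName")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = (not_after - now) / 86400
    findings = []
    if days_left < 0:
        findings.append("EXPIRED")
    elif days_left <= warn_days:
        findings.append("EXPIRING_SOON")
    if (not_after - not_before) / 86400 > max_lifespan_days:
        findings.append("LIFESPAN_OVER_LIMIT")
    if issuer not in approved_issuers:
        findings.append("UNAPPROVED_ISSUER")
    # Exact-name check only; wildcard SANs are not expanded here.
    if host not in sans and _rdn_value(cert["subject"], "commonName") != host:
        findings.append("HOSTNAME_MISMATCH")
    return {"host": host, "issuer": issuer, "days_left": round(days_left),
            "sans": sans, "findings": findings}
```

In a real scan, `fetch_peercert` is called per discovered host and its result fed to `assess`; records with non-empty findings are what the central platform queues for renewal or review.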

As certificate lifespans have now been shortened to one year, organisations can also consider investing in multi-year plans, so that certificates are renewed automatically, avoiding unplanned expirations and ultimately outages.

Automation is going to have some huge benefits when it comes to certificate management. Enterprises will save time, labour, money and so much more. They’ll avoid the creeping threat of certificate expiry, circumvent the costly outages that threaten the enterprise and be in a far better position to adopt new technologies. With cyberattacks in India increasing by as much as 500% since the COVID-19 lockdown was imposed in March last year, protecting sensitive business data has become more important than ever. Hence it has become imperative for organisations to realise the full potential of automation while remaining alert to the risk of exposing themselves to other threats.
