SSL certificates are cornerstone security elements for many enterprises. Yet new research shows that few organizations have deployed effective processes for securely managing those certificates.
A study from Osterman Research has found that the majority of enterprises don't have an accurate inventory of their SSL certificate population. For those that do track the certs they have, 44 percent of the survey's 174 IT security professional respondents admitted that their digital certs are manually managed with spreadsheets and reminder notes.
Furthermore, 46 percent admitted that they didn't have the ability to generate a report that would tell them how many certs are expiring in the next 30 days. Of particular concern is the finding that 72 percent did not have an automated process to replace any compromised certificates.
The issue of SSL certificate risk is not a theoretical one. SSL Certificate Authorities including Comodo and more recently DigiNotar have had their infrastructure attacked, leaving compromised certificates in their wake.
Some 70 percent of respondents also noted that their security certification systems were not linked to their corporate directories. As such, if there is employee turnover, notifications to certificate owners might not be properly directed. Key length is another issue which the Osterman survey found to be lacking. Forty-three percent said their organizations did not have a corporate policy around certificate encryption key length. That's a problem for items like PCI compliance, where 2,048 bit keys are required.
Inadequate Policies Increase Risk Exposure
For the study's author, the findings were not surprising.
"We find in general when we do studies of this sort that the majority of organizations really don't have policies that can keep up with modern needs," Michael Osterman, president of Osterman Research, told InternetNews.com.
The Osterman study was sponsored by enterprise key and certificate management vendor Venafi and helps to validate the need for their solutions.
Jeff Hudson, CEO of Venafi told InternetNews.com that there are several questions that he asks his potential customers. He asks if they know where the digital security certificates are deployed on their network as well as when they are set to expire. He also asks if the company knows how long it would take them to replace compromised certificates. According to Hudson, the inability to answer those questions means there is an increased risk of a breach or some kind of security outage.
Venafi is now launching a free solution called Assessor, which is an entry-level tool to help enterprises begin to better understand their security certificate situation. The Assessor technology is able to indentify where certificates are on a network and provides information on their status.
"Assessor helps to turn assumptions into hard data," Hudson said. After using Assessor to identify the level of risk, organizations can use Venafi's Director product to address the issue.
"What Assessor does is it gives a summary view of where the risks are and then if somebody decides they need to act they can engage with us and purchase Director which is our paid product," Hudson said. "Director provides really in-depth information that they can act on."