Do You Know Where Your Digital Certificates and Encryption Keys Are?

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Companies today are turning to encryption and digital certificates to secure their data and networks in dramatic numbers, but Venafi, a provider of Enterprise Key and Certificate Management (EKCM) solutions, says most of these security assets are lost, stolen or simply unaccounted for in epidemic proportions.

"One of the things we have experienced through our customers is this explosion in SSL certificates usage," said Jeff Hudson, chief executive officer of Venafi. "There is a groundswell need to make sure servers can identify themselves. When you have one certificate, you have one person managing it, and you have a policy, it's pretty easy. But as you grow, it gets out of control."

In its 2011 Venafi Encryption Key and Digital Certificate Management Report, released Tuesday, the company noted that a staggering 51 percent of respondents said they had experienced either stolen or unaccounted for digital certificates, or they were uncertain if their organizations had lost, stolen or unaccounted for digital certificates. Additionally, 54 percent reported they had experienced either stolen or unaccounted for encryption keys, or that they were uncertain if their organizations had lost, stolen or unaccounted for encryption keys in general.

Venafi compiled its results from market and analyst report research and a 471-respondent survey that included managers to C-level executives from enterprise organizations across a range of industries.

"Over half of the people who responded to this survey have unaccounted for digital certificates," Hudson said. "When they look, they have found certificates on that network they didn't know existed. Certificates on servers can enter the network and nobody knows."

Hudson noted that having unaccounted for digital certificates on a network is a bit like running a physical high-security facility and having unauthorized people walking around.

"It doesn't make a lot of sense for obvious reasons," he said. "Losing digital certificates is the same as putting great locks on your doors but then putting a key underneath the mat, giving one to the handy man, all the children, the delivery guy…all of a sudden you have no idea who has access to your house. They keys are all over the place."

It's the same with encryption keys, he said if the keys are not managed, it's not worth encrypting your data.

"If you want to do a good job encrypting you have to know who has the keys and be able to rotate them and expire them," he said.

While digital certificates and encryption keys are critical components of information security programs, they can become dangerous liabilities if they fall into the wrong hands. Hudson noted that it is well documented that digital certificates played a key role in the Stuxnet attack that destroyed multiple centrifuges in an Iranian nuclear facility in July 2010.

Much of the problem with managing digital certificates and encryption keys can be attributed to the explosive growth in their use. Venafi found that 46 percent of its respondents are managing at least 1,000 digital encryption certificates, and 20 percent are managing more than 10,000. Further, 88 percent of organizations have multiple administrators managing encryption keys, and 22 percent have more than 10 administrators managing the keys. In addition, 83 percent of organizations manage technologies from at least two different certificate authorities (CAs), and 18 percent deal with more than five CAs. Forty-two percent of organizations manage encryption technologies from at least four vendors, while eight percent are dealing with more than 10 vendors.

"One of the things we do when we work with prospects is we help them do a survey of where all their certificates are," Hudson said. "Then we sit down and go through what their current processes are for managing these things. Managing this stuff is hugely manually intensive. There are people in it everywhere. Sometimes they aren't even documented."

He added, " All these things are actually about the movement of keys and the movement of data around keys, and all of that can be done in an automated way."

To help manage the problem, Venafi on Tuesday announced Venafi Encryption Director 6, designed to automate management of digital certificates and encryption keys out of the box, with automated discovery, monitoring, validation, management and security. Hudson noted that it is designed for interoperability across heterogeneous environments, and to provide rapid scalability and orchestration capabilities.

Director 6 includes SSH Key Manager, Certificate Manager, Symmetric Key Manager, agent-based onboard discovery and monitoring, advanced management partitioning across firewall boundaries, enhanced operation network validation and alerting, expanded analysis and reporting of consolidated key and certificate management logs, and an actionable key and certificate management dashboard.

Venafi said Encryption Director 6 will ship in the second quarter of 2011.

Thor Olavsrud is a contributor to eSecurityPlanet.com and a former senior editor at InternetNews.com. He covers operating systems, standards and security, among other technologies.

Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.