More than half have incomplete or inaccurate inventory of their certs, new Osterman-Venafi report finds
Feb 23, 2012 | 03:41 PM | 4 Comments
By Kelly Jackson Higgins
Certificate authorities (CAs) are still reeling from the wave of hacks against them over the past year. And it turns out that most of their customers are struggling to keep on top of their SSL certificates despite the increased threats. A new survey found that 54 percent of organizations say they don't have a complete or correct accounting of their SSL certificates, and 44 percent manage their lifecycle manually -- with Post-It notes and spreadsheets.
Michael Osterman, president of Osterman Research, which was commissioned by key management vendor Venafi to conduct the survey, says he was shocked by the lack of a sense of urgency about properly managing and protecting digital certificates. "Organizations are already behind in properly managing their certificate population via manual policies. With the expected growth in certificates, we anticipate more incursions, certificate breaches and other risks than we saw in 2011," he said in a statement.
The survey of 174 IT and IT security pros had several red flags about digital certificate management. Some 72 percent of organizations don't have an automated process in place in case their CA is hacked, so they can't automatically replace digital certificates. The risk there, of course, is a website or application outage in the event of an expired certificate.
Many (46 percent) can't even generate a report on digital certificates that are about to expire; it's a manual process to track certs that are reaching their expiration date.
"The survey confirmed our suspicions" based on what we've seen out there, says Jeff Hudson, CEO of Venafi. "People don't know what the hell's going on out there [with their certificates]."
One insurance company Venafi had worked with said they had 5,000 digital certificates, but when Venafi surveyed their inventory, they actually had twice that many. "The survey mirrors the real-world of what we see," he says.
Nearly 45 percent say they were worried about their lack of an automated certificate replacement process but haven't yet revisited the issue. Some 17 percent say they have re-evaluated this process in case of a CA emergency.
Some 70 percent of the respondents say their encryption systems are not integrated with the corporate directory, and 43 percent say they have no policy on encryption-key lengths, certificate validity periods, or private-key administration. Meanwhile, 76 percent say their digital certificate use will increase this year.
Venafi today also released a free tool, called Assessor, that lets organizations check their digital certificate inventory: it scans an organization's network for digital certificates and their encryption keys, and offers remediation recommendations. It's a software module that runs in a virtual machine environment.
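The two gaps the survey keeps returning to, no report of certificates about to expire and no way to find certificates issued by a CA that has been compromised, both reduce to the same thing: a script that walks an inventory of certificates, reads each one's validity period and issuer, and sorts the results by urgency. The example below is added here to show that logic; it is not Venafi's Assessor or any code from the article. It uses only the Python standard library, so it carries a minimal DER walker for the X.509 fields it needs (issuer and subject commonName, notBefore, notAfter), handling both the optional `[0]` version field that v1 certificates omit and the UTCTime/GeneralizedTime switch at 2050 that RFC 5280 mandates. The certificates it scans are constructed, unsigned skeletons built by `make_cert`, the names (`example.test`, `Breached CA`) are placeholders, and `expiry_report`, `cert_info` and the other function names are this example's own.

```python
"""Stdlib-only certificate inventory report: parse DER X.509 validity and issuer, flag risk."""
from datetime import datetime, timedelta, timezone

SEQ, INT, OID, NULL, UTF8, UTCTIME, GENTIME, SET, CTX0 = 0x30, 0x02, 0x06, 0x05, 0x0C, 0x17, 0x18, 0x31, 0xA0
OID_CN = bytes([0x55, 0x04, 0x03])  # id-at-commonName 2.5.4.3


def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def children(seq):
    """Split the content of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        out.append((tag, val))
    return out


def name_cn(name):
    """Pull the commonName out of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                return value.decode("utf-8")
    return "<no CN>"


def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == UTCTIME:  # YYMMDDHHMMSSZ; RFC 5280 maps 50-99 to 19xx and 00-49 to 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_info(der_bytes):
    """Extract subject CN, issuer CN and validity from a DER-encoded certificate."""
    _, cert, _ = read_tlv(der_bytes, 0)
    fields = children(children(cert)[0][1])  # tbsCertificate
    if fields[0][0] == CTX0:                  # explicit [0] version; absent in v1 certs
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = [parse_time(t, v) for t, v in children(fields[3][1])]
    return {"subject": name_cn(fields[4][1]), "issuer": name_cn(fields[2][1]),
            "not_before": not_before, "not_after": not_after}


def expiry_report(certs, now, warn_days=30, distrusted_issuers=()):
    """Classify each cert; rows come back sorted so the most urgent item is first."""
    rows = []
    for c in certs:
        info = cert_info(c)
        days = (info["not_after"] - now).days
        if info["issuer"] in distrusted_issuers:
            status = "REPLACE: issuer distrusted"
        elif days < 0:
            status = "EXPIRED"
        elif days <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        rows.append((info["subject"], info["issuer"], days, status))
    return sorted(rows, key=lambda r: r[2])


# --- constructed sample inventory: unsigned skeleton certs with placeholder names, no real keys ---
def make_name(cn):
    return der(SEQ, der(SET, der(SEQ, der(OID, OID_CN) + der(UTF8, cn.encode()))))


def make_time(dt):  # UTCTime through 2049, GeneralizedTime from 2050 on, as RFC 5280 requires
    if 1950 <= dt.year < 2050:
        return der(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())
    return der(GENTIME, dt.strftime("%Y%m%d%H%M%SZ").encode())


def make_cert(subject_cn, issuer_cn, not_before, not_after, v3=True):
    sig_alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))  # sha256WithRSAEncryption
    tbs = (der(CTX0, der(INT, b"\x02")) if v3 else b"") + der(INT, b"\x01") + sig_alg
    tbs += make_name(issuer_cn) + der(SEQ, make_time(not_before) + make_time(not_after)) + make_name(subject_cn)
    tbs += der(SEQ, b"")  # subjectPublicKeyInfo placeholder
    return der(SEQ, der(SEQ, tbs) + sig_alg + der(0x03, b"\x00"))  # empty signature BIT STRING


NOW = datetime(2012, 2, 23, tzinfo=timezone.utc)
INVENTORY = [
    make_cert("www.example.test", "Example CA", NOW - timedelta(days=365), NOW + timedelta(days=400)),
    make_cert("mail.example.test", "Example CA", NOW - timedelta(days=360), NOW + timedelta(days=10)),
    make_cert("old.example.test", "Legacy CA", NOW - timedelta(days=800), NOW - timedelta(days=5), v3=False),
    make_cert("vpn.example.test", "Breached CA", NOW - timedelta(days=100), NOW + timedelta(days=600)),
    make_cert("far.example.test", "Example CA", NOW, datetime(2055, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for subject, issuer, days, status in expiry_report(INVENTORY, NOW, distrusted_issuers=("Breached CA",)):
        print(f"{subject:20} issued by {issuer:12} {days:6d} days left  {status}")
```

In practice the inventory would come from a network scan or from the PEM files on each host (strip the `-----BEGIN CERTIFICATE-----` armour and base64-decode to get the DER bytes this walker expects), and the distrusted-issuer list is the operational hook for the CA-compromise case: when a CA is withdrawn, a single run over the inventory yields the list of certificates to reissue rather than a manual hunt through spreadsheets. The walker reads only what the report needs; it performs no signature or chain validation, so it is an inventory tool, not a trust decision.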