SSL certificates are a fundamental component of secure online transactions, but a majority of organizations admit that they have an inaccurate or incomplete inventory of their certificate populations, according to a new study conducted by Osterman Research on behalf of enterprise key and certificate management (EKCM) provider Venafi. Salt Lake City-based Venafi calls that a worst practice that presents a substantial risk of security and compliance incidents.
Osterman Research surveyed 174 IT and information security professionals and found that 54 percent of organizations have an inaccurate or incomplete inventory of their SSL certificate populations.
"People really don't have a good handle at all on what is going on in their environment with regard to SSL certificates and their management," said Jeff Hudson, CEO of Venafi.
And Hudson says the problem is really worse than that. While 54 percent of respondents admit they don't know, many others don't know what they don't know. Hudson pointed to one Venafi client, a large, well-regarded insurance company. The company was confident it had a complete inventory of its 3,000 SSL certificates. In its assessment, Venafi found a further 4,000 certificates the company owned that it didn't know about.
"The problem, numerically, is getting much worse," Hudson says. "Certificates are being used more and more. Just about any device that is being shipped now has certificates, up to and including printers. And printers have been compromised because of weak security. People were just watching all the output as it went out."
Manual Certificate Management Doesn't Cut It
Many organizations are also exhibiting worst practices when it comes to managing their certificates. Forty-four percent of the respondents said they manually manage their digital certificates using spreadsheets and reminder notes. That makes it difficult to track important information like expiration dates and the names of the certificate authorities (CAs) that issued the certificates. That's not an idle problem. Expired certificates can take business-critical websites offline for hours or even days.
"We found that nearly half of the respondents were not able to generate a report to tell management how many certificates would expire in the next 30 days," explains Michael Osterman, president of Osterman Research. "The fact that such a large percentage of people can't do something that should be very, very simple: they just can't do it."
Also, last year saw high-profile breaches of a number of CAs themselves, including RSA, Comodo and DigiNotar. And if a high-value target like a CA is breached, those responsible can use their access to create fraudulent certificates, Hudson explains. That means organizations have to know who the issuing authority is for all of their certificates and be prepared to swap them out as necessary. When these breaches happen, Hudson says, it's no longer just a security risk; it's a business-continuity risk. Finding affected certificates manually can take days or even weeks, but 72 percent of organizations do not have an automated process for replacing compromised certificates, according to the survey.
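The three tasks the article says organizations struggle with (producing a 30-day expiration report, knowing which CA issued each certificate so it can be swapped out after a CA compromise, and discovering certificates that the documented inventory never mentioned) are all simple queries once the inventory is structured data rather than a spreadsheet and reminder notes. The following script is an added example, not code from Venafi, Osterman Research or the survey; the inventory rows, the scan results, the hostnames and the reference date are constructed sample data, and `reconcile` assumes that a certificate is identified by its issuer plus serial number (a hostname alone is not unique, since one host can carry several certificates over time).

```python
"""Certificate inventory queries: reconciliation against a scan,
upcoming expirations, and certificates issued by a given CA.

Added example; not Venafi's or Osterman Research's code. All data
below is constructed for the demonstration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed "spreadsheet export" of the documented inventory.
INVENTORY_CSV = """host,serial,issuer,not_after
www.example.test,01,Example Root CA,2012-02-10
mail.example.test,02,Example Root CA,2012-06-30
vpn.example.test,03,Acme Public CA,2012-01-25
"""

# Constructed results of a network scan of the same environment. The
# printer's device certificate is the kind of thing a manual inventory
# misses: nobody wrote it down because nobody issued it on purpose.
SCAN_RESULTS = [
    ("www.example.test", "01", "Example Root CA", "2012-02-10"),
    ("mail.example.test", "02", "Example Root CA", "2012-06-30"),
    ("vpn.example.test", "03", "Acme Public CA", "2012-01-25"),
    ("printer-3f.example.test", "7a", "Printer Vendor Device CA", "2030-01-01"),
]


@dataclass(frozen=True)
class CertRecord:
    host: str
    serial: str
    issuer: str
    not_after: date

    @property
    def key(self) -> tuple[str, str]:
        # Assumption: issuer + serial uniquely identifies a certificate.
        return (self.issuer, self.serial)


def load_inventory(text: str) -> list[CertRecord]:
    """Parse the spreadsheet export into typed records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        CertRecord(r["host"], r["serial"], r["issuer"], date.fromisoformat(r["not_after"]))
        for r in reader
    ]


def load_scan(rows) -> list[CertRecord]:
    """Turn scan tuples (host, serial, issuer, not_after) into records."""
    return [CertRecord(h, s, i, date.fromisoformat(d)) for h, s, i, d in rows]


def expiring_within(certs, today: date, days: int = 30) -> list[CertRecord]:
    """The 30-day report: still valid today, but expiring by the cutoff."""
    cutoff = today + timedelta(days=days)
    return sorted(
        (c for c in certs if today <= c.not_after <= cutoff),
        key=lambda c: c.not_after,
    )


def already_expired(certs, today: date) -> list[CertRecord]:
    """Certificates that would already be taking sites offline."""
    return [c for c in certs if c.not_after < today]


def issued_by(certs, issuer: str) -> list[CertRecord]:
    """Everything that must be replaced if this CA is compromised."""
    return [c for c in certs if c.issuer == issuer]


def reconcile(inventory, scan) -> tuple[set[CertRecord], set[CertRecord]]:
    """Compare the documented inventory with what is actually deployed.

    Returns (undocumented, stale): certificates seen on the network but
    absent from the inventory, and inventory entries no longer seen.
    """
    inv = {c.key: c for c in inventory}
    seen = {c.key: c for c in scan}
    undocumented = {seen[k] for k in seen.keys() - inv.keys()}
    stale = {inv[k] for k in inv.keys() - seen.keys()}
    return undocumented, stale


if __name__ == "__main__":
    today = date(2012, 1, 15)  # constructed reference date
    inventory = load_inventory(INVENTORY_CSV)
    scan = load_scan(SCAN_RESULTS)
    undocumented, stale = reconcile(inventory, scan)
    print("Undocumented:", sorted(c.host for c in undocumented))
    print("Stale inventory entries:", sorted(c.host for c in stale))
    print("Expiring within 30 days:", [(c.host, c.not_after.isoformat()) for c in expiring_within(scan, today)])
    print("Issued by Acme Public CA:", [c.host for c in issued_by(scan, "Acme Public CA")])
```

The reconciliation runs over the scan results rather than the inventory, because the scan is the ground truth: an expiration report built only from the spreadsheet would have missed the printer certificate entirely, which is the 3,000-versus-7,000 problem Hudson describes.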