Close to half of respondents said they manually manage digital certificates with spreadsheets and reminder notes, according to a survey of 174 IT and information security professionals from a range of industries.
“What the auditors are looking for is somebody to certify where the certificates are, where the keys are, and how long they have been in place. And they want an automated report, not something on a spreadsheet”, observed Jeff Hudson, chief executive officer of Venafi.
The survey identified four primary risks associated with improper certificate and key management: security, operational, audit and compliance, and certificate authority (CA) compromise risks.
A full 43% of respondents said they do not have centralized corporate policies that mandate specific encryption-key lengths, certificate validity periods, and private-key administration requirements.
“If you don’t have a policy, people make their own decisions on what is good enough security”, Hudson observed. “Somebody might say, ‘We don’t have to separate the ownership of the public key from the private key because it is easier to administer a system if we don’t do that.’ But the security guys would say, ‘No, we have to do that. If we don’t do that, we are going to run afoul of PCI compliance or Sarbanes-Oxley.’ So these are the problems you can run into”, Hudson told Infosecurity.
Around 46% of respondents indicated that they could not generate reports to discover how many currently deployed digital certificates were set to expire within the next 30 days. Venafi is offering a product, called Venafi Assessor, that enables organizations to quantify certificate populations and qualify risks based on industry best practices, Hudson explained.
According to the survey, 70% of respondents said their encryption systems were not integrated with their corporate directories; 54% of respondents admitted to not having automated, repeatable, and on-demand methods for providing certificate-population reports to organizational leadership and auditors; and 62% did not have automated processes for ensuring corporate-policy and regulatory compliance.
Close to three-quarters of respondents did not have an automated process to replace compromised certificates if their CA vendor was compromised, as happened last year at Comodo affiliates and at DigiNotar. A full 44% of these respondents acknowledged that they were worried, but had not yet re-evaluated their CA compromise and related business continuity strategies, while only 17% had.
“People are starting to recognize that they don’t have a way to replace compromised certificates if the certificate authority they use is compromised. This is a big business continuity issue. If the certificate authority you are using is compromised, the question is, ‘Are the certificates you received from them a valid security instrument?’ If they are not, you either run in a compromised mode or you shut down”, Hudson noted.
“When a business continuity problem intersects with an operational risk, a compliance risk, or a reputational risk, people start moving on it”, he concluded.
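As an added illustration, not from the article or from Venafi's product, the following Go code runs the checks the survey says most respondents could not automate: certificates expiring within a 30-day window, RSA key lengths and validity periods outside a central policy, and certificates issued by a CA that has since been compromised. The `Policy`, `Assess` and `MakeCert` names, the policy values and the CA names are assumptions for the example; `MakeCert` only builds constructed test certificates so the report can be exercised offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is the centralised rule set the survey found 43% of organisations lack (values are the caller's).
type Policy struct {
	MinRSABits                int             // mandated minimum RSA key length
	MaxValidity, ExpiryWindow time.Duration   // longest allowed lifetime; "expires within" report window
	DistrustedCA              map[string]bool // issuer CNs (e.g. a compromised CA) whose certs must be replaced
}
// Assess produces the report the respondents could not generate: one line per
// imminent expiry, policy violation, or certificate issued by a distrusted CA.
func Assess(certs []*x509.Certificate, pol Policy, now time.Time) []string {
	var report []string
	for _, c := range certs {
		flag := func(msg string, a ...any) { report = append(report, c.Subject.CommonName+": "+fmt.Sprintf(msg, a...)) }
		if left := c.NotAfter.Sub(now); left <= pol.ExpiryWindow {
			flag("expires in %d days", int(left.Hours()/24))
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < pol.MinRSABits {
			flag("RSA key is %d bits, policy minimum is %d", k.N.BitLen(), pol.MinRSABits)
		}
		if c.NotAfter.Sub(c.NotBefore) > pol.MaxValidity {
			flag("validity period exceeds policy maximum")
		}
		if pol.DistrustedCA[c.Issuer.CommonName] {
			flag("issued by compromised CA %q, must be replaced", c.Issuer.CommonName)
		}
	}
	return report
}
// MakeCert signs a constructed test certificate (not a real deployment cert); the issuer name is set separately.
func MakeCert(key *rsa.PrivateKey, subject, issuer string, notBefore time.Time, days int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subject},
		NotBefore: notBefore, NotAfter: notBefore.Add(time.Duration(days) * 24 * time.Hour)}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}} // PublicKey nil: no key-match check
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

In a real deployment the inventory would be fed from the certificate discovery that the spreadsheet-driven respondents lack, and the report would be exported for auditors rather than printed.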