Bad certificate, encryption key management plagues organizations

Some companies have more than 10,000 digital certificates deployed, and they are managing them manually on spreadsheets, according to a survey of 471 managers and C-level executives conducted by Venafi. Fifty-nine percent of respondents worked at organizations with more than 5,000 employees.

A full 46% of respondents are managing at least 1,000 digital certificates, and 20% are managing more than 10,000.

Jeff Hudson, Venafi CEO, told Infosecurity that the number of digital certificates has been “exploding”, growing at a rate of 150% to 200% per year. “And these certificates are not being managed well”, he said.

Hudson explained that if these certificates are not managed properly and are allowed to expire, this can disrupt servers and other systems, and open up networks to hackers.

“If you don’t manage certificates, unauthorized certificates can get in there and somebody can act as an authenticated entity on the network, when in fact they are not”, he said. Regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), require organizations to manage their digital certificates, he added.

The survey also found that 83% of organizations are managing technologies from at least two different certificate authorities; 18% are dealing with more than five.

The survey also found that 88% of organizations have multiple administrators managing encryption keys, and 22% have more than 10. Also, 42% of organizations manage encryption technologies from at least four vendors; 8% manage technologies from more than 10 vendors.

“If you encrypt information, you have to give employees encryption keys. But if you don’t rotate them, if you don’t expire them, if you don’t know who has them and what they are doing with them, you get in a situation where you might as well not have them”, he said. The risk from unaccounted-for encryption keys and certificates is “unquantified and unmanaged”, he added.

Venafi’s new Director 6 platform enables organizations to automate the discovery, monitoring, validation, management, and security of digital certificates and encryption keys. New to Director 6 is symmetric key and SSH key management. “This is what our customers are asking for… Bad management of encryption keys and certificates causes big problems”, Hudson said.
