So why don’t enterprises automate their certificate management functions? There is ample reason to. Certificates are used within the enterprise for authentication, identity and often both. Considering their essential applications throughout the enterprise - any one enterprise uses potentially thousands of certificates from minute to minute.
Out of that handful comes a variety of problems too. Chief among them is how to manage this ever growing sprawl of certificates - keeping them fit for purpose, up to date and correctly configured. Even small mistakes can become huge problems down the line. The Equifax breach for example - was left undetected for months because of an expired certificate.
Certificate mismanagement is hardly the preserve of high profile and spectacular failures. In fact, it’s very common. Far too common.
On the back of this trenchant problem, one thing that you might expect enterprises to consider is automation. After all, with such a legion of certificates underpinning the workings of every network - automation could take up a lot of the heavy lifting.
Many relent. While automation solutions often make things easier - they can often complicate matters. Certain solutions require manual interventions which can alienate users and add complexity to a process which is supposed to mitigate it.
One of the huge barriers to implementing automation is that so many organizations don’t know their own environment well enough. Basic questions like where your nodes are located, what kind of operating systems you’re using and what kind of certificates you require are hard to answer for some.
Furthermore, enterprise environments are growing rapidly based on diverse technologies. These environments are often large and different teams will often prefer different types of application, which require different security practices. Wide spanning automation has to be tailored to each part of an environment. Where you use different web servers, for example, you’ll need to provide support and specific certificates for each.
The fear of the unknown marks these barriers. Potential adopters view these new technologies with suspicion and might not want to invite the risks that new innovations bring with them.
These are worthy concerns, but are quickly eclipsed by the benefits that automation can provide and the quickly growing demands of certificate management.
Our reliance on TLS is soon set to ramp up. As you read this, enterprises all over the world are onboarding new users, they’re deploying APIs, they’re rolling out IoT networks, they’re increasing their burst capacity for remote workers. IT is growing rapidly within the enterprise and as environments get larger and more complex, certificates become ever more important.
Don’t take our word for it. A recent survey showed that 80 percent of organizations think that TLS usage will grow by 25 percent over the next five years. Combine that with the fact that large organizations can lose around $5600 per minute on the back of an outage and that 60 percent of organizations faced a certificate related outage in 2019 - you’ve got a rather risky proposition. Also, 85 percent of CIOs, according to another survey from Venafi, believe that the growing complexity of IT systems is going to make outages even more damaging.
So what are enterprises to do? They’re faced with too many certificates to effectively and securely manage and on the other hand - they worry that automation may introduce yet more complexity and potential security problems down the road.
The headline argument for automation is that it will mitigate the risk of human error and supersede their ability by carrying out tasks on a larger scale than would ever otherwise be possible.
The argument for certificate management automation is becoming stronger by the day. The Certificate Authority Browser (CAB) forum has recently announced the significant shortening of certificate lifespans from two to just one year. It’s likely that they’ll be further decreased and the chances that your private keys have been exposed are always increasing. That necessitates a renewed focus on certificate management and given the incredible span and complexity of certificate deployments within any one enterprise that is far from easy.
With those oversights come a cascading series of familiar risks. Breaches, the exposure of personal information, visibility gaps, unauthorized access. Beyond those lie the typical fallout of a security incident: productivity loss, revenue busting downtime, customer alienation, reputational damage and then the potential legal action and regulatory blowback that come with all of that. Certificate mismanagement is not some minor technical slip up, as many seem to treat it, but the first small step in a long series of security and business outcomes.
It’s not just about protecting the network from user mistakes, but about protecting users from it too. Their talent, their time and their energy should be used in areas where they can be used to their fullest - not on something that a machine could do better and quicker.
Whatever the dilemma around automation, an intricate task like certificate management requires the kind of attention that only a machine can handle.