Why Don’t You Have a Certificate Manager?

Digital certificates sit at the heart of any secure enterprise. The myriad of connections and identities governed by an enterprise demand a level of attention and expertise to keep them secure. The price for a lack of that attention is mismanagement. It’s not a word that’s quite as dramatic as “breach” or “massive irretrievable data loss”, but it can lead to both quite quickly.

The Equifax breach - in which the data of 1.5 million people was potentially exposed - serves as a prime example of this. The US government’s post-mortem of the breach found that the breach remained undiscovered for 76 days because a certificate expired and malicious traffic was allowed to pass through Equifax’s network unmonitored.

That’s just one example. In 2019, a supposed 60 percent of organizations became victims of a certificate-related outage that impinged upon their business. That is to say, certificate management is important, and few enterprises have the necessary talent and expertise, or the dedicated positions, to adequately do the job.

A dedicated position for certificates - a certificate manager - could stop a lot of certificate-related mishaps. It’s a worthwhile pursuit for any organization that considers itself serious about certificates and serious about security. However, there are some potential problems that might obstruct the search.

The Cyber skills gap

The yawning crevasse at the center of cybersecurity - its widening edges form the ever-intensifying demand for talent and the hole is, well, the hole.

A recent survey found that only ten percent of technology workers in Europe have the relevant skills they need to fill cyber roles. The study, carried out by Vacancysoft and recruitment firm Robert Walters, also found that 70 percent of organizations cannot find the necessary cyber talent. This is just one statistic of many - one need not look at the data to know that demand for cybersecurity skills vastly outpaces their supply.

Those demands have largely survived the global pandemic and ensuing economic downturn. While IT positions have fallen by 40 percent, the demand for cyber positions stubbornly grew by six percent over the first half of 2020.

The specializations within the broad field of cyber, quite predictably, suffer even worse than their parent category. Within that crevasse sit similarly wanting “cloud security skills gaps” and “IoT security skills gaps” and, of course, the TLS skills gap.

The crevasse gets bigger

Our reliance on TLS, and on the skills and ability to manage it, will only increase. As time progresses and the technological landscape evolves, TLS is going to drive itself further into the heart of enterprise security.

The first factor is simply the growth of IT in the enterprise. Every day organizations are onboarding new identities and users, taking on more data and furthering their requirements for secure connections. Another factor is the problematic question of the IoT. While the IoT’s wide-ranging problems are well known, enterprises cannot turn down the massive advantages it offers. While those devices might arrive at the office door with security problems baked into them, enterprises can use Public Key Infrastructures with certificates and lean on best practices to protect themselves.

A third factor is the cloud - enterprises are extending their environments further and further out into the ether and should rely on certificates to keep those connections secure and those identities trusted.

The data bears it out. A recent survey showed that 80 percent of organizations estimate that TLS usage is going to grow by a quarter in the next five years. Furthermore, 85 percent of CIOs believe that the growing complexity of IT systems is going to make outages all the more damaging.

For many people, this is a problem that's left unaddressed. Without finding the necessary skills or technology, many are going to find themselves with problems that they won’t be able to address, let alone fix.

While we wait…

We can’t wait for the gap to close - not while attackers are constantly looking for the small mistakes that can bring an organization crashing down.

One option is for organizations to train staff up themselves. Without expertise readily available in the job market, you can try getting it from your current pool of talent.

Even for a dedicated specialist, the sprawl of certificates that makes up a network is hard to handle. That’s why it’s a good idea to use a certificate platform. Such a platform should be able to discover all the certificates held by the enterprise, wherever they lie.

Where such a platform can assist in providing expertise to an organization is in its ability to monitor those certificates, investigate and remediate problems when they arise, and centrally manage them through one single pane. Certificate deployments can further be customized according to the unique needs of the environment, and their lifecycle processes automated so that every certificate is tracked and renewed when it comes to the end of its life.

The centrality of certificates to enterprise security will only continue to grow with the increasing complexity of IT, the transformation of the enterprise and the introduction of new devices. From that point of view - enterprises need expertise to effectively govern these growing environments.

It is, unfortunately, in short supply. That said, enterprises can look inward to nurture and specialize pre-existing cyber and IT talent within the enterprise. Thankfully, the right platform can allow the effective management of an entire certificate ecosystem through one panel, making the process easy - even for amateurs.
