#HowTo: Optimize Certificate Management to Identify and Control Risk

As the quantity of users, devices, servers and applications connected to the internet balloons and workforces become hyper-distributed, efficient certificate management is becoming more vital, yet staggeringly more complex. With the proliferation of devices connected to networks, email communications and enterprise applications, the number of certificates authenticating each one multiplies exponentially. Not to mention that certificates have varying validity lifetimes, making it even trickier to ensure protection and avoid critical outages.

Neglecting certificate discovery or renewals could leave even the most sophisticated organizations at risk. However, when certificate management is done correctly, enterprise security leaders can leverage full visibility and lifecycle control over all digital certificates and keys—provided they are using an automated certificate management solution.

Why Opt for Certificate Automation?

Modern enterprises rely on digital certificates as the gold standard for encryption and passwordless authentication of users, devices, servers and application identities. But the reality is that keeping track of even hundreds, let alone tens of thousands, of certificates is a mammoth task. In an age when even one expiration can lead to business and reputational damage, it’s certainly not something to be brushed under the carpet.

For instance, in 2018, an expired certificate in software belonging to telecommunications giant Ericsson caused downtime for millions of cellular users of the O2 network in Europe and Japan. Overall, 32 million people were left without service in the UK and millions more in Asia. That’s not a good look for a company that has approximately 40% of the world’s mobile traffic flowing through its networks.

More recently, in August 2020, 271 million Spotify users around the world experienced an hour-long outage due to an expired certificate.

It’s common to see enterprises today with tens of thousands of private and public certificates, often from different vendors, being used across a complex architecture of loosely centralized environments. There are simply not enough hours in a day to manually manage them all, leaving the risk of outages due to certificate expirations or errors unacceptably high.

Leveraging PKI to Pivot at Pace

End-to-end certificate management gives businesses complete visibility and lifecycle control over any certificate in their environment, helping them reduce risk and control operational costs. Even in the most complex enterprise environments, certificate automation offers speed, flexibility and scale.

Full visibility over all digital certificates and keys means that even the largest enterprises can have a centralized view of digital identities and security processes. Security leaders can then access expiration dates and maintain cryptographic strength while avoiding the time-consuming, demanding, and risky task of manually discovering, supervising, and renewing certificates.

As organizations continue to grow and evolve, so does the range of certificates deployed and the set of people deploying them, which increases the potential for certificates to be installed in your environment that are out of sight of IT security teams and left unmanaged. To avoid being blindsided by these “rogue” certificates, enterprises are turning toward automated universal discovery. This way, there’s no certificate left unaccounted for, with certificate discovery reaching far beyond what a spreadsheet might show. Gone are the days of maintaining error-prone spreadsheets. It’s time to usher in the era of a mature certificate management platform that provides enhanced visibility.

Bringing Certificate Management into the 21st Century

Modern enterprise security leaders need to focus on four fundamental elements to identify and control risk. These will help mitigate threats and better protect the business against widespread disruptions.

  1. Single pane of glass management: Enterprises need one certificate management platform—one pane of glass—to discover, deploy, monitor and renew ALL digital certificates. This speeds and simplifies the discovery, issuance, deployment and renewal/revocation/replacement of all certificates, regardless of where they are located in the enterprise.
     
  2. Universal discovery: There’s an exploding number of public and private certs, and when previously unknown certificates expire, they can bring down systems and stop business from happening. It’s critical to be able to discover issued certificates, report on certificate attributes/ownership and send notifications before expiry.
     
  3. Automatic renewals: Outages (such as Ericsson and Spotify, mentioned above) degrade customer trust, and even the biggest and most trusted brands can lose customers and fail to meet SLA requirements. Amid shortening certificate lifecycles, certificate management tools that leverage IETF-standard protocols such as Automated Certificate Management Environment (ACME) can set expiring certificates to automatically renew—preventing damage and costly outages before they happen.
     
  4. Time savings: Whether an enterprise deploys a single SSL certificate for a web server or manages thousands of certificates across all its networked device and user identities, the end-to-end process of certificate issuance, configuration and deployment is often untenably time-intensive. Moving from spreadsheets to automation means realizing massive time savings.

Securing the Modern Enterprise

The continued growth of an enterprise will inevitably bring astronomical operational risk in the absence of proper technology solutions. By combining the passwordless authentication and encryption capabilities of PKI certificates and proper due diligence, organizations can rest easy that they won’t be the latest casualty of faulty certificate management. This strategy can completely transform the landscape of a modern enterprise’s security for users, devices, servers and application identities.

What’s Hot on Infosecurity Magazine?