The time to automate your digital certificate management has arrived
By Avesta Hojjati, Head of Research and Development, DigiCert
PKI and certificate management demand constant attention and careful scrutiny. An organization must track scores, hundreds or thousands of certificates, each with its own key type, validity period, hostnames and installation details.
It is a complex task that few teams can handle by hand, and failure, in the form of an unnoticed expiration or an outage, comes at a high price.
Certificate outages are a common problem. In 2019, 60 percent of organizations experienced a certificate-related outage.
New developments, as well as old problems, are forcing greater attention to certificate management. The adoption of new technologies, such as Internet of Things devices, is driving a rapid expansion in the number of certificates a business needs. Additionally, the major browser vendors (Apple, Google and Mozilla) recently cut the maximum validity of publicly trusted TLS certificates from roughly two years to 398 days, about 13 months, so every certificate now has to be renewed at least annually. If companies weren’t paying attention to certificates before, they must now.
Automating certificate management is increasingly seen as the way to take the risk out of such a critically important task. But organizations often run into trouble along the way, stalling their automation plans, abandoning them altogether, or, at best, failing to reap the rewards automation offers.
The main problem that organizations encounter when trying to automate is knowing their own environment. In February, The Ponemon Institute published a study showing that 74 percent of organizations could not tell which certificates they were using. Not surprisingly, 55 percent of its respondents have suffered more than four certificate outages in the past four years.
Organizations need to know their environments inside and out: they need to know where their nodes are located, they need to know what kinds of web servers and operating systems they use, and they need to know how certificates are used within their environment. Many, sadly, do not.
Nor is it always an easy job. There is great diversity within business networks. One department may run Apache web servers while another runs nginx, and each needs its own installation and reload procedure, so automation has to be tailored to those differences before it can be rolled out across the environment.
That task is also becoming more difficult. Companies are adopting a diverse set of new technologies, such as IoT devices and APIs, each with its own requirements and configurations that must be mapped and accommodated when planning for automation.
A recent survey found that 80 percent of organizations expect TLS usage to grow 25 percent over the next five years. That’s due in part to this growing complexity within the company. That complexity carries risks if it is managed improperly. Another survey revealed that 85 percent of CIOs believe that increasing complexity within IT systems will make certificate outages that much more damaging.
Many organizations are unaware of these complexities within the corporate network. Without a concentrated effort, they will either forfeit the promised benefits of automation or risk the expiration and outage of certificates they never knew they had.
Above all, they need to gain visibility into their environments, and specifically into their certificates: which ones they have, where and how they are used, and how they are configured. A certificate management platform with discovery tools can help here.
Certificate discovery tools use sensors and agents to scan a network to find all TLS / SSL certificates within a given environment, regardless of the certificate authority that issued them. They will discover a wealth of information, including certificate statuses, issuing authorities, host IP addresses and ports, security ratings, expiration dates, vulnerabilities, and other security issues. Because each certificate is unique, the information collected here can help you map the rest of your environment.
Once all of your certificates have been discovered, they can be organized in a central management platform and the work of automating the request, provisioning, renewal, update and revocation functions can begin. From there, companies can install certificate management agents on the discovered web servers and have them enroll and renew through standardized protocols such as the Automatic Certificate Management Environment (ACME, RFC 8555), the Simple Certificate Enrollment Protocol (SCEP, RFC 8894) or Enrollment over Secure Transport (EST, RFC 7030), or through the certificate authority’s REST API. It is these agents that then carry out the request, renewal and revocation of certificates on a schedule, without anyone having to remember an expiration date.
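The two steps described above, discovery followed by a renewal check, can be seen end to end in the following Go program. It is an added example written for this article, not DigiCert’s product code or any of the protocols named above: it builds a constructed fleet of three self-signed certificates with different remaining lifetimes, serves each on a loopback TLS listener standing in for an undiscovered web server, scans those endpoints without verifying trust (the point of discovery is to inventory every certificate, including ones issued by an unexpected CA), records subject, issuer, SANs and days to expiry, and then applies a hypothetical 30-day renewal threshold of the kind an ACME agent would run on a timer. Hostnames, ports and the threshold are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertRecord is one row of the inventory a discovery scan produces.
type CertRecord struct {
	Endpoint   string
	Subject    string
	Issuer     string
	SANs       []string
	NotAfter   time.Time
	DaysLeft   int
	SelfSigned bool // issuer == subject, i.e. not issued by any CA
}

// mkCert builds a self-signed ECDSA certificate expiring in `days` days.
// Constructed test data for the demo, not a real CA-issued certificate.
func mkCert(cn string, days int) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serveTLS starts a throwaway TLS listener on a random loopback port that
// just completes handshakes; it stands in for an undiscovered web server.
func serveTLS(cert tls.Certificate) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln.Addr().String()
}

// Inspect turns a leaf certificate found at addr into an inventory record.
func Inspect(addr string, leaf *x509.Certificate, now time.Time) CertRecord {
	return CertRecord{
		Endpoint:   addr,
		Subject:    leaf.Subject.String(),
		Issuer:     leaf.Issuer.String(),
		SANs:       leaf.DNSNames,
		NotAfter:   leaf.NotAfter,
		DaysLeft:   int(leaf.NotAfter.Sub(now).Hours() / 24),
		SelfSigned: leaf.Issuer.String() == leaf.Subject.String(),
	}
}

// Probe handshakes with one host:port and records its leaf certificate.
// Verification is deliberately skipped: discovery must see every cert,
// trusted or not; trust decisions are made later, from the inventory.
func Probe(addr string, now time.Time) (CertRecord, error) {
	d := net.Dialer{Timeout: 3 * time.Second}
	conn, err := tls.DialWithDialer(&d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return CertRecord{}, err
	}
	defer conn.Close()
	return Inspect(addr, conn.ConnectionState().PeerCertificates[0], now), nil
}

// NeedsRenewal is the policy an agent evaluates on each run: renew once
// fewer than thresholdDays remain (30 is an assumed value, not a standard).
func NeedsRenewal(r CertRecord, thresholdDays int) bool {
	return r.DaysLeft < thresholdDays
}

// Scan probes every endpoint and returns the full inventory plus the subset due for renewal.
func Scan(endpoints []string, thresholdDays int) (inventory, due []CertRecord) {
	now := time.Now()
	for _, ep := range endpoints {
		r, err := Probe(ep, now)
		if err != nil {
			fmt.Printf("%s: unreachable (%v)\n", ep, err) // still worth recording: an unreachable node may hide a cert
			continue
		}
		inventory = append(inventory, r)
		if NeedsRenewal(r, thresholdDays) {
			due = append(due, r)
		}
	}
	return inventory, due
}

func main() {
	// Constructed fleet: certificates with 400, 20 and 3 days left (hostnames are made up).
	eps := []string{
		serveTLS(mkCert("www.example.test", 400)),
		serveTLS(mkCert("api.example.test", 20)),
		serveTLS(mkCert("legacy.example.test", 3)),
	}
	inv, due := Scan(eps, 30)
	for _, r := range inv {
		fmt.Printf("%-21s %-24s issuer=%-24s expires=%s days_left=%3d self_signed=%v\n",
			r.Endpoint, r.Subject, r.Issuer, r.NotAfter.Format("2006-01-02"), r.DaysLeft, r.SelfSigned)
	}
	fmt.Printf("%d of %d certificates due for renewal within 30 days\n", len(due), len(inv))
}
```

In a real deployment the endpoint list comes from the discovery sensors’ port scans rather than a literal slice, the inventory is written to the central platform instead of printed, and the agent acts on the `due` set by starting an ACME order (or SCEP/EST request) for each hostname and reloading the server once the new chain is installed. Two details from this example carry over unchanged: never let the discovery client enforce trust, or it will silently skip exactly the rogue and mis-issued certificates you most need to find, and derive the renewal decision from the certificate’s own NotAfter rather than from a spreadsheet of dates.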
Automation brings huge benefits as far as certificate management is concerned. Companies save time, effort and money. They avoid the creeping threat of certificate expiration, they avoid costly outages that threaten the business, and they are in a much better position to adopt new technologies. With cyber attacks in India reported to have increased by up to 500 percent since the COVID-19 lockdown was imposed in March last year, protecting sensitive business data has become more important than ever. It is therefore imperative for organizations to harness the full potential of automation without exposing themselves to other threats in the process.