New Research Reveals More Than Half of Enterprises Have Unquantified Security Risks From Poor Insight Into, and Lack of Control Over, SSL Certificate Populations

Additional 44 Percent Acknowledge Vital Security Instruments Are Manually Managed; Situation Jeopardizes Critical Business Systems, Applications and Processes

SALT LAKE CITY, UT -- (Marketwire) -- 02/23/12 -- Venafi Inc., the inventor and market leader of enterprise key and certificate management (EKCM) solutions, in conjunction with Osterman Research, today released the results of an extensive survey designed to determine how well organizations understand the risks associated with poor key and certificate management. Based on responses from 174 IT and information-security professionals, the survey reveals a significant lack of knowledge, understanding and oversight, resulting in a series of information-security vulnerabilities.

Fifty-four percent of respondents, for example, admit to having an inaccurate or incomplete inventory of their Secure Sockets Layer (SSL) certificate populations. Deploying encryption solutions without maintaining comprehensive certificate and key inventories is a worst practice that jeopardizes vital business systems and processes, and exposes organizations to substantial risk of security and compliance incidents.

"The importance of sound certificate management practices is highlighted by the repeated certificate authority (generally referred to as CA) breaches over the past year," said Michael Osterman, president of Osterman Research. "We were startled by the lack of urgency regarding the issue. When considered in tandem with the high-value target CAs represent to hackers, we can predict more CA breaches and more security threats than we saw in 2011."

"Organizations protect mission-critical and often regulated data with hundreds or thousands of encryption keys and digital certificates," said Jeff Hudson, Venafi CEO. "But as this survey reveals, too many companies have inaccurate or incomplete data about their security assets. The unquantified and unmanaged risks these certificates and keys pose are significant -- risks magnified through the increasingly pervasive use in corporate data centers, cloud-based systems and mobile devices."

The Risks of Manual Management
Forty-four percent of respondents admitted to manually managing digital certificates with spreadsheets and reminder notes -- another worst practice related to a lack of risk recognition. Certificates and keys require regular maintenance, monitoring, rotation and secure distribution for systems and applications to function properly. Manual handling makes it inherently difficult to track important information -- such as certificates' expiration dates and names of issuing certificate authorities (CAs). These challenges can result in unplanned outages that lead to millions of dollars in lost revenue and brand damage.

"To properly manage certificates, organizations must know when certificates are set to expire, what CAs issued them and their encryption-key strengths," Hudson said. "Without knowing these attributes, enterprises have little hope of preventing certificates from unexpectedly expiring -- a leading cause of unplanned system downtime. With 76 percent of respondents assuming that their certificate populations will grow in 2012, we know the risks will further escalate."

Survey Results Expose Additional Risks in the Enterprise
The survey exposes the four primary types of risk associated with improper certificate and key management: operational, security, audit and compliance, and CA compromise.

  • Operational Risk
    • Forty-six percent of respondents indicated that they could not generate reports to discover how many currently deployed digital certificates were set to expire within the next 30 days. This lack of automated visibility increases the likelihood that expiring certificates will trigger unplanned system outages that last for hours or even days.
    • Seventy percent said their encryption systems were not integrated with their corporate directories. Directory integration lets a certificate management solution automatically escalate notifications when certificate owners are unreachable or unresponsive to notification and action requests. Given the high rate of turnover in positions with responsibility for certificate management, lack of integration is causing outages.

  • Security Risk
    • Forty-three percent of respondents said they do not have centralized corporate policies that mandate specific encryption-key lengths, certificate validity periods and private-key administration requirements. Best practices and many regulations mandate strong encryption keys and two-year (maximum) certificate validity periods. Failure to enforce these best practices increases an organization's risk of security breaches -- such as brute-force attacks on weak encryption keys. Weak keys leave organizations vulnerable to hackers.

  • Audit and Compliance Risk
    • Fifty-four percent of respondents admitted to not having automated, repeatable and on-demand methods for providing certificate-population reports to organizational leadership and auditors. The inability to run such reports makes it impossible to maintain accurate and comprehensive certificate inventories.
    • Sixty-two percent said they did not have automated processes for ensuring corporate-policy and regulatory compliance. The inability to automatically ensure compliance increases the risk of failing internal and external audits. Such failures can result in steep fines, potential employment termination and brand damage. In some cases, regulators can prohibit failing organizations from conducting business online.

  • Risk of CA Compromise
    • Seventy-two percent do not have an automated process to replace compromised certificates if their CA vendor is compromised. In the case of a CA compromise, every minute counts. Finding all affected certificates manually can take days or weeks, but not replacing them immediately can incur significant costs and, in the worst case, can result in a company going out of business.
    • Forty-four percent of these respondents acknowledged that they were worried, but had not yet re-evaluated their CA compromise and related business continuity strategies, while only 17 percent had.
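The reports the survey says most respondents cannot produce come down to checking a handful of attributes per certificate: days until expiry, issuing CA, key strength and validity period. The following is an added example, not Venafi's product or the survey's own tooling: a Go audit over a constructed in-memory certificate population that flags certificates expiring within 30 days, weak RSA keys, validity periods over two years, and certificates issued by a named compromised CA. The 2048-bit minimum, the `example.test` names and the self-signed sample certificates are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// The 30-day expiry window and two-year validity maximum are the page's figures; the 2048-bit RSA minimum is an assumption.
const expiryWindow, minKeyBits, maxValidityDays = 30, 2048, 730
// Audit checks expiry, RSA key size (other key types are not sized), validity period and issuing CA for
// every certificate and returns violations keyed by subject CN; compromisedCA names an issuer to replace ("" skips it).
func Audit(certs []*x509.Certificate, now time.Time, compromisedCA string) map[string][]string {
	out := map[string][]string{}
	for _, c := range certs {
		rsaKey, _ := c.PublicKey.(*rsa.PublicKey) // nil unless the key is RSA
		checks := []struct{ failed bool; issue string }{
			{int(c.NotAfter.Sub(now).Hours()/24) <= expiryWindow, "expires within 30 days"},
			{rsaKey != nil && rsaKey.N.BitLen() < minKeyBits, "weak key"},
			{int(c.NotAfter.Sub(c.NotBefore).Hours()/24) > maxValidityDays, "validity exceeds two years"},
			{compromisedCA != "" && c.Issuer.CommonName == compromisedCA, "issued by compromised CA"},
		}
		for _, ch := range checks {
			if ch.failed {
				out[c.Subject.CommonName] = append(out[c.Subject.CommonName], ch.issue)
			}
		}
	}
	return out
}

// makeCert builds a constructed self-signed certificate (so the issuer CN equals the subject CN).
func makeCert(cn string, bits int, notBefore time.Time, days int) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, days)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}
// SampleInventory is a constructed population: one healthy cert, one expiring in 10 days, one with a 1024-bit key and a three-year validity.
func SampleInventory(now time.Time) []*x509.Certificate {
	return []*x509.Certificate{
		makeCert("ok.example.test", 2048, now.AddDate(0, 0, -300), 365),
		makeCert("expiring.example.test", 2048, now.AddDate(0, 0, -355), 365),
		makeCert("weak.example.test", 1024, now.AddDate(0, 0, -10), 1095)}
}
```

Running Audit over a real population means loading the PEM files from each endpoint and replacing SampleInventory; the per-certificate checks stay the same.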

Effective Remediation Strategies
Venafi publishes best practices for effective key and certificate management, and is the industry's leading authority on the processes and practices that comprise the overall strategy for improved security and lowered risk. The EKCM best-practices portal is available for free to any organization.

About Osterman Research
Osterman Research was founded in 2011 and has become one of the leading analyst firms with expertise in research and survey methodology, providing analysis, white papers and other services to companies like Microsoft, IBM, Google, EMC, Symantec, Hewlett Packard and many others.

About Venafi
Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions. Venafi delivered the first enterprise-class solution to automate the provisioning, discovery, monitoring and management of digital certificates and encryption keys -- from the datacenter to the cloud and beyond -- built specifically for encryption management interoperability across heterogeneous environments. Venafi products reduce the unquantified and unmanaged risks associated with encryption deployments that result in data breaches, security audit failures and unplanned system outages. Venafi also publishes best practices for effective key and certificate management at www.venafi.com/best-practices. Venafi customers include the world's most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.

Media Contact:
Justin Gillespie
Trainer Communications

Copyright © 2009 Marketwired. All rights reserved. All the news releases provided by Marketwired are copyrighted. Any forms of copying other than an individual user's personal reference without express written permission is prohibited. Further distribution of these materials is strictly forbidden, including but not limited to, posting, emailing, faxing, archiving in a public database, redistributing via a computer network or in a printed form.