21st Century SSL/TLS Certificate Management

The rapid growth of internet-connected users, devices, machines, and applications has seen the number of SSL/TLS certificates needed to secure connections and communications skyrocket.

Much like the passwords and multi-factor authentication we rely on to secure our personal digital identities, TLS/SSL certificates act as the set of credentials that authenticate and secure communications and machine-to-machine (M2M) connections. The role that SSL/TLS certificates play in securing your organisation has become critically important as you depend on secure connections to support distributed workforces and as digital transformation initiatives continue to accelerate.

Exponential growth in certificate usage, combined with industry standards that continue to reduce SSL/TLS validity periods, has made efficient certificate management not only necessary but also increasingly complex, for the following reasons:

MANUAL PROCESSES

Managing your certificates using manual processes is not only time-consuming, it's also prone to human error. The concern with manual processes like spreadsheets is that all certificate information must be kept up-to-date and accurate by hand. Repetitive work and tedious tasks increase the risk of error and oversight. Whilst you might rely entirely on this DIY certificate management method, it is not effective, and here is why:

  • Reporting: You can't manage what you don't know about. Whilst a spreadsheet may account for your known certificates, outages are caused by the unknown certificates that go untracked, which shows that the humble spreadsheet is not an effective reporting tool for tracking certificates and expirations.
  • Labour Intensive: As certificate validity periods continue to shrink, the frequency of certificate renewals is increasing, which has a direct impact on the workload of the staff responsible for managing your SSL/TLS certificates. There is simply not enough time to manually renew growing volumes of certificates and manually maintain an accurate record of certificate data, especially if there is no central procurement process in place.
  • Error-Prone: Manual processes may increase the risk of certificate outages, from a missed certificate expiration to a misconfiguration on an endpoint.

LACK OF VISIBILITY

The number of (public and private) certificates used by your organisation is increasing. Our research indicates that there is often no centralised certificate procurement function, and as a result different departments within your business purchase certificates from different certificate authorities (CAs).

This means that you will not have full visibility, or a consolidated view, of all certificates used across your organisation.

To quantify your exposure ask yourself the following questions:

  • Do I know how many certificates are in use within my organisation?
  • Do I know which CAs actively issue certificates to my organisation?
  • Am I aware of where each certificate is installed, and which department or owner is responsible for it?
  • Have my certificates been configured and installed correctly, and should I be concerned about any potential weaknesses or vulnerabilities in them (e.g. SHA-1, TLS 1.1, MD5)?

It is apparent that to reduce the risk of certificate related outages, your organisation needs to mature its certificate management processes and move from manual to proactive methods facilitated by certificate lifecycle automation. 

WHAT SHOULD YOU FOCUS ON?

Modern security leaders should be focusing on FOUR certificate management fundamentals:

  • VISIBILITY: To avoid being blindsided by unmanaged certificate expirations, it's essential to incorporate automated certificate discovery tools into your certificate management practices. Discovery finds all issued certificates, improving your visibility, your management control and your ability to report accurately on SSL/TLS certificate attributes. Certificate discovery will also find where each certificate is installed within your network, which matters where one certificate is installed across multiple domains and provisioned to multiple servers.
  • CENTRALISED MANAGEMENT: A centralised management dashboard lets you consolidate all your certificates (public and private). Multi-CA support and simplified dashboards provide a holistic view of your certificates, giving you the ability to find, control and manage the complete lifecycle of your certificates within one browser-based user interface.
  • SELF-SERVICE: Providing a self-service portal or certificate request form, which is available through most CAs, not only improves productivity and saves time, it also reduces the certificate request burden on your teams and allows application owners to easily request and obtain the certificates they need from a centralised management platform.
  • AUTOMATION: All it took was a stone to bring down Goliath, so don't underestimate the impact and damage a single expired or compromised certificate can have on your organisation. Unplanned certificate expirations have been the reason behind some of the biggest and most expensive outages and data breaches affecting some of the most trusted global brands. Creating a renewal process supported by certificate lifecycle automation eliminates the risk of human error, ensuring that you have full control over the installation, configuration and validation of certificates. Automated workflows, self-service and integrations with existing ITSM tools like ServiceNow will result in significant savings in time and will address your scalability and performance needs.
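The discovery and reporting described under VISIBILITY, and the inventory questions posed earlier (how many certificates, which CAs issue them, where they are installed, and how close they are to expiry), are the kind of checks a small script can answer for the endpoints you already know about. The following is an added example written for this page, not code from the original article or from SSS; it uses only the Python standard library. The host list, the 30-day renewal lead time and the sample certificate dicts are constructed assumptions.

```python
"""Certificate discovery and inventory checks (added example, stdlib only).

The host list, EXPIRY_WARNING_DAYS and the sample certificate dicts are
constructed assumptions; replace them with your own inventory.
"""
import socket
import ssl
from datetime import datetime, timezone

EXPIRY_WARNING_DAYS = 30      # assumed renewal lead time
MIN_OK_VERSION = "TLSv1.2"    # negotiated versions older than this are flagged
_VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def version_rank(version):
    """Order protocol version strings as reported by SSLSocket.version()."""
    return _VERSION_ORDER.index(version) if version in _VERSION_ORDER else -1


def inspect_certificate(cert, now=None, warn_days=EXPIRY_WARNING_DAYS):
    """Evaluate one leaf certificate in the dict form returned by
    ssl.SSLSocket.getpeercert(): which CA issued it, which DNS names it
    covers, and how close it is to expiry. `now` may be a datetime or an
    ISO-8601 string (the scan time recorded in an inventory)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    # ssl.cert_time_to_seconds parses the "Jan 21 00:00:00 2024 GMT" format.
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "names": names,
        "not_after": not_after.isoformat(),
        "days_left": days_left,
        "expired": days_left < 0,
        "expiring_soon": 0 <= days_left < warn_days,
    }


def scan_endpoint(host, port=443, timeout=5.0):
    """Connect to one endpoint, fetch its leaf certificate and record the
    negotiated protocol. create_default_context() already refuses TLS < 1.2
    and untrusted chains, so a failed handshake is itself a finding."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                version = tls.version()
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "port": port, "error": str(exc)}
    result = inspect_certificate(cert)
    result.update(host=host, port=port, tls_version=version,
                  weak_protocol=version_rank(version) < version_rank(MIN_OK_VERSION))
    return result


def summarise(results):
    """Aggregate scan results into the answers the inventory questions ask
    for: how many certificates, which CAs, and what needs attention."""
    ok = [r for r in results if "error" not in r]
    return {
        "certificates": len(ok),
        "issuers": sorted({r["issuer"] for r in ok if r["issuer"]}),
        "expired": [r["host"] for r in ok if r["expired"]],
        "expiring_soon": [r["host"] for r in ok if r["expiring_soon"]],
        "weak_protocol": [r["host"] for r in ok if r.get("weak_protocol")],
        "unreachable": [r["host"] for r in results if "error" in r],
    }


if __name__ == "__main__":
    # Constructed endpoint list; replace with the hosts from your own inventory.
    hosts = ("www.example.com", "intranet-app.example.internal")
    results = [scan_endpoint(h) for h in hosts]
    for r in results:
        print(r)
    print(summarise(results))
```

One caveat a practitioner should note: getpeercert() exposes the issuer, subject, names and validity dates, but not the signature algorithm, so detecting SHA-1 or MD5 signed certificates needs a full X.509 parser (for example the third-party cryptography package) on top of this script. Scanning only the hosts you already list also does not find unknown certificates, which is why the article calls for network-wide discovery tooling rather than a spreadsheet.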

AND FINALLY…USE MANAGED SERVICES TO HELP CLOSE THE SKILLS GAP:

Skills shortages should not prevent you from implementing effective certificate management practices. SSS has the skills and expertise in providing crypto-services and has helped enterprises across the world on their journey towards achieving certificate lifecycle automation.