IT managers using post-it notes and spreadsheets to manage millions of security instruments

Venafi finds vital security certificates that could close entire online presences are 'lost' in Cyberspace

(PresseBox) (London)
Given the recent catastrophic data breaches suffered by third-party trust providers, including a number of certificate authorities (CAs), the findings of a new survey from Venafi Inc., the inventor and market leader of enterprise key and certificate management (EKCM) solutions, in conjunction with Osterman Research, make shocking reading. The findings shed light on truly careless management of crucial security instruments.

A staggering 72 percent of survey respondents admitted that they have no automated process to replace compromised certificates. This means that if their CA vendor is compromised they will not know where the offending certificates are and will have no way of automatically locating and replacing them. This could bring all business operations of the respondents' organisations to an immediate halt, given that their existing manual processes would require weeks to identify the vulnerable certificates, with no consideration of how to replace them en masse. This is particularly worrisome given that 76 percent of respondents also expect their certificate population to grow in 2012.

Fifty-four percent of respondents admitted to having an inaccurate or incomplete inventory of their SSL certificates, with 44 percent admitting that their digital certificates are manually managed with spreadsheets and reminder notes. This is the equivalent of leaving a post-it note on your front door informing would-be burglars that your home is empty and ready to be robbed.

"Organisations protect mission-critical and often regulated data with hundreds or thousands of encryption keys and digital certificates," said Jeff Hudson, Venafi CEO. "But as this survey reveals, too many companies have inaccurate or incomplete data about their security assets. The unquantified and unmanaged risks these certificates and keys pose are significant: risks magnified through their increasingly pervasive use in corporate data centres, cloud-based systems, and mobile devices."

Forty-three percent of respondents said that they did not have a centralised corporate policy covering encryption-key strengths or lengths, validity periods, and private-key administration and access requirements for proper segregation of duties. This may allow vulnerable, weak encryption keys to be hacked or compromised, resulting in data breaches and the ensuing brand damage. The survey data uncovers worrying complacency on the part of senior management about their stewardship of their own digital assets and information security mechanisms.

Sixty-two percent said they did not have automated processes for enforcing internal, corporate policies or regulatory compliance for how digital certificates and encryption keys are managed. This means that they would fail internal and external audits with risks of steep fines, potential employment termination and brand damage.

Forty-six percent of respondents said that they would not be able to generate a report showing how many digital certificates they owned, and 70 percent admitted that they did not have a certificate management system that would alert them if a certificate renewal request failed, resulting in costly unplanned outages and system downtime.

The survey also reveals that 54 percent of respondents do not have an automated, repeatable and on-demand way of providing a senior manager, vice president or auditor with a report of exactly how many certificates are present in the entire environment. This means that senior management is being kept in the dark about an unquantifiable risk to their businesses, which could potentially cripple them.
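The gaps the survey describes (no policy on key strength and validity periods, no way to count certificates or locate those issued by a compromised CA) come down to having a machine-readable inventory and running policy checks over it. The following is an added illustration written for this page; it is not code from Venafi, Osterman Research or any product they describe. It assumes an inventory already exported from a network scan as records with host, subject, issuer, key algorithm, key size and validity dates; the hosts, CA names, policy thresholds and the fixed "today" date are all constructed for the example.

```python
"""Certificate inventory report with policy checks.

Added example, not vendor code. The inventory records, CA names and policy
thresholds below are constructed; a real run would load them from a scan export.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertRecord:
    host: str
    subject: str
    issuer: str
    key_alg: str       # "RSA" or "EC"
    key_bits: int
    not_before: datetime
    not_after: datetime


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory (hypothetical hosts and issuers).
INVENTORY = [
    CertRecord("www.example-corp.test", "CN=www.example-corp.test", "Example Root CA",
               "RSA", 2048, _utc(2011, 6, 1), _utc(2012, 6, 1)),
    CertRecord("mail.example-corp.test", "CN=mail.example-corp.test", "Example Root CA",
               "RSA", 1024, _utc(2011, 1, 10), _utc(2012, 1, 10)),
    CertRecord("vpn.example-corp.test", "CN=vpn.example-corp.test", "Acme Compromised CA",
               "EC", 256, _utc(2010, 3, 1), _utc(2015, 3, 1)),
    CertRecord("intranet.example-corp.test", "CN=intranet", "Example Root CA",
               "RSA", 4096, _utc(2011, 12, 20), _utc(2012, 2, 1)),
]

# Assumed corporate policy: minimum key sizes, maximum validity, expiry warning window.
POLICY = {
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "max_validity_days": 398,
    "expiry_warning_days": 30,
}

# Fixed evaluation date so the example is reproducible (constructed).
NOW = _utc(2012, 1, 15)


def check_certificate(cert, policy, now, compromised_issuers=frozenset()):
    """Return the list of policy findings for one certificate (empty means compliant)."""
    findings = []
    min_bits = policy["min_key_bits"].get(cert.key_alg)
    if min_bits is None:
        findings.append(f"unknown key algorithm {cert.key_alg}")
    elif cert.key_bits < min_bits:
        findings.append(f"weak key: {cert.key_alg}-{cert.key_bits} < {min_bits}")
    validity = (cert.not_after - cert.not_before).days
    if validity > policy["max_validity_days"]:
        findings.append(f"validity {validity}d exceeds {policy['max_validity_days']}d")
    days_left = (cert.not_after - now).days
    if days_left < 0:
        findings.append(f"expired {-days_left}d ago")
    elif days_left <= policy["expiry_warning_days"]:
        findings.append(f"expires in {days_left}d")
    if cert.issuer in compromised_issuers:
        findings.append(f"issued by compromised CA {cert.issuer}")
    return findings


def inventory_report(inventory, policy, now, compromised_issuers=frozenset()):
    """Aggregate the inventory: total count, count per issuer, findings per host.

    The per-issuer count is what lets an operator answer "how many certificates
    do we hold from CA X?" the day that CA announces a compromise.
    """
    report = {
        "total": len(inventory),
        "by_issuer": dict(Counter(c.issuer for c in inventory)),
        "findings": {},
    }
    for cert in inventory:
        problems = check_certificate(cert, policy, now, compromised_issuers)
        if problems:
            report["findings"][cert.host] = problems
    return report


if __name__ == "__main__":
    rep = inventory_report(INVENTORY, POLICY, NOW, frozenset({"Acme Compromised CA"}))
    print(f"{rep['total']} certificates; by issuer: {rep['by_issuer']}")
    for host, problems in rep["findings"].items():
        print(f"{host}: " + "; ".join(problems))
```

The policy thresholds are plain data, so they can be kept under version control and reviewed like any other configuration; the report function is what a renewal job or an audit request would call, and the `compromised_issuers` set is the hook for the "replace everything from this CA" scenario the survey asks about.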

Effective Remediation Strategies

Venafi publishes best practices for effective key and certificate management, and is the industry's leading authority on the processes and practices that comprise the overall strategy for improved security and lowered risk. The EKCM best-practices portal is available for free to any organization.

About Osterman Research

Osterman Research was founded in 2011 and has become one of the leading analyst firms with expertise in research and survey methodology, providing analysis, white papers and other services to companies like Microsoft, IBM, Google, EMC, Symantec, Hewlett Packard and many others.
