Rogue certificates 'affecting businesses as much as authorities'
Almost three-quarters of businesses surveyed have no automated way to locate and replace a rogue or compromised certificate.
According to a survey of 175 businesses by enterprise key and certificate management (EKCM) solutions vendor Venafi, 72 per cent of respondents admitted that they had no automated process to replace compromised certificates. This means that if their certificate authority (CA) were compromised, they would not know where the offending certificates were deployed and would have no way of automatically locating and replacing them.
In a scenario like last year's DigiNotar breach, in which the CA was hacked and rogue certificates were issued for legitimate websites, the survey found that respondents' existing manual processes would take weeks to identify the affected certificates. Meanwhile, 76 per cent of respondents expected their certificate population to grow in 2012.
More than half (54 per cent) admitted to having an inaccurate or incomplete inventory of their SSL certificates, with 44 per cent admitting that their digital certificates are manually managed with spreadsheets and reminder notes.
Also, 46 per cent said they would not be able to generate a report detailing how many digital certificates they owned, and 70 per cent admitted that they did not have a certificate management system that would remind them if a certificate renewal request failed.
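As an added illustration (not part of the article, and not Venafi's code), the following Python script shows the two capabilities the survey says most respondents lack: an automated inventory of the certificates hosts actually present, and a report that flags the ones issued by a CA the organisation never used (the shape a DigiNotar-style rogue certificate takes), by a CA now known to be compromised, or that are expired or about to expire because a renewal was missed. The hostnames, CA names, serials and dates are constructed; `fetch_cert()` is the only network-facing piece and is not exercised by the embedded sample.

```python
"""Certificate inventory and audit using only the Python standard library.

fetch_cert() collects the leaf certificate a host presents over TLS;
count_by_issuer() and audit_inventory() turn a list of such records into
a per-CA count and a list of certificates that need action.
"""
import datetime as dt
import socket
import ssl
from collections import Counter

# CAs this hypothetical organisation actually buys certificates from, and the
# subset currently treated as compromised. Both names are made up.
TRUSTED_ISSUERS = {"Example Trust CA", "Second Example CA"}
COMPROMISED_ISSUERS = {"Second Example CA"}


def fetch_cert(host, port=443, timeout=5.0):
    """Return an inventory record for host:port (network call; unused by the sample).

    The default context verifies against the platform trust store, so a
    certificate that does not chain to a trusted root, or does not match the
    hostname, is recorded as an error rather than dropped: that host still
    needs a look.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"host": host, "port": port, "cert": tls.getpeercert(), "error": None}
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "port": port, "cert": None, "error": f"verify failed: {exc}"}
    except OSError as exc:
        return {"host": host, "port": port, "cert": None, "error": f"connect failed: {exc}"}


def _cert(cn, issuer_org, not_after_str):
    """Build a constructed cert dict in the shape SSLSocket.getpeercert() returns."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("organizationName", issuer_org),), (("commonName", issuer_org + " Root"),)),
        "notBefore": "Jan 10 00:00:00 2011 GMT",
        "notAfter": not_after_str,
    }


# Constructed sample inventory; hostnames and dates are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "www.example.test", "port": 443, "error": None,
     "cert": _cert("www.example.test", "Example Trust CA", "Dec 31 23:59:59 2012 GMT")},
    {"host": "mail.example.test", "port": 443, "error": None,
     "cert": _cert("mail.example.test", "Unfamiliar Root CA", "Jun 30 23:59:59 2013 GMT")},
    {"host": "vpn.example.test", "port": 443, "error": None,
     "cert": _cert("vpn.example.test", "Example Trust CA", "Feb 15 23:59:59 2012 GMT")},
    {"host": "legacy.example.test", "port": 8443, "error": None,
     "cert": _cert("legacy.example.test", "Second Example CA", "Mar 20 23:59:59 2012 GMT")},
    {"host": "internal.example.test", "port": 443, "cert": None,
     "error": "verify failed: self-signed certificate"},
]
AS_OF = dt.datetime(2012, 3, 1, tzinfo=dt.timezone.utc)  # fixed "now" for the sample


def name_attr(rdn_sequence, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name tuple."""
    for rdn in rdn_sequence:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def not_after(cert):
    """Expiry of a getpeercert() dict as an aware UTC datetime."""
    return dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=dt.timezone.utc)


def count_by_issuer(records):
    """Certificates found per issuing CA: the 'how many do we own' report."""
    return Counter(name_attr(r["cert"]["issuer"], "organizationName") for r in records if r["cert"])


def audit_inventory(records, trusted, compromised, now=None, renewal_window_days=30):
    """Return (kind, host:port, detail) findings for certificates that need action."""
    if now is None:
        now = dt.datetime.now(dt.timezone.utc)
    findings = []
    for rec in records:
        where = f"{rec['host']}:{rec['port']}"
        cert = rec["cert"]
        if cert is None:  # trust store rejected what the host presented
            findings.append(("verification-failed", where, rec["error"]))
            continue
        cn = name_attr(cert["subject"], "commonName")
        issuer = name_attr(cert["issuer"], "organizationName")
        if issuer not in trusted:  # a CA we never bought from: rogue until proven otherwise
            findings.append(("unexpected-issuer", where, f"{cn} issued by {issuer!r}"))
        elif issuer in compromised:  # our CA, but it has been breached: replace
            findings.append(("compromised-issuer", where, f"{cn} issued by {issuer!r}; replace"))
        days_left = (not_after(cert) - now).days
        if days_left < 0:
            findings.append(("expired", where, f"{cn} expired {-days_left} days ago"))
        elif days_left <= renewal_window_days:
            findings.append(("expiring", where, f"{cn} expires in {days_left} days"))
    return findings


if __name__ == "__main__":
    print("certificates by issuer:", dict(count_by_issuer(SAMPLE_INVENTORY)))
    for kind, where, detail in audit_inventory(SAMPLE_INVENTORY, TRUSTED_ISSUERS, COMPROMISED_ISSUERS, AS_OF):
        print(f"{kind:20} {where:28} {detail}")
```

In real use the records would come from `fetch_cert()` run over a list of hosts and ports rather than from the constructed sample, and the issuer sets would be maintained as the organisation's list of CAs in actual use. Note that an "unexpected-issuer" hit is not automatically malicious (a team may simply have bought a certificate outside the usual process), but it is exactly the class of certificate that a spreadsheet-based inventory never records.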
Jeff Hudson, CEO of Venafi, said: “Organisations protect mission-critical and often regulated data with hundreds or thousands of encryption keys and digital certificates. As this survey reveals, too many companies have inaccurate or incomplete data about their security assets.
“The unquantified and unmanaged risks these certificates and keys pose are significant, risks magnified through their increasingly pervasive use in corporate data centres, cloud-based systems and mobile devices.”
This week Venafi launched the Assessor tool that scans an organisation's network to locate and analyse deployed digital certificates and the associated encryption keys. According to the company, Assessor produces a series of reports that detail the security, operational and compliance risks derived from the data it collects and provides remediation recommendations based on industry best practices and the aggregate experience of Venafi customers.
“With Assessor, organisations can quantify the extent of their risks, turning assumptions about their certificates and encryption keys into hard data. We are now providing this capability to organisations at no cost,” said Hudson.