80% of businesses hit by certificate-related outages

News by Greg Masters

A new study has found that inadequate cryptographic controls significantly impact reliability and availability of critical services.

The study, released on Thursday by Venafi, a provider of protection for cryptographic keys and digital certificates, examined the scale, frequency and causes of certificate-related outages and determined that they negatively impact the reliability and availability of vital systems and services. In fact, the study found that 79 percent of businesses were affected by certificate-related outages.

“Certificates and keys are identity and access management for machines, just like user names and passwords are for humans,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said in a statement. “Certificates allow machines to communicate securely and that makes them an essential, but underappreciated, part of every organisation's digital ecosystem and our global digital economy.”

When certificates expire unexpectedly, he added, critical services can be impacted. “Unfortunately, most businesses do not have the visibility or tools necessary to manage this fundamental element of cyber-security and operational availability effectively.”

The primary findings from the Venafi study include:

79% of respondents suffered at least one certificate-related outage in 2016. 

suffered more than six certificate-related outages in 2016. 

suffered 100 or more certificate-related outages in 2016. 

said their organisations could not respond to a certificate-related security event in six hours or less.

The study, which was conducted by Dimensional Research and canvassed 505 IT professionals responsible for cryptographic assets across the US and Europe, found that enterprises, as well as personal users, are seeking simpler and more efficient solutions to key and certificate management as the use of encryption grows. 

A leading motivation behind the increase in the use of certificates is a rapid spike in the number of IP-enabled devices tethered to business networks, the study explained. Businesses are also seeing their need for certificates grow as DevOps and Fast IT development processes are integrated into their operations.

However, along with these increased needs comes increased vulnerability to mismanagement of cryptographic keys and digital certificates.

Customer data from the Venafi study illustrates the point, showing that the average organisation, using Venafi, found more than 16,500 keys and certificates of which it was not previously aware. Additionally, most companies surveyed did not have adequate control over their key and certificate inventory, did not have an automated process for renewals, and had no central record of when certificates were due to expire.

Further, nearly two-thirds (65 percent) of enterprises do not manage all their keys and certificates centrally. Of those that do manage certificates centrally, the same percentage depend on security controls from their Certificate Authorities (CAs), which limit their visibility to certificates provided by the issuing CA, the study found.

“The good news is that certificate-related outages are completely preventable, but you need to understand the scale and the scope of the problem,” Bocek said. “As we use more cloud services, IoT devices and DevOps automation, certificate usage is skyrocketing. To keep up with this expanding problem, organisations must automate the discovery, issuance, lifecycle and remediation of all keys and certificates from the data centre to the cloud to the IoT edge of their networks.”

Failure to do so puts the reliability and availability of critical services at risk, he added, and dramatically increases cyber-security risks.

