Three in five businesses (60 percent) suffered a severe certificate-related outage within the past 12 months, according to a report recently published by Venafi.
The study of 550 CIOs around the world found that outages have become an executive issue with more than a quarter (27 percent) of CIOs admitting they were worried about having to explain why an outage had occurred to the board of the company.
The vast majority (85 percent) said that the growing complexity of IT systems makes outages even more likely in future, and more than half (55 percent) believe the number of certificates their organisation uses will increase by at least 50 percent over the next five years, creating more opportunities for unexpected outages to occur.
Kevin Bocek, vice president, security strategy and threat intelligence at Venafi, said that a recent machine identity-related outage impacted 32 million cellular customers in the UK, and estimates suggest this could have cost the company over US$ 100 million (£75 million).
"Ultimately, companies must get control of all of their certificates; otherwise, it’s simply a matter of time until one expires and causes a debilitating outage. CIOs need greater visibility, intelligence and automation of the entire life cycle of all certificates to do this," he said.
Digital certificates serve as a form of machine identity: a system presents one to prove who it is when communicating securely with other machines and when gaining authorised access to applications and services.
The report said that this year, organisations will spend over US$ 10 billion (£7.5 billion) to protect and manage passwords, but they will spend almost nothing to protect and manage machine identities.
Most organisations do not have a clear understanding of how many machine identities are in use, which devices are using them, and when they will expire. According to the survey, this lack of comprehensive visibility and intelligence is what leads to outages.
"Since certificates control authentication and communication between machines, it is important not to let them expire unexpectedly. And because the symptoms of a machine identity-related outage mimic many other hardware and software failures, diagnosing them is notoriously time-consuming and difficult," said Bocek.
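The visibility problem described above, and Bocek's point that an expired certificate looks like any other connection failure, are easiest to see with a small expiry check. The script below is an added example written for this article, not code from Venafi or SC Media. It uses only the Python standard library: `check_endpoint` completes a TLS handshake, reads the peer certificate's `notAfter` field and classifies it, and it reports a failed certificate verification (the symptom an expired certificate produces) separately from an unreachable host, so the two are not confused during triage. The host list, the 30-day warning threshold and the `notAfter` value used in the self-check are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed inventory of endpoints to check (illustrative; replace with
# the organisation's own discovered certificate locations).
ENDPOINTS = [("example.com", 443), ("example.org", 443)]

WARN_DAYS = 30  # assumed renewal lead time; tune to the real renewal process


def days_until_expiry(not_after, now=None):
    """Days until the certificate expires (negative if already expired).

    `not_after` is the string ssl.SSLSocket.getpeercert() returns under
    'notAfter', e.g. 'Jun  1 12:00:00 2025 GMT'. `now` is injectable so the
    calculation can be tested without depending on the wall clock.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(days_left, warn_days=WARN_DAYS):
    """Map days-to-expiry onto the three states an operator acts on."""
    if days_left < 0:
        return "EXPIRED"
    if days_left < warn_days:
        return "EXPIRING"
    return "OK"


def check_endpoint(host, port=443, timeout=5.0, now=None):
    """Handshake with host:port and report the certificate's expiry state.

    Distinguishes a certificate problem (verification failed during the
    handshake, which is what an expired leaf or intermediate produces) from
    plain network failure, because the two look identical to an application
    that only sees 'connection failed'.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Expired, untrusted or mis-issued certificate: the machine identity
        # itself is the fault, not the network.
        return {"host": host, "port": port, "status": "CERT_VERIFY_FAILED",
                "detail": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # Refused, timed out, DNS failure, non-TLS listener, etc.
        return {"host": host, "port": port, "status": "UNREACHABLE",
                "detail": str(exc)}

    days = days_until_expiry(cert["notAfter"], now)
    return {
        "host": host,
        "port": port,
        "status": classify(days),
        "days_left": round(days, 1),
        "not_after": cert["notAfter"],
        "subject": dict(x[0] for x in cert.get("subject", ())),
        "issuer": dict(x[0] for x in cert.get("issuer", ())),
    }


def run_inventory(endpoints=ENDPOINTS):
    """Check every endpoint and return the results worst-first."""
    order = {"CERT_VERIFY_FAILED": 0, "EXPIRED": 1, "EXPIRING": 2, "UNREACHABLE": 3, "OK": 4}
    results = [check_endpoint(h, p) for h, p in endpoints]
    return sorted(results, key=lambda r: order[r["status"]])


if __name__ == "__main__":
    for r in run_inventory():
        print(f'{r["status"]:<19} {r["host"]}:{r["port"]}  {r.get("days_left", "")} {r.get("detail", "")}')
```

Run the script as-is against live hosts to produce a worst-first report; in a scheduled job, anything other than `OK` should page someone, and `CERT_VERIFY_FAILED` should be routed to whoever owns certificates rather than to the network team. Note that `getpeercert()` only returns the leaf certificate, so an intermediate that is about to expire will not show up in `days_left`; it will instead surface as `CERT_VERIFY_FAILED` once it has expired, which is one more reason to inventory the full chain rather than wait for the symptom.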
Ed Williams, director, EMEA, SpiderLabs at Trustwave, told SC Media UK that organisations need to pay close attention to all supply chains or risk being infected.
"Following good basics will help; ensure that an appropriate inventory of all equipment and devices attached to the network is kept, and incorporate robust vulnerability management and pen testing to vastly improve security maturity. Once a degree of maturity has been established, look to undertake red/purple teaming engagements. It’s key to remember that security is an ever-evolving process; there is no destination to secure, just a constant journey," he said.
Tim Callan, senior fellow at Sectigo, told SC Media UK that automation of certificate lifecycle management – including renewal – is key. "A good automated platform can track certificates, notify IT professionals when they’re due to expire, and even automatically replace them with new certificates," he said.
"In addition to automation, certificate discovery is key. Outages can occur when developers embedded in lines of business operations or other skunkworks projects obtain certificates without the knowledge of central IT and then move on to new tasks or otherwise fail to monitor the lifecycle of these certificates."