Careless management of crucial security instruments

A staggering 72% of respondents to a Venafi survey admitted that they have no automated process to replace compromised certificates. This means that if their CA vendor is compromised they will be ignorant of where the offending certificates are and have no way of automatically locating and replacing them.

This could bring all business operations of the respondent’s organizations to an immediate halt given that their existing manual processes would require weeks to identify the vulnerable certificates, with no consideration of how to replace them en masse.

This is particularly worrisome when you discover that 76 percent of respondents also expect their certificate population to grow in 2012.

Fifty four percent of respondents admitted to having an inaccurate or incomplete inventory of their SSL certificates, with 44 percent admitting that their digital certificates are manually managed with spreadsheets and reminder notes. This is the equivalent of leaving a post-it note on your front door informing would-be burglars that your home is empty and ready to be robbed.

“Organizations protect mission-critical and often regulated data with hundreds or thousands of encryption keys and digital certificates,” said Jeff Hudson, Venafi CEO. “But as this survey reveals, too many companies have inaccurate or incomplete data about their security assets. The unquantified and unmanaged risks these certificates and keys pose is significant – risks magnified through their increasingly pervasive use in corporate data centers, cloud-based systems, and mobile devices.”

Forty three percent of respondents said that they did not have a centralized corporate policy covering encryption-key strengths or lengths, validity periods, and private key administration and access requirements for proper segregation of duties.

This may allow vulnerable, weak encryption keys to be hacked or compromised, and result in data breaches and the ensuing brand damage. The survey data uncovers worrying complacency on the part of senior management about their stewardship of their own digital assets and information security mechanisms.

Sixty-two percent said they did not have automated processes for enforcing internal, corporate policies or regulatory compliance for how digital certificates and encryption keys are managed. This means that they would fail internal and external audits with risks of steep fines, potential employment termination and brand damage.

Forty-six percent of respondents said that they would not be able to generate a report to discover how many digital certificates they owned and 70 percent admitted that they did not have a certificate management system which would remind them if the certificate renewal request failed, resulting in costly unplanned outages and system downtime.

The survey also reveals that 54 of respondents do not have an automated, repeatable and on-demand way of providing a senior manager, vice president or auditor with a report of exactly how many certificates are present in the entire environment. This means that senior management is being kept in the dark about an unquantifiable risk to their businesses, which could potentially cripple them.