Why certificate automation is no longer just “nice to have”

We’ve all heard the shocking stories about the outages at what should have been bullet-proof organizations like Microsoft, Spotify, and a California Covid-19 testing site. These (and many other) recent outages are attributed to undocumented installations or surprise certificate expirations. Such costly outages are easily avoidable, yet they happen, again and again, sparing no industry or geography.

As internet standards groups look to boost trust and security through new requirements for shorter certificate lifecycles and online privacy acts introduce increasingly punitive regulatory mandates, the business risks of certificate management are only increasing. It’s time to bring error-prone manual processes and spreadsheets to an end.

How the four pillars of certificate automation are shaping the next normal

Certificate automation is talked and theorized about more often than it’s put into practice. IETF protocols and third-party tools have helped, yet many organizations have gaps in the process, making efficient certificate management challenging at best. With complete certificate automation, enterprises reduce their risk of exposure to breaches and outages if certificates expire or are unknowingly deployed in their environment and can respond quickly and with agility as the security and business landscape continues to evolve.

There are four pillars of certificate automation designed to bring enterprises from tactical to strategic: discovery, deployment, lifecycle management, and renewal.

Pillar #1: Discovery

Securing a modern enterprise begins with finding and cataloging all of your certificates. There are likely rogue certificates lingering in your environment that weren’t directly issued by the IT or network security teams. These seemingly non-critical certificates are ticking time bombs, and if forgotten or ignored, leave massive security vulnerabilities. By using automated discovery that regularly scans an entire environment, every certificate is identified, and there are no rogue certificates that go undiscovered until it’s too late.

Pillar #2: Deployment

Manually provisioning or registering a certificate at the right time for the right purpose is an incredibly time-intensive task. Merely deploying an SSL certificate on just one server could take up to 2 hours! And that’s just the beginning – subtasks such as documenting each certificate’s location and purpose, configuring certificates according to a myriad of endpoint devices and varying operating systems, and then confirming that each performs correctly adds to the required time and effort.

Today’s enterprises need to be quick-moving and agile to keep up with constant flux and rapid change. Beyond time saved, automated deployment means reduced human-error and increased reliability and consistency. Fortunately, IETF standards, like Automated Certificate Management Environment (ACME) protocol, are gaining traction and cover most use cases for end-to-end certificate management.

Pillar #3: Lifecycle management

Certificates include the requirements and policies that enterprises use to define trust within their organization, extending the security of using only highly trusted key architectures. To ensure a certificate is always in its best possible state, organizations need to be able to quickly and efficiently revoke and replace certificates on demand and without a hefty time-intensive process. Spending 2+ hours per certificate is unreasonable: it needs to happen seamlessly and at scale.

Automated lifecycle management makes revoking and replacing certificates a touch-free process. And administrators aren’t waiting until the expiration date to make critical certificate upgrades. Instead, they can simply make the order, provision new valid certificates, and revoke old certificates. Everything is automatically switched out with no downtime.

Pillar #4: Renewal

All certificates have an expiration date. It’s a fundamental trust element of a certificate that it is time-bound and will need to be replaced. Effective September 2020, browsers further shortened certificate validity to a 397-day period, putting organizations still managing hundreds or thousands of certificates via spreadsheets into a tailspin. When certificates expire without having been replaced, that’s when we start to see headlines about outages or breaches. Timely certificate renewal is a cornerstone of cybersecurity.

Some organizations claim to be automated because part of their process is automated, such as receiving email notifications about the impending certificate expiration. Sadly, many of these helpful emails end up in a flooded inbox, a spam folder, or to someone on vacation or who is no longer with the organization. More importantly, an email is just an alert. It doesn’t actually renew and install the new certificate.

While it’s essential for organizations to know that renewals are coming, the most significant value of automation of renewals is that the entire process is scheduled to run without interference from individual contributors. More manual labor equals a higher risk of error.

Get prepared with certificate automation

Enterprises are best served by using one certificate management platform—a single pane of glass—to discover, deploy, manage lifecycles, and renew all digital certificates. Visibility is the critical capability enterprises need to enable and enhance the four pillars. This speeds up and simplifies certificate management and the complexity therein of various certificate types, vendors, public and private certificates, and life cycles that require revoke and renewal at different times. Visibility is also the basis for sound corporate governance of trust policies and compliance audits.

The concept of visibility appears throughout the four pillars of certificate automation, from knowing which certificates exist to understanding the PKI (Public Key Infrastructure) behind those certificates. With a single pane of glass visibility, security teams need only take a quick look to absorb information such as whether keys comply with key length and cryptographic requirements, and whether there are non-compliant certificates based on deprecated hashing algorithms.

The more automated your certificate management, the better off and more secure your organization and those you serve will be. Automating the discovery, deployment, lifecycle management, and renewal of certificates is how enterprises move from tactical to strategic.