It’s been two years since the pandemic changed the cybersecurity landscape, with shutdowns forcing people to work, shop, and study online, and businesses to embrace new ways of working via digital in a matter of weeks. Many organizations have innovated and thrived in the hybrid environment, but the changes have expanded their attack surfaces and opened them to new risks.
Beyond accelerating digital transitions, the pandemic also put a plethora of devices and digital identities into play—and with them, an influx of digital certificates. The greater number of digital identities in use has made it harder for organizations to keep track of digital certificates, which have become an overlooked threat to cloud operations. Whether it’s protecting a website, the network, or IoT devices, digital certificates play a foundational role in securing virtually every line of business by verifying the identity of a device and/or user and allowing for encrypted connections via the internet.
While they are not necessarily considered the most nefarious of threats, expired certificates can result in outages—ranging from a single user unable to gain Wi-Fi access to global service disruptions that can affect millions of customers. Despite not being considered the gravest of threats lurking in cyberspace, expired certificates plague enterprises around the world, with 88% of companies reporting that they have experienced at least one outage in the past 24 months related to an expired certificate.
Those outages are more than an inconvenience—they can impact revenue, reputation and recovery. And because of the increasing reliance on digital transactions, it’s likely we’ll see a surge in outages and breaches related to expired certificates.
Client certificates go unchecked
Let’s unpack this a bit more. Digital certificates allow online transactions by sharing public keys used for authentication and encryption. There are two types of SSL/TLS certificates: A server-side certificate ensures the security of the connection between a client computer and a server, and gets used in almost every web-based connection on the internet today; in the case of a website, it gives the browser some assurance that it’s in the right place. But a growing number of TLS connections – especially those involving web services – also leverage client-side certificates, that mutually authenticate the client that initiated the connection with a website.
With the proliferation of digital transactions—fueled by DevOps development, microservices, edge computing, cloud architectures, and IOT—client certificates have become more common. In fact, they often outnumber their server-side counterparts more than 1,000:1. And they are running rampant because many certificate management tools concentrate exclusively on server-side certificates. This creates a “blind spot” for organizations when it comes to protecting against outages resulting from expired certificates.
The importance (and risks) of expired certificates
Beyond this, the shelf life of a digital certificate has been shortened over the past decade: from five years in 2012 to a little over two years in 2018, and then to 398 days as of July 2020. While handling expiring certificates can be a pain, certification expirations are very necessary. The alternative option— having infinite life or non-expiring certificates – can present more complications. While there are lots of reasons for this, cryptography tends to grow “stale” with age: the National Institute of Science and Technology (NIST) has guidelines for how long security teams can use keys of certain types, sizes, and exposure levels to help maintain an adequate security posture. In the same way we renew other credentials, like passwords, and even driver’s licenses and passports, limiting certificate lifespan offers a net benefit for security because it helps ensure the accuracy and viability of a digital identity in our ever-changing online world.
Of course, this also complicates the task of renewing certificates. While short-lived certificates are safer in our fast-changing environment, they also increase the burden on teams responsible for issuing and renewing them. If a certificate expiration goes unnoticed and website owners forget to renew the certificate in time, an outage is soon to follow.
The impact expired digital certificates have on an organization are often far-reaching. A joint Keyfactor and Ponemon survey of about 2,400 respondents found that the average company with global operations spends roughly $15 million recovering from a certificate outage. Of the organizations that experienced an average of two certificate-related outages over a two-year period, half reported losing customers as a result of unsecured certificates.
The existence of a growing number of expired certificates also has contributed to a number of security breaches. In September, for example, security experts discovered a significant attack that used a fake alert about an expired certificate on websites using Windows Internet Information Services. On some pages, users saw an error page urging them to install an update, which instead downloaded a fake installer update with malware that gave attackers full remote access to the device that downloaded it.
Even if the teams responsible for renewing certificates get ahead of the expiration date, human error resulting from manually managing certificates has become a major cause. This can create a variety of vulnerabilities if not done right. Mismanaged certificates can expose an organization to spoofed content, denial-of-service, phishing, and man-in-the-middle attacks. In the process, attackers could issue rogue certificates to impersonate domains, applications, or trusted networks, thereby compromising the integrity of all certificates in that certificate authority’s (CA) chain.
The need for automated certificate management
The unnoticed expiration of digital certificates and the vulnerabilities created by human errors often stem from managing certificates in a manual, ad hoc manner. With organizations adopting digital transformation at a faster pace than ever, organizations should not handle digital certificates manually, where there’s a great margin of error. Instead, organizations should adopt a robust, automated PKI certificate management application.
A centralized, automated certificate management system offers organizations the following benefits:
- Certificate discovery: It’s important to find each and every certificate in use in the organization and bring all of them into a central inventory. While it’s useful to perform network scans for certificates, it won’t help organizations find client-side certifications. These often require other methods of discovery, such as gathering them from CAs or scanning devices or file systems. With a complete, single view of all certificates, organizations can quickly and easily search and filter their inventory and monitor certificate status for configuration, expiration, and compliance.
- Tracking and renewing: As more digital certificates are distributed across an organization, visibility becomes an increasingly difficult obstacle. If an organization can’t see all of its certificates, there’s no way it can replace them before expiring. With an up-to-date inventory, organizations can then group certificates by business need, application, or team and create automated alerts to renew certificates proactively before they expire – lowering the likelihood of website failures and service downtime caused by invalid certificates.
- Enabled self-service: With certificate automation, organizations can offer their security teams more control to generate, request, and issue certificates from any CA. This includes the decision of whether to automatically push and install certificates on endpoints, which significantly reduces administrative obstacles, deployment times, and manual mistakes.
While moving from manual to automated processes has historically been challenging for many organizations, new automation tools and protocols have made it easier to transition from manual to automated control. However, organizations should establish clear guidelines and policies for when to use automation and when to use manual control based on operational or organizational constraints.
Online operations and transactions have never been more important to businesses and other organizations. Ensuring the validity of the digital certificates that make those connections happen has become paramount to preventing outages and breaches that can damage businesses. In today’s world, effective certificate management has become an essential step to ensuring continued and uninterrupted operations. It’s time for enterprises to take an honest look at their IT environments and make the switch to automated certificate management.
Ted Shorter, chief technology officer, Keyfactor