Most people would be shocked to learn the degree to which secrets power everything in their lives. There is nothing sinister about these secrets—in fact, just the opposite. They come in the form of the digital certificates used to safely authenticate users, devices, applications and other identities—which means they help keep everything from laptops and phones to passports and credit cards secure from outside interference. Although they have been used for decades, digital certificates remain the most effective way to keep a secret in an increasingly digital world—and the vast majority of people don’t even know they exist.
The Covid-19 pandemic precipitated a massive shift to remote work, and securing an increasingly distributed workforce is now a top priority for organizations. Other changes, including the growing complexity of IT architecture and the rise of cloud and multi-cloud environments and DevOps practices, combined with shortened certificate lifetimes, have contributed to a massive increase in the number of certificates the average organization must manage. With certificate counts continuing to skyrocket and the trend showing no signs of slowing, understanding how digital certificates work and how to manage them effectively will only become more important for modern organizations.
What Makes Digital Certificates So Important?
Certificates are everywhere. For businesses, each employee usually generates at least three certificates: one for their user identity, one for their phone and one for their laptop. Of course, that’s just for employees—most businesses also need certificates for things like web servers, cloud applications, point-of-sale devices and countless other use cases. An organization with 1,000 employees will have at least 3,000 certificates to manage from its employees alone, and most will have significantly more than that. Remember, each new user, device or application connecting to the network means at least one more certificate.
Remote work has necessitated VPNs, remote access tools and other applications that require certificates. The rise of DevOps development has also had a major impact, with certificates used to secure DevOps containers which may only remain valid for a matter of hours. There are more cloud-based applications than ever, and new use cases like passwordless access and remote authentication are becoming commonplace.
For modern enterprises, the number of certificates in use can be staggering—but necessary. Any entity attempting to authenticate onto a network needs to be able to demonstrate it is who or what it claims to be—otherwise, bad actors could operate with impunity. Using digital certificates to verify valid user, device and other identities allows the system to identify who is connecting to the network and what they are attempting to do. This is important, because even if an attacker gets a foothold in the network using stolen credentials, they still won’t have the user’s certificate. This means when they attempt to move within the network, red flags will start to surface. Modern intrusion detection and prevention tools are focusing more and more on detecting those red flags.
Unfortunately, while those responsible for managing these certificates understand how important they are, that information doesn’t always make its way up the organizational ladder. Business leaders tend to think of encryption as part of the plumbing—something they expect to “just work” without much direct interference. But as the number of certificates in use rises, the consequences of poor certificate management are growing more apparent. The need for comprehensive Certificate Lifecycle Management (CLM) is more pressing than ever.
The Consequences of Poor CLM—and How to Avoid Them
Digital certificates have fixed term lengths, although these terms can vary widely depending on the purpose of the certificate. For instance, while DevOps certificates have a fleeting lifespan, other, less sensitive certificates may remain active for a year or more. Incidents of key compromise are rare, but they do happen, and certificates that expire after a certain amount of time provide an extra layer of security. Certificates that expire automatically also allow organizations to rotate their private keys and adapt to new threats as they emerge. This means that shorter term lengths provide greater security—but they also necessitate more frequent renewals. Given today’s growing certificate volumes, this can be cumbersome for many organizations.
In the past, IT personnel might have been able to manage certificate renewals using a simple spreadsheet. But with certificates now numbering in the thousands and millions, this sort of manual management is no longer possible. When a certificate is allowed to accidentally expire, there can be significant consequences, including service outages and downtime. Recent estimates indicate a single hour of downtime can cost an average organization more than $150,000—which means a day-long outage could be enough to put some enterprises out of business. High-profile outages like the O2 mobile disruption further drive home the seriousness of the issue.
Organizations are turning to automation to solve this problem. Automating the CLM process helps prevent the costly consequences of certificate expirations and streamline the process of certificate management across the DevOps and cloud environments and the countless other areas today’s enterprises need to secure. The discovery process alone can be eye-opening for organizations that likely do not even know how many certificates they have in use—or which Certificate Authority (CA) issued them. Modern, CA-agnostic CLM tools can help establish clear rules for the issuance, management, renewal and revocation of certificates, regardless of use case, term length or issuing CA.
Prioritizing CLM Is a Must
It’s difficult to overstate how important visibility and automation tools are to modern certificate management—or how damaging the consequence of poor management can be. Although outages caused by certificate expirations have plagued even major enterprises like Microsoft, too many business leaders remain unaware of the ticking time bomb poor certificate management represents. This needs to change. Digital certificates are too essential to modern network architectures to be overlooked any longer, and organizations that value safety, security—and, yes, secrecy—should make strong CLM a top-level priority.
