Management Mayhem, Part 3: How to Avoid the Hidden Costs of Certificate Management
Tue, 01/22/2019 – 06:30
Not only that, but the demand for machine identities continues to sky rocket, driven largely by cloud and DevOps initiatives. Developers need security at speed, and that is not negotiable. However, current approval and renewal processes are not designed for today’s cloud and DevOps world.
As a result, developers often turn to self-signed certificates and shadow certificate authorities (CAs) to solve their fast IT needs. While these certificates are initially free, they may represent a potential productivity cost down the road as they are rarely tracked in enterprises that do not have an enterprise grade, role based machine identity platform. This behaviour results in an ever increasing vulnerability and risk of outages or breaches facing enterprises today.
All of these factors drive the average large enterprise to use at least 10,000 machine identities (this number can rise by orders of magnitude to hundreds of thousands in many enterprises). Even if we assume that you have only one event per certificate per year (and you could have many more), you are talking about a cost of between 20,000 and 60,000 hours per year! This represents productivity loss of millions of dollars in most large enterprises.
Let’s say you want to lower these costs. Reducing the number of certificates isn’t an option. The cold, hard reality is that if you don’t have this many machine identities, then you don’t have a good security posture!
The only way to prevent this kind of hidden productivity drain is to install a machine identity platform that allows you to maximise zero-touch certificate renewals where possible, and minimise human error and impact where you require some manual intervention. Utopia is, of course, for you to move to 100% automated management of machine identities, performed entirely by a machine (platform) that never makes an error or misses a deadline. But that is not feasible. Yet.
The best place to start is with the least-skilled stakeholders. They tend to spend the most time figuring out the nuances of the certificate life cycle and are more likely to make mistakes. Enabling a self-help certificate portal for business units will help to remove load from expensive help desk staff and improve the overall quality of your certificate attributes.
Even with high levels of self-service and automation, you’ll still need to monitor your complete universe of machine identities. To do this, you’ll need a single dashboard showing all your machine identities, and have access to information such as business owners, where the certificates and digital keys reside and a history of where they are used and copied. This intelligence can save you hundreds of hours if you experience a security event, such as an outage or CA distrust or compromise. Simply being able to locate all impacted certificates quickly will give you a faster route to mitigate large scale events.
Minimizing your exposure to a security event will lower potential productivity costs. A complete 360 degree view should include security compliance issues such as key length, algorithm, duration and role-based authority. A robust management platform for all your keys and certificates that represent all your machine identities will also help you validate that you have no rogue identities, inactive certificates or exposed keys. You will also need access to historical data for the purposes of non-repudiation and forensics, access to old data and for compliance audits.
Just like in the physical world, copying keys is cheap. Allowing them to be used for illicit entry is expensive. But your real business value does not reside physically within your office walls. It’s in the connections and commerce of the digital world. Are you doing enough to protect the digital keys and certificates that comprise your machine identities?
When looking at the internal costs of issuing a certificate, management often measures only the 15-30 minutes spent by the PKI desk to issue a certificate. But that is not a complete representation of the costs. In fact, I have never once seen a true record that factors in the lost productivity across the enterprise. As I outlined in my last blog, I estimate that the average organization exhausts somewhere between 2 and 6 hours per certificate per event, which includes requests, renewals, revocations and retiring a certificate.
So now we have some additional data to estimate the cost per event. But that number will also be inflated by the frequency of certificate events, which is rising dramatically. As machine identities are now lasting between a few hours and 2 years, many certificates are being replaced several times a year. With security postures recommending moving to 90 days maximum validity, certificate events represent a cost with serious potential for blow out.
*** This is a Security Bloggers Network syndicated blog from Rss blog authored by kdobieski. Read the original post at: https://www.venafi.com/blog/management-mayhem-part-3-how-avoid-hidden-costs-certificate-management-0