Businesses are deploying increasing numbers of digital certificates and encryption technologies, but these security assets are also becoming lost, stolen and unaccounted for in epidemic proportions, a survey has revealed.
More than half of over 400 US respondents said digital certificates had either been lost or stolen in their organisations or they were uncertain if they had, and 54% said encryption keys had been lost or stolen or they were uncertain if they had.
Digital certificates and encryption keys are critical components of all information security programs, but they become dangerous liabilities when they go missing and find their way into the wrong hands, the 2011 Venafi Encryption Key and Digital Certificate Management Report says.
"It is well documented that digital certificates played a key role in the Stuxnet attack that destroyed multiple centrifuges in an Iranian nuclear facility, and it is widely accepted that lost encryption keys can provide malicious insiders access to valuable corporate information revealed on high-profile whistle-blower sites such as WikiLeaks," said Jeff Hudson, chief executive of key and certificate management firm Venafi.
Exacerbating the problem, the report says, is the volume and diversity of encryption technologies and certificate authorities organisations must deal with on a daily basis. The number of encryption assets in their inventories grows regularly, and scattered individuals and teams frequently manage them.
Some 46% of organisations are managing at least 1,000 digital encryption certificates, and 20% are managing more than 10,000.
Most are working with several certificate authorities, with 83% dealing with at least two, and 18% dealing with more than five.
Similarly, 88% of organisations have multiple administrators managing encryption keys, and 22% have more than 10. Some 42% manage encryption technologies from at least four suppliers, while 8% are dealing with more than 10.
Respondents' organisations spanned a wide range of industries, including high tech, telecommunications, financial services, energy, government, aerospace, manufacturing and retail.
Reliance on antiquated, resource-intensive manual management processes is not only exacerbating security and compliance problems, but also leaving expired certificates in place, which lead to costly systems downtime and outages, the report says.
There is a lack of understanding and guidance when it comes to available best practices and solutions that can eliminate unquantified and unmanaged risk, the report concludes.