Most companies are risking downtime of their critical business systems in the light of recent data breaches suffered...
by third-party digital certificate authorities (CAs), a survey has revealed.
Digital certificates are used mainly to verify the identity of a person or device, authenticate a service or encrypt files.
Some 72% of about 170 US companies polled, admitted that they have no automated process to replace compromised secure socket layer (SSL) digital certificates.
This could bring all business operations to an immediate halt, according to enterprise key and certificate management firm Venafi, which commissioned the survey.
Manual processes typically take weeks to identify the vulnerable certificates, but then there is is still the problem of replacing them, the company said.
More than half of respondents admitted to having an inaccurate or incomplete inventory of their digital certificates, with 44% admitting that their digital certificates are managed using spreadsheets.
The survey also revealed that the problem is a growing one, with 76% of respondents indicating that they expect the number of certificates used by their organisation to grow in 2012.
“Organisations protect mission-critical and often regulated data with hundreds or thousands of encryption keys and digital certificates,” said Jeff Hudson, chief executive of Venafi.
“But as this survey reveals, too many companies have inaccurate or incomplete data about their security assets," he said.
According to Hudson, the unmanaged risks these certificates and keys pose is significant, particularly because of their increasingly pervasive use in corporate data centres, cloud-based systems, and mobile devices.
The survey found that 43% of respondents' organisations did not have a centralised corporate policy covering encryption-key strengths or lengths, validity periods, and private key administration and access requirements for proper segregation of duties.
This may allow vulnerable, weak encryption keys to be hacked or compromised, and result in data breaches and the ensuing brand damage, said Hudson.
"The survey data uncovers worrying complacency on the part of senior management about their stewardship of their own digital assets and information security mechanisms," he said.
Some 62% did not have automated processes for enforcing internal, corporate policies or regulatory compliance for how digital certificates and encryption keys are managed.
"This means that they would fail internal and external audits with risks of steep fines, potential employment termination and brand damage," said Hudson.
Nearly half of respondents said that they would not be able to generate a report to discover how many digital certificates they owned and 70% admitted that they did not have a certificate management system which would remind them if the certificate renewal request failed, resulting in costly unplanned outages and system downtime.
The survey also reveals that 54% of respondents do not have an automated, repeatable and on-demand way of providing a senior manager, vice president or auditor with a report of exactly how many certificates are present in the entire environment.
"This means that senior management is being kept in the dark about an unquantifiable risk to their businesses, which could potentially cripple them," said Hudson.