Chief information officers (CIOs) admit that critical business applications and services are routinely affected by outages related to digital certificates, a study has revealed.
In fact, six in 10 respondents admitted their organisation experienced certificate-related outages in the past year, while 74% said they had been affected in the past 24 months, according to a study by machine identity protection provider Venafi.
The study of the scale and frequency of certificate-related outages polled 550 CIOs from the US, UK, France, Germany and Australia. Certificate-related outages harm the reliability and availability of vital network systems and services while also being extremely difficult to diagnose and remediate, the report said.
The majority of respondents (85%) believe the increasing complexity and interdependence of IT systems will make outages even more painful in the future, while nearly 80% estimate certificate use in their organisations will grow by 25% or more in the next five years, with more than half predicting minimum growth rates of more than 50%.
While 50% of CIOs are concerned that certificate outages will have an impact on customer experience, 45% are more concerned about the time and resources they consume, the study shows.
“Recently, a machine identity-related outage impacted 32 million O2 mobile customers in the UK, and estimates suggest the 24-hour outage could have cost the company $100m,” said Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi.
“Ultimately, companies must get control of all of their certificates; otherwise, it’s simply a matter of time until one expires and causes a debilitating outage. CIOs need greater visibility, intelligence and automation of the entire lifecycle of all certificates to do this.”
While humans rely on usernames and passwords to identify themselves and gain authorised access to applications and services, machines use digital certificates as their identities to communicate securely with other machines and gain the same kind of authorised access.
In 2019, organisations are expected to spend more than $10bn to protect and manage passwords, but, according to Venafi, they will spend almost nothing to protect and manage machine identities. At the same time, Venafi said most organisations do not have a clear understanding of how many machine identities are in use, which devices are using them and when they will expire.
This lack of comprehensive visibility and intelligence leads to outages, the report said.
“Since certificates control authentication and communication between machines, it is important not to let them expire unexpectedly,” said Bocek. “And because the symptoms of machine identity-related outages mimic many other hardware and software failures, diagnosing them is notoriously time-consuming and difficult without the necessary monitoring and remediation systems in place.”