Enterprise key and certificate management firm Venafi, in conjunction with Osterman Research, recently released the results of a study, which showed that most organizations fail to understand the risks associated with improper implementation and management of SSL deployments.
The sample size for the study, 174 IT / InfoSec professionals, is rather small, but the data collected by Venafi is relevant nevertheless.
Fifty-four percent of respondents, for example, admitted to having an inaccurate or incomplete inventory of their Secure Socket Layers (SSL) certificate populations. Forty-four percent of respondents admitted to manually managing digital certificates with spreadsheets and reminder notes—another worst practice related to a lack of risk recognition. Forty-six percent of respondents indicated that they could not generate reports to discover how many currently deployed digital certificates were set to expire within the next 30 days.
Seventy percent said their encryption systems were not integrated with their corporate directories. Forty-three percent of respondents said they do not have centralized corporate policies that mandate specific encryption-key lengths, certificate validity periods and private-key administration requirements. Finally, forty-four percent of these respondents acknowledged that they were worried, but had not yet re-evaluated their CA compromise and related business continuity strategies, while only 17 percent had.
“The importance of sound certificate management practices is highlighted by the repeated certificate authority (generally referred to as CA) breaches over the past year,” said Michael Osterman, president of Osterman Research.
“We were startled by the lack of urgency regarding the issue. When considered in tandem with the high-value target CAs represent to hackers, we can predict more CA breaches and more security threats than we saw in 2011.”