Expired Digital Certificates: A Management Challenge

Hacks on certificate authorities like DigiNotar and Comodo draw headlines, but there's a bigger threat lurking right in your company.

Much has been made of the security compromises at digital certificate authorities (CAs) such as DigiNotar and Comodo, leading some industry experts to question the validity of certificates in general.

But a research report by Gartner identifies a more widespread risk to businesses and other enterprises: certificates that expire because the organization does a poor job of keeping track of them. An expired certificate leads to blocked access to a server, website, or other program, which, if it's an internal service, means headaches and downtime, and if it's an external-facing service, can tarnish an organization's reputation.

"Trust is the linchpin for everything we do in our digital world," said Eric Ouellet, a Gartner analyst and co-author of the report "X.509 Certificate Management: Avoiding Downtime and Brand Damage." X.509 is the industry-standard format for digital certificates, which he likened to a passport or a state-issued driver's license.

Certificates lapse because there are so many of them within an organization and managers often have to manually check a spreadsheet to identify them, determine their expiration dates, and actively renew them so they don't expire. The report says tracking certificates can become unwieldy if there are 200 or more of them within an organization.


Certificates can be difficult to track if someone creates a certificate and doesn't tell anybody about it, Ouellet said. An example may be a developer who creates a test certificate while writing an application and leaves it there when the app is deployed. In other situations, the developer, the business unit using the app, a system integrator, or an IT security person each engage in finger-pointing with the others over who's responsible for the certificate.

"You need to track these certificates, especially the external-facing ones, because what happens is that if you don't keep track ... they can expire without you being aware of it," Ouellet said.

Manual spreadsheet tracking can also fail if the CA isn't identified, he added. This particular problem has affected users of the DigiNotar CA in the Netherlands. In 2011, 531 stolen DigiNotar certificates endangered popular Internet sites such as Google, Facebook, Twitter, and Skype, as well as government intelligence services such as the CIA (United States), MI6 (Great Britain), and Mossad (Israel).

The result is that DigiNotar went out of business and every certificate it ever issued was instantly invalidated, Ouellet said. Furthermore, all of the leading Web browsers, such as Internet Explorer, Google Chrome, and Firefox, were modified to block DigiNotar certificates. He said it was the equivalent of someone's name being placed on the FBI's No Fly List.

The CA Comodo was also breached in 2011, but that breach was more contained than DigiNotar's, he said, so Comodo certificates are still valid.

But if an organization doesn't track the CA issuing its certificates, it may have invalid DigiNotar certificates and not realize it.

There are automated certificate management systems to discover certificates on a network, identify who issued them, determine their validity, and, in some cases, automatically renew them.

The Gartner report identifies the Venafi Director Series, the Trustwave Certificate Lifecycle Manager, and the Verisign Certificate Intelligence Center as examples. However, while the Venafi and Trustwave offerings manage certificates regardless of the CA that provided them, Verisign's service only manages certificates issued by Verisign, whose certificate business was acquired by Symantec in 2010. (See Comodo Warns Of VeriSign SSL Vulnerability.)
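The discovery-and-validity check described above, reduced to its core, as an added example: this Go program is not from the article, the Gartner report, or any of the products named, and uses only the standard library. It constructs four certificates with a throwaway key (the issuer names, hostnames, the distrusted-issuer list and the fixed clock are all constructed for the example), then does what an inventory tool does for each PEM certificate it finds: record subject, issuer and expiry, and flag certificates that are already expired, that expire inside a warning window, or whose issuer is on a distrusted-CA list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the certificate inventory: what a tracking tool
// would record for each certificate it discovers.
type Finding struct {
	Subject, Issuer string
	NotAfter        time.Time
	DaysLeft        int  // negative once the certificate has expired
	Expired         bool
	ExpiringSoon    bool // still valid, but inside the warning window
	Distrusted      bool // issuer CommonName is on the distrusted-CA list
}

// distrustedIssuers is a constructed list; a real inventory would load the
// CAs that browsers and operating systems have actually stopped trusting.
var distrustedIssuers = map[string]bool{"DigiNotar Example Root": true}

// Inventory decodes every CERTIFICATE block in pemData and classifies it
// against the supplied clock and warning window (in days).
func Inventory(pemData []byte, now time.Time, warnDays int) ([]Finding, error) {
	var out []Finding
	for rest := pemData; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			return out, nil // no more PEM blocks
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys and other PEM material
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		expired := cert.NotAfter.Before(now)
		out = append(out, Finding{
			Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName,
			NotAfter: cert.NotAfter, DaysLeft: days, Expired: expired,
			ExpiringSoon: !expired && days <= warnDays,
			Distrusted:   distrustedIssuers[cert.Issuer.CommonName],
		})
	}
}

// makeLeaf signs a constructed leaf certificate with a throwaway key so the
// example has input with a chosen issuer name and expiry. Only the issuer's
// name is needed, so the parent is a bare template, not a real CA certificate.
func makeLeaf(issuerCN, subjectCN string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subjectCN},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, leaf, issuer, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleInventory runs Inventory over four constructed certificates with a fixed clock.
func SampleInventory() ([]Finding, error) {
	now := time.Date(2012, 1, 17, 12, 0, 0, 0, time.UTC)
	start := now.AddDate(-1, 0, 0)
	var all []byte
	all = append(all, makeLeaf("Example Trusted CA", "www.example.com", start, now.AddDate(1, 0, 0))...)           // healthy
	all = append(all, makeLeaf("Example Trusted CA", "intranet.example.internal", start, now.AddDate(0, 0, 10))...) // renew now
	all = append(all, makeLeaf("Example Trusted CA", "test.example.internal", start, now.AddDate(0, 0, -30))...)   // forgotten test cert
	all = append(all, makeLeaf("DigiNotar Example Root", "mail.example.com", start, now.AddDate(1, 0, 0))...)      // distrusted issuer
	return Inventory(all, now, 30)
}

func main() {
	findings, err := SampleInventory()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-26s issuer=%-24q days=%4d expired=%-5t soon=%-5t distrusted=%t\n",
			f.Subject, f.Issuer, f.DaysLeft, f.Expired, f.ExpiringSoon, f.Distrusted)
	}
}
```

The clock is passed in rather than read from `time.Now()` so a run is reproducible and so the same check can be replayed against a past or future date; in a real deployment the PEM input would come from the certificates discovered on file systems, key stores and listening services, and the issuer list from the trust stores the organization's clients actually use.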


Comments
BDouglas,
User Rank: Apprentice
1/17/2012 | 7:59:55 PM
re: Expired Digital Certificates: A Management Challenge
To BPrince's question, I think that it's a problem that has been under the radar and bubbling up without a lot of thought and dedicated resources. Homegrown solutions, spreadsheets, and even scripting for email reminders only work up to a certain point before the number of certificates becomes too much to handle. It also seems that the process is a silo in every department of every organization, thus proving a challenge to manage centrally.
Every company should start looking into these automated key and certificate management options - not only for security purposes, but for audit/compliance and operational benefits as well.
Dave24,
User Rank: Apprentice
1/17/2012 | 4:02:23 PM
re: Expired Digital Certificates: A Management Challenge
The recent growth in the volume of digital certificates has exacerbated the issues mentioned above. CA Technologies provides a certificate lifecycle management solution (CA Arcot RegFort).

This digital ID management system automates the process of digital ID issuance and management by supporting a range of registration options, credential types, certificate authorities ... and there has been increased interest in this solution in recent months.
Bprince,
User Rank: Apprentice
1/17/2012 | 2:49:38 PM
re: Expired Digital Certificates: A Management Challenge
Curious as to what is leading to the apparent lack of uptake in automated certificate management systems to track this issue. @readers: Thoughts?
Brian Prince, InformationWeek/Dark Reading Comment Moderator