SSL certificates are cornerstone security elements for many enterprises. Yet new research shows that few organizations have deployed effective processes for securely managing those certificates.
A study from Osterman Research has found that the majority of enterprises don’t have an accurate inventory of their SSL certificate population. Even among those that do track the certs they have, 44 percent of the survey’s 174 IT security professional respondents admitted that their digital certs are managed manually, with spreadsheets and reminder notes.
Furthermore, 46 percent admitted that they didn’t have the ability to generate a report that would tell them how many certs are expiring in the next 30 days. Of particular concern is the finding that 72 percent did not have an automated process to replace any compromised certificates.
The issue of SSL certificate risk is not a theoretical one. SSL Certificate Authorities including Comodo and more recently DigiNotar have had their infrastructure attacked, leaving compromised certificates in their wake.
Some 70 percent of respondents also noted that their certificate systems were not linked to their corporate directories. As a result, when there is employee turnover, expiry and renewal notifications addressed to a certificate’s owner may never reach anyone. Key-length policy is another area the Osterman survey found lacking: forty-three percent said their organizations did not have a corporate policy on certificate encryption key length. That’s a problem for requirements such as PCI compliance, where 2,048-bit keys are required.
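As an added illustration (not part of the Osterman report or this article), the following Go program produces the two reports the survey found missing: certificates expiring within the next 30 days and RSA keys shorter than 2,048 bits. It reads a PEM inventory; here the inventory is two constructed self-signed certificates with made-up hostnames, so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// AuditCerts returns one finding per CERTIFICATE block in pemData that expires within
// window of now or carries an RSA key shorter than minBits (the 30-day / 2048-bit checks).
func AuditCerts(pemData []byte, now time.Time, window time.Duration, minBits int) ([]string, error) {
	var findings []string
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // skip private keys and CSRs that share inventory files
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		if cert.NotAfter.Before(now.Add(window)) {
			findings = append(findings, cert.Subject.CommonName+": expires "+cert.NotAfter.Format("2006-01-02"))
		}
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minBits {
			findings = append(findings, fmt.Sprintf("%s: RSA key is only %d bits", cert.Subject.CommonName, pub.N.BitLen()))
		}
	}
	return findings, nil
}
// selfSigned builds a constructed sample certificate for the demo; it is not a real cert.
func selfSigned(cn string, bits, days int) []byte {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
// Constructed inventory: one cert expiring in 10 days, one with a 1024-bit key.
func main() {
	fmt.Println(AuditCerts(append(selfSigned("soon.example.test", 2048, 10), selfSigned("weak.example.test", 1024, 400)...), time.Now(), 30*24*time.Hour, 2048))
}
```

In practice the inventory bytes would come from the organization's certificate store or an export of it, and the findings would feed the ticketing or renewal workflow the survey respondents lacked.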