Preparing for digital transformations

How to fend off the manual certificate management tsunami

Brian Trzupek

Certificates can be a double-edged sword. On one hand, they’re crucial to protecting modern and complex networks. On the other, they can pose an incredible burden to manage. But they don’t have to.

New data from DigiCert’s 2021 State of PKI Automation survey shows what a huge job certificate management can be. Our survey shows that the average enterprise has to deal with over 50,000 certificates spanning a wide range of uses: document signing, user certificates, mobile devices, server certificates and more.

Over a third – 37 percent – have at least three separate departments managing those certificates and 61 percent of respondents worried about the amount of time it would take to manage the load. The headaches involved in managing such a complex web of certificates are quite understandable. They’re often the cause of security mishaps and sometimes operational paralysis.

Survey respondents told us that on average around 1200 of their certificates go unmanaged and nearly half of them – 47 percent – have said that they frequently run across rogue certificates. The scope of this problem goes further than our survey – another report from Ponemon in 2020 revealed that 71 percent of organisations did not know which certificates they were using or how many.

Given the sensitivity of what certificates protect, even one rogue certificate can spell trouble for an organisation. In fact, this happens all too regularly. A quarter of our respondents reported that they had experienced 5-6 outages in the last six months and two-thirds said that they had experienced downtime as a result of expired certificates.

These kinds of mishaps can lead to service outages, compliance penalties and sometimes catastrophe. One of the principal examples of this happened in December 2018 when Swedish telecoms giant Ericsson accidentally let a certificate expire, leading to outages in 11 countries. In the UK, 32 million mobile customers lost service as a direct result of the outage.

That’s an extreme example, but it is not exactly an outlier either. That same 2020 Ponemon report showed that the average cost of outages over two years comes to nearly £50 million from lost productivity, reputational damage, remediation and all of the other costs that come from these kinds of security mishaps and service outages.

If certificate management is a problem now, then it’s just a taste of the problems that could arise in our fast-transforming digital world. Our survey showed that the number of PKI certificates that any one enterprise has to manage has risen by nearly 50 percent.

Digital transformation is one of the main currents of the modern age. Digital enterprises are expanding at a fast pace – and every passing day sees more users, identities, devices and endpoints onboarded onto networks. An exponential growth here necessitates an exponential growth in certificates too. As the digital enterprise expands, so will the problems associated with certificate management.

At the same time, certificate lifespans are shrinking. Ten years ago, certificate lifespans could run as high as a decade. In 2012, that was cut in half to just five years. Last year, major browsers decided to cut the maximum lifespan of certificates from two years to just 398 days. The burden of certificate management has mounted as time has gone on, and if history is anything to go by, those lifespans may be cut again.
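The outages from expired certificates described above and the 398-day maximum lifespan both come down to knowing the validity period of every certificate you hold. The following added example (written for this page, not code from DigiCert or the survey) shows how to pull notBefore/notAfter out of a DER-encoded X.509 certificate using only the Python standard library and run two inventory checks over it: certificates inside a renewal window and certificates whose lifespan exceeds 398 days. The 30-day renewal window, the hostnames and the sample certificates are assumptions; the certificates are constructed by the encoder in the file (no real keys or signatures) so the script runs offline.

```python
"""Audit X.509 validity periods with the standard library only.

Added example: a minimal DER walker extracts notBefore/notAfter from a
certificate, then an inventory audit flags certificates that are expired,
close to expiry, or issued with a lifespan over the 398-day browser maximum.
"""
from datetime import datetime, timedelta, timezone

MAX_LIFESPAN_DAYS = 398    # browser-imposed maximum lifespan cited above
RENEWAL_WINDOW_DAYS = 30   # assumed renewal policy, not from the article

# OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), used by the sample encoder
_SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_tlv(tag, value):
    """DER-encode one element with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _parse_time(tag, value):
    """Decode an RFC 5280 Time: UTCTime (0x17) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:                                  # YYMMDDHHMMSSZ, pivot at 50
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:                                # YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER,
                                  signature, issuer, validity, subject, ... }
    """
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("expected tbsCertificate SEQUENCE")
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                  # explicit [0] version (v2/v3)
        tag, _, pos = _read_tlv(tbs, pos)            # serialNumber
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    _, _, pos = _read_tlv(tbs, pos)                  # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)                  # issuer Name
    tag, validity, _ = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("expected validity SEQUENCE")
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return _parse_time(t1, nb), _parse_time(t2, na)


def build_test_certificate(not_before, not_after):
    """Constructed, unsigned certificate: enough structure for the parser only."""
    def utc(dt):
        return _encode_tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    alg = _encode_tlv(0x30, _encode_tlv(0x06, _SHA256_RSA_OID))
    tbs = b"".join([
        _encode_tlv(0xA0, _encode_tlv(0x02, b"\x02")),   # version v3
        _encode_tlv(0x02, b"\x01"),                      # serialNumber 1
        alg,                                             # signature algorithm
        _encode_tlv(0x30, b""),                          # issuer (empty Name)
        _encode_tlv(0x30, utc(not_before) + utc(not_after)),
        _encode_tlv(0x30, b""),                          # subject (empty Name)
        _encode_tlv(0x30, b"\x00" * 16),                 # subjectPublicKeyInfo placeholder
    ])
    sig = _encode_tlv(0x03, b"\x00" * 33)                # dummy BIT STRING signature
    return _encode_tlv(0x30, _encode_tlv(0x30, tbs) + alg + sig)


def audit_inventory(inventory, now):
    """Map each (name, der) pair to a list of findings (empty list = healthy)."""
    findings = {}
    for name, der in inventory:
        issues = []
        not_before, not_after = certificate_validity(der)
        lifespan = (not_after - not_before).days
        if lifespan > MAX_LIFESPAN_DAYS:
            issues.append(f"lifespan {lifespan}d exceeds {MAX_LIFESPAN_DAYS}d maximum")
        if not_after <= now:
            issues.append("expired")
        elif not_after - now <= timedelta(days=RENEWAL_WINDOW_DAYS):
            issues.append(f"expires in {(not_after - now).days}d; renew now")
        findings[name] = issues
    return findings


def demo(now=datetime(2021, 9, 1, tzinfo=timezone.utc)):
    """Run the audit over a constructed four-certificate inventory."""
    d = timedelta
    inventory = [
        ("web-ok", build_test_certificate(now - d(days=100), now + d(days=200))),
        ("web-renew", build_test_certificate(now - d(days=350), now + d(days=10))),
        ("legacy-long", build_test_certificate(now - d(days=400), now + d(days=330))),
        ("expired", build_test_certificate(now - d(days=800), now - d(days=5))),
    ]
    return audit_inventory(inventory, now)


if __name__ == "__main__":
    for name, issues in demo().items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

In practice the inventory would come from certificates harvested off load balancers, hosts and key stores, and the output would feed a ticketing or renewal pipeline; the point of the pure-stdlib parser is that an expiry audit needs no vendor tooling and can run wherever the certificates already are.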

Furthermore, the transformations of the near future will require a kind of agility that manual certificate management might forbid. Quantum computing, for example, poses benefits as well as threats, the gravest of them being quantum’s ability to defeat most modern-day encryption. In order to defend against those threats, organisations need to be able to quickly identify and change certificates that can’t protect against quantum threats and swap in quantum-safe algorithms that can. That kind of crypto-agility will be a troublesome task for anyone who is stuck manually managing their certs when quantum computing arrives.

The problems that enterprises currently face, as well as ones that are on the horizon, boil down to a central problem: manual certificate management. It seems obvious that managing tens of thousands of certificates, each of which upholds a key part of an individual network’s security, might be a stressful, time-consuming and hazardous job.

But this problem isn’t going unnoticed. In fact, 91 percent of respondents are moving toward automating certificate management. This will allow them to request, provision, renew, and revoke their certificates automatically. All the while, it can mitigate the risk of potentially catastrophic outages and enable the kind of scalability that future digital transformations will require. Given that, 70 percent say that they expect to implement some kind of PKI automation in the next 12 months and 25 percent have already started that process.

It’s a welcome change too. Manual certificate management is a herculean task and it doesn’t need to be. By automating the certificate lifecycle, organisations can relieve themselves of this burdensome task and prepare themselves for future digital transformations.


Brian Trzupek

Brian Trzupek is SVP of Product at DigiCert. A crypto and security tech by day and night, Brian brings nearly two decades of expertise on many security subjects to the team. He’s constantly innovating use cases for enterprise PKI, which are facilitated by the industry-leading DigiCert PKI Platform.