Now is the right time to automate certificate management
January 13, 2022
Featured article by Avesta Hojjati, Head of R&D at DigiCert
Automation is transforming certificate management for the better. Those who embrace the change and incorporate certificate automation into their everyday workflows enjoy the benefits of expediting the pace of production. Certificate automation has never been more important than it is today and operationalizing it is becoming the difference between companies who maintain the status quo and companies that want to stay a step ahead.
As automation increasingly saturates digital business, it is becoming imperative for companies and technology divisions who want to remain competitive in the marketplace. Converting manual processes has several advantages:
1. Streamlining productivity
Manual and repetitive tasks are an enormous source of wasted productivity in the digital world. A survey done by McKinsey & Company found that in nearly 60% of jobs, one-third of tasks that individuals are responsible for could be automated. However, it should be noted that rarely does one person on the IT or security team have time to only manage certificates and nothing else. Through automation, they can focus on the most important certificate tasks, including auditing to make sure policies and best practices are followed. This, in turn, helps them free up time for all the other important tasks on their plate, leading to less human error, more job satisfaction, and more productivity.
2. Managing the certificate lifecycle
Today’s publicly trusted certificates have lifespans that only last for an average of one year, and the cost of operating with an expired certificate is climbing. Privately trusted certificates may last longer but may also lurk in areas with less visibility, so that an expiration may shut down access to network resources or a huge volume of connected devices used by employees or customers. Companies often maintain hundreds, if not tens of thousands, or even millions of separate certificates that each expire on a different day, creating a challenge that simply cannot be adequately addressed using an Excel spreadsheet and Outlook reminders.
Such a tedious task simply must be automated, especially given the high price of expiration, which leaves little room for error. Nonrenewal can result in data breaches that reach into the millions of dollars, and the money will continue to hemorrhage until the company is made aware of the breach and repairs it. Automation is a low-cost, high-return mechanism that companies can use to mitigate such a risk.
3. Risk management
Even more damaging than the financial risks related to certificate expiration are the omnipresent incoming security risks that come from bad actors. Hackers have the same, if not more advanced, technologies at their fingertips and the threat that they pose is increasing exponentially, even for the largest and most heavily protected companies.
The threat is only compounded by the advent of quantum computing, which is accelerating faster than was once thought possible. Networks where the certificates are not crypto-agile are going to be at risk due to quantum computers. At this time, Google and IBM are leading the charge to quantum superiority.
With a process as transformative as automation has been in the world of certificate management, many people’s first instinct is to take full advantage and automate everything in their purview, with the understanding that it will optimize their workflow and create fast and perfect results.
To be clear, that is the wrong way to automate.
Perhaps even more important than automation itself are the thoughtful decisions behind it about what should be automated and what should be left to the sound judgment of people, who can make determinations while understanding subtleties.
Hallmarks of a task that should be automated
Consider automating tasks that are tedious, recurring, and time-consuming. Tasks that bear such hallmarks are often also the ones that incur human error because people simply do not need to apply the practical thinking that comes with tasks that vary and require judgment.
Periodic or time-sensitive tasks are also categories that can be automated with ease and doing so will prevent them from slipping through the cracks.
In the process-driven world of certificate management, tasks that fit the criteria are plentiful and exist throughout the certificate lifecycle, beginning with a certificate request. By automating each, companies and IT divisions can focus on other tasks at hand.
Risk reports should also be automated, and proper notification can send alerts when vulnerabilities and issues are detected that need to be addressed by the digital team. For instance, this could mean that when there are expired certificates, a person knows that they need to go ahead and replace them. Similarly, automation can revoke certificates that show problems that make them unusable, limiting risk by not having to wait for the judgment of a human. For instance, anomaly detection such as the issuance of rogue certificates could be quickly tracked, and notifications could then be sent to the right person.
Code signing also falls into the automation category. With API integration, companies are able to do code signing and sign their releases in a CI/CD environment. Security teams can better manage keys offline and put signing at the fingertips of developers and within their standard workflows, helping ensure signing of every engineering process is standardized.
What should not be automated
It bears repeating that not everything should be automated. A good rule of thumb is that if a decision needs to be made during the completion of a task, leave it to a person.
Customer service is at the top of that list. Nothing is more frustrating to customers than being managed by a machine, especially after they are already likely having an issue that they came to deal with in the first place. Nothing can—or should—replace the thoughtfulness of a person.
Also on that list are tasks on either side of the spectrum of importance. Low-volume processes that have minimal impact on a company are simply not worth the resources that they would need to be allocated in order to automate them. On the other hand, processes that are mission-critical and of high importance should also be overseen by a person, because errors on that level, no matter how small, are always problematic.
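The split described above between automated risk reporting and human oversight can be sketched as follows. This is an added example, not code from the article or from DigiCert; the record fields, the 30-day renewal window, the issuer allow-list and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values (not from the article).
RENEW_WINDOW = timedelta(days=30)
APPROVED_ISSUERS = {"Example Internal CA", "Example Public CA"}  # hypothetical names

@dataclass
class Cert:
    common_name: str
    issuer: str
    not_after: date
    mission_critical: bool = False

def triage(cert, today):
    """Return (action, needs_human) for one inventory record."""
    if cert.issuer not in APPROVED_ISSUERS:
        # Possible rogue issuance: notify the right person, do not act alone.
        return ("alert-unapproved-issuer", True)
    if cert.not_after < today:
        # Already expired: a person must know to replace it.
        return ("alert-expired", True)
    if cert.not_after - today <= RENEW_WINDOW:
        # Routine renewals run unattended; mission-critical ones get oversight.
        return ("renew", cert.mission_critical)
    return ("none", False)

def risk_report(inventory, today):
    """Rows that need action, soonest expiry first."""
    rows = []
    for cert in inventory:
        action, needs_human = triage(cert, today)
        if action != "none":
            rows.append((cert.not_after, cert.common_name, action, needs_human))
    return sorted(rows)

# Constructed sample inventory; all names and dates are invented.
TODAY = date(2022, 1, 13)
INVENTORY = [
    Cert("www.example.com", "Example Public CA", date(2022, 2, 1)),
    Cert("pay.example.com", "Example Public CA", date(2022, 1, 20), mission_critical=True),
    Cert("old.example.com", "Example Internal CA", date(2021, 12, 31)),
    Cert("vpn.example.com", "Unknown CA", date(2023, 1, 1)),
    Cert("wiki.example.com", "Example Internal CA", date(2022, 9, 1)),
]

if __name__ == "__main__":
    for not_after, name, action, needs_human in risk_report(INVENTORY, TODAY):
        owner = "human review" if needs_human else "automated"
        print(f"{not_after}  {name:18} {action:24} {owner}")
```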
The sweet spot for automation is right in the middle, and companies that do the work to find it will be able to reap the benefits for years to come. Practically speaking, not only will it make day-to-day responsibilities and tasks easier, but it will also keep them one step ahead of the competition, and ready to address the next challenges that digital transformation will inevitably have in store.