Survey: The typical enterprise manages 50,000+ certificates, thousands outside IT’s control

Featured article by Avesta Hojjati, Head of R&D at DigiCert

Manually managing public key infrastructure (PKI) certificates can feel as stressful as hosting an annual holiday party – especially if the guest list grows exponentially each year. Instead of making sure holiday guests have been welcomed, shown the snacks and introduced to other guests, IT managers are issuing new digital certificates, verifying identities and handling a myriad other management tasks.

PKI uses software and hardware in combination with other services to protect the authenticity and integrity of online communications and business transactions, providing trusted connections and encrypted communications on networks. The most common ones are user and server certificates. Other common types are for web servers, mobile devices, digital documents, IoT devices and email. These certificates are both publicly and privately trusted, depending upon the use case, with both experiencing strong growth.

How much more challenging has it become for enterprises to manage PKI certificates? DigiCert commissioned market research firm ReRez Research to find out by surveying IT managers responsible for PKI managements at 400 enterprises worldwide.

Consider these statistics from DigiCert’s 2021 report “State of PKI Automation”:

– The typical enterprise manages more than 50,000 certificates.

– The number of PKI certificates increased by 43% year-over-year.

– Almost 66% of enterprises are concerned about the time it takes to manage certificates.

One way to ease the management burden is by automating the process for certificate lifecycle management and the workflows for certificate deployment. There are a number of important reasons why PKI automation is a smart move for security-minded organizations.

Certificate expirations can be an unwelcome surprise

While the massive volume of PKI certificates means more work for IT, it also means that important certificate details inevitably slip through the cracks. DigiCert’s study found that as many as 1,200 certificates are unmanaged and IT doesn’t even know about the 47% that are “rogue” certificates. One key aspect that can slip through is the expiration date. In fact, two-thirds of enterprises have experienced outages caused by certificates expiring unexpectantly.

Keeping PKI certificates current is a matter of security. Expired certificates are such a serious problem that Forbes headlined an article about them “The Costly Slip That Can Ruin Your Company.” The article shares the story of a Fortune 500 company that had an expired PKI certificate for months and suffered because hackers were stealing company data undetected.

One of the biggest risks happens when Transport Layer Security (TLS) certificates expire. TLS certificates – a type of PKI certificate – is a cryptographic protocol that offers communications security over a computer network. Some of the biggest outages, at companies like LinkedIn, Microsoft and Google, have happened because of certificate expirations. Complicating matters is the fact that publicly trusted TLS certificates now expire after 398 days, less than half the previous 825 days. That’s better for security but makes it harder for IT to stay on top of, especially if the process involves manual spreadsheets.

“It seems strange that such huge consequences would hang upon something as mundane as renewing a certificate,” according to the Forbes article. “And yet, here we are, in a world where, among other things, a partial U.S. government shutdown led to multiple expired security certificates that took down more than 80 federal websites.”

Enterprise interest in PKI automation grows

To address the challenges of PKI certificates – including certificate overload, rogue certificates and confusion over expiration dates – enterprises are considering automation. A whopping 91% are discussing PKI automation and 70% expect to implement an automation solution within 12 months, according to the DigiCert study. This involves automating the functions of PKI certificate management, including discovering current digital certificates, enrolling client certificates, verifying identities and entering certificates into LDAP and Exchange.

The survey also revealed a correlation between enterprises that are the most serious about PKI automation and those deemed to be PKI leaders. Based on survey respondents’ answers to PKI questions, we characterized them as leaders, midrange or laggards. Laggards struggle the most with PKI certificates, even facing severe penalties for management mistakes. They are challenged by compliance and security issues, lost productivity and delays. These companies may be losing customers and revenue. And their IT teams may feel overworked as they struggle to manually manage PKI certificates.

In contrast, leaders are more committed to more efficiently managing PKI certificates. They’re twice as concerned about the time it takes to manage PKI certificates as the laggards. They’re also two or three times better at critical PKI tasks like minimizing PKI security risks, avoiding PKI downtime, managing digital certificates, minimizing rogue certificates and complying with standards. In fact, they were six times as likely to have already implemented PKI automation.

Consider PKI automation to lower certificate stress

Expired PKI certificates can have serious security consequences and limit your enterprise’s ability to become a cybersecurity leader. Take control of your certificates with a four-step plan of identifying your certificates, remediating as necessary, protecting the integrity of the certificates and monitoring the entire process.

Any PKI automation solution should include workflow automation to identity unmanaged or manual certificates, monitor certificates and centralize and manage certificate workflows. This can significantly boost your chances of avoiding certificate issues – including missed expiration dates – and set you on the path to becoming a PKI leader. And that’s good reason to celebrate.