2022 must mark the end of manual management of digital certificates. Why? Public key infrastructure (PKI) and its certificates are now essential elements of the digital landscape and help secure many parts of our daily lives: websites, smartphones, payment cards, passports, email…
Yet despite its importance, PKI remains relatively unknown to the general public, and to many organizations as well. At a time when digital systems occupy an ever larger part of our lives and the number of certificates is skyrocketing, IT teams should no longer be the only ones who understand the consequences of mismanaged certificates and how to guard against them, in particular through automation.
Each user generates at least three certificates
The number of digital certificates an organization manages varies, but as a baseline each employee typically accounts for at least three certificates: laptop, phone, and user identity (often tied to email or VPN access). An organization with 10,000 employees must therefore manage at least 30,000 certificates, each of which must be tracked and renewed before it expires.
And that is before counting web server certificates, IoT devices, DevOps containers, industrial control systems and the other assets that the PKI secures. Some organizations therefore issue and manage hundreds of thousands, or even millions, of certificates.
This growth has made certificate management a major challenge for IT teams, because each certificate has a limited validity period, after which it must be renewed (or revoked if it is no longer needed): since September 1, 2020, the maximum lifetime of a publicly trusted SSL/TLS certificate has been cut to 398 days, roughly one year. An oversight can have serious consequences for the organization.
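The validity window that drives all of this lives in the `validity` field of the certificate's `TBSCertificate` structure. The following Python script, added here as an illustration and not part of the original article or any vendor tool, walks a DER-encoded certificate with the standard library only, extracts `notBefore`/`notAfter`, and classifies the certificate as expired, expiring soon, or longer-lived than the 398-day limit. The sample certificates it checks are constructed in the script itself (unsigned skeletons with placeholder names and keys), so it runs offline; the 30-day warning threshold is an assumed value.

```python
"""Extract the validity window from a DER-encoded X.509 certificate and flag
expiry. Added illustration only; not a production PKI tool."""
from datetime import datetime, timedelta, timezone

# Maximum lifetime accepted by the major browser root programs for publicly
# trusted TLS certificates issued on or after 2020-09-01.
MAX_PUBLIC_TLS_DAYS = 398


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        century = 19 if yy >= 50 else 20  # RFC 5280 4.1.2.5.1 pivot, not Python's
        text = f"{century}{text}"
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) from a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, ... }
    """
    _, cert, _ = _read_tlv(der, 0)          # outer Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                         # optional explicit [0] version
        pos = nxt
    _, _, pos = _read_tlv(tbs, pos)         # serialNumber INTEGER
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name
    tag, validity, _ = _read_tlv(tbs, pos)  # validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return _parse_time(t1, nb), _parse_time(t2, na)


def assess(der, now, warn_days=30):
    """Classify a certificate at time `now`: 'expired', 'too-long', 'expiring' or 'ok'."""
    not_before, not_after = certificate_validity(der)
    if now >= not_after:
        return "expired"
    if not_after - not_before > timedelta(days=MAX_PUBLIC_TLS_DAYS):
        return "too-long"  # browsers would reject this if it were publicly trusted
    if now + timedelta(days=warn_days) >= not_after:
        return "expiring"
    return "ok"


def _der(tag, body):
    """Encode one DER TLV (lengths up to 65535 are enough for the samples)."""
    if len(body) < 0x80:
        ln = bytes([len(body)])
    elif len(body) < 0x100:
        ln = b"\x81" + bytes([len(body)])
    else:
        ln = b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body


def build_sample_cert(not_before, not_after):
    """Constructed sample: a structurally valid but unsigned X.509 skeleton."""
    def utc(dt):  # UTCTime is only valid for years 1950-2049
        return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                  # [0] version v3
        _der(0x02, b"\x01"),                                              # serialNumber 1
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        _der(0x30, b""),                                                  # issuer (placeholder)
        _der(0x30, utc(not_before) + utc(not_after)),                     # validity
        _der(0x30, b""),                                                  # subject (placeholder)
        _der(0x30, b""),                                                  # SPKI (placeholder)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # dummy sig alg + sig


def run_demo():
    """Classify two constructed certificates at several points in time."""
    utc = timezone.utc
    one_year = build_sample_cert(datetime(2024, 1, 1, tzinfo=utc), datetime(2024, 12, 31, tzinfo=utc))
    two_year = build_sample_cert(datetime(2024, 1, 1, tzinfo=utc), datetime(2026, 1, 1, tzinfo=utc))
    nb, na = certificate_validity(one_year)
    return {
        "not_before": nb.isoformat(),
        "not_after": na.isoformat(),
        "mid_term": assess(one_year, datetime(2024, 6, 1, tzinfo=utc)),
        "two_weeks_left": assess(one_year, datetime(2024, 12, 15, tzinfo=utc)),
        "after_expiry": assess(one_year, datetime(2025, 1, 1, tzinfo=utc)),
        "too_long": assess(two_year, datetime(2024, 6, 1, tzinfo=utc)),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

In practice you would feed `assess()` the DER bytes of every certificate in your inventory (from keystores, load balancers, container images and so on) and alert on anything other than `ok`; the point of the parser is that the expiry date is a fixed, machine-readable field, so there is no reason for a human to be the one remembering it.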
An outage can cost $150,000 per hour
According to a 2021 Ponemon Institute study, 71% of professionals say their organization does not know how many certificates it uses, and 74% say their company does not know which certificates are in use, where they are, or when they expire. Yet poor certificate management can cause outages and security gaps that are very difficult to repair.
In a modern network architecture, systems are constantly communicating with other systems, and it is not always easy to tell where a failure occurred. It is a bit like a string of Christmas lights: if one bulb burns out, you have to test each bulb to find the one that failed. Certificate failures work the same way: the system simply stops working, and it is up to you to determine where and how the error occurred.
Recently, these failures have attracted more publicity because they open the door to outages and cyberattacks that ultimately affect millions of users. For example, in early November 2021 an expired Microsoft certificate broke several built-in Windows 11 features, and in February 2020 an expired certificate knocked Microsoft Teams offline. According to a 2020 report from Information Technology Intelligence Consulting, 98% of enterprises put the cost of downtime above $150,000 per hour. Large companies like Microsoft can absorb such costs; others cannot.
Remember that a website outage is not the only consequence of a certificate failure. If a pizzeria's point-of-sale system stops working, it can no longer deliver. If an order is placed on an e-commerce site, a certificate failure further down the chain may prevent the package from ever reaching the delivery truck. In short, the cascading consequences of poor certificate management are numerous, and the potential damage becomes hard to quantify because it is so large.
The importance of automation
According to a McKinsey study, more than 40% of employees spend a quarter of their working week on repetitive manual tasks, and 60% believe they could save at least six hours a week by implementing process automation.
But certificate automation is not just about maximizing the efficiency of IT teams or making their day-to-day work easier. It is also about avoiding the consequences of certificate failures and protecting the reputation and bottom line of companies and organizations, and thus ensuring that a technology designed to protect the identities of devices and users does not itself become a major problem.
PKI may therefore go unrecognized, but its impact is felt by every organization and every sector. Without PKI, the Internet as we know it could not work. So in 2022, it is time to relieve IT professionals and stop worrying about PKI for good by opting for automation!