In the last six months, internet traffic has doubled as businesses shifted online to maintain operations
Almost every organisation now relies on the transfer of data to maintain business-as-usual operations alongside mission-critical functions.
In the health sector, the flow of data over the internet enables major healthcare systems to provide routine care and to run the critical medical equipment that saves lives. Yet this safe transfer of data, the lifeblood of every enterprise, is being put at risk by poor management of website security certificates, resulting in unforeseen site outages that can do immense damage to an organisation’s operational efficiency and reputation.
Where the internet once ran over plain HTTP, most of it is now secured with HTTPS. Major browser vendors played a big role in this shift by compelling websites to deploy SSL/TLS certificates, which allow data in transit between servers and clients to be encrypted and so protected from attackers. Many commercial certificate authorities (CAs), such as DigiCert and Sectigo, issue digital certificates that are accepted and trusted by browsers across the world, and there are also free ACME-based providers like Let’s Encrypt, BuyPass, and FreeSSL.
The surge of short-lived SSL/TLS certificates
In the past, commercial vendors issued certificates that were valid for relatively long periods, usually between two and five years. This was convenient to implement but less secure, because a compromised key or an outdated certificate stays trusted for years. Given the security issues with long-lived certificates, Apple’s Safari and Google’s Chrome browsers will no longer trust SSL/TLS certificates with a validity of more than 398 days (the equivalent of a one-year certificate plus the renewal grace period). ACME-based providers like Let’s Encrypt issue certificates that are valid for 90 days.
Unforeseen certificate expiry poses a huge problem for online businesses
According to a recent Ponemon Institute study, 73% of organisations have fallen victim to unexpected certificate outages, and 55% of organisations have faced four or more certificate-related outages in the past two years alone. When an SSL/TLS certificate bound to a business domain expires, browsers flag the website as unsafe for visitors to share their personal data. Once a certificate’s validity period has ended, browsers no longer accept it as proof of the site’s identity, which undermines the encryption and authentication that form the pillars of internet security.
The greatest impact organisations face from such unforeseen certificate expirations is the loss of brand credibility among their prospective clientele. The red security warnings thrown by indisputably authoritative browser companies such as Google and Apple overshadow the reputation a business has built, driving visitors to alternative websites and eventually causing web traffic to plummet. There have been major incidents in the recent past where certificate renewals were missed and businesses went down, such as the LinkedIn SSL certificate lapse and the Microsoft Teams outage.
One common reason organisations overlook certificates is the lack of automation. The challenge is minimal for small and medium-sized businesses (SMBs) that deploy at most a handful of certificates to carry out their business operations. Large enterprises, on the other hand, face a different scenario, with a much larger IT infrastructure of sprawling networks and myriad connected devices. It is at this scale that central monitoring and automation become crucial. Enterprises essentially need to identify gaps in visibility, then create and streamline a certificate management workflow that aligns with their requirements and resource availability.
Maintaining an inventory of certificates, running validity checks, notifying certificate owners in time for renewal and deployment, and periodically scanning for vulnerabilities are the building blocks of better management of these critical digital assets and of uninterrupted service to customers.
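The building blocks just listed, together with the 398-day browser cap mentioned earlier, can be reduced to a small inventory check. The Go program below is an added example written for this page; it is not ManageEngine’s code or product. It parses a PEM bundle of certificates, computes each one’s total lifetime and days remaining, flags lifetimes beyond 398 days, and assigns a renewal status using a renewal window that is an assumed policy (30 days ahead for 90-day certificates, 60 days for longer ones). The hostnames and the three self-signed certificates are constructed sample data, standing in for certificates a real CA would have issued.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Status values the inventory check assigns to each certificate.
const (
	StatusExpired  = "EXPIRED"
	StatusRenewNow = "RENEW_NOW"
	StatusOK       = "OK"
)

// MaxBrowserValidity is the 398-day lifetime cap the article attributes to Safari and Chrome.
const MaxBrowserValidity = 398 * 24 * time.Hour

// Finding is one row of the inventory report.
type Finding struct {
	Subject           string
	ValidityDays      int // total lifetime of the certificate
	DaysLeft          int // negative once expired
	Status            string
	ExceedsBrowserCap bool // lifetime longer than 398 days
}

// renewalWindow is an assumed alerting policy: 30 days ahead for 90-day
// (ACME-style) certificates, 60 days ahead for anything longer.
func renewalWindow(validity time.Duration) time.Duration {
	if validity <= 90*24*time.Hour {
		return 30 * 24 * time.Hour
	}
	return 60 * 24 * time.Hour
}

// Assess classifies a parsed certificate as of the reference time now.
func Assess(cert *x509.Certificate, now time.Time) Finding {
	validity := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	f := Finding{
		Subject:           cert.Subject.CommonName,
		ValidityDays:      int(validity.Hours() / 24),
		DaysLeft:          int(remaining.Hours() / 24),
		ExceedsBrowserCap: validity > MaxBrowserValidity,
	}
	switch {
	case remaining <= 0:
		f.Status = StatusExpired
	case remaining <= renewalWindow(validity):
		f.Status = StatusRenewNow
	default:
		f.Status = StatusOK
	}
	return f
}

// AssessPEM walks every CERTIFICATE block in a PEM bundle (the usual shape of
// an exported inventory) and returns one Finding per certificate.
func AssessPEM(bundle []byte, now time.Time) ([]Finding, error) {
	var findings []Finding
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		findings = append(findings, Assess(cert, now))
	}
	return findings, nil
}

// SelfSignedPEM mints a self-signed certificate as constructed test data only.
func SelfSignedPEM(cn string, notBefore time.Time, validity time.Duration) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is a constructed inventory: a 90-day cert ten days from expiry,
// a two-year cert that breaks the browser cap, and a 90-day cert expired ten days ago.
func SampleBundle(now time.Time) []byte {
	day := 24 * time.Hour
	var b []byte
	b = append(b, SelfSignedPEM("shop.example", now.Add(-80*day), 90*day)...)
	b = append(b, SelfSignedPEM("legacy.example", now.Add(-400*day), 730*day)...)
	b = append(b, SelfSignedPEM("old.example", now.Add(-100*day), 90*day)...)
	return b
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	findings, err := AssessPEM(SampleBundle(now), now)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s lifetime=%4dd left=%5dd %-9s exceeds398=%v\n",
			f.Subject, f.ValidityDays, f.DaysLeft, f.Status, f.ExceedsBrowserCap)
	}
}
```

In a real deployment the bundle would come from the certificate inventory (exported key stores, load balancer configs, or a scan of listening TLS endpoints), the RENEW_NOW findings would be routed to the certificate owners, and the ExceedsBrowserCap flag would catch long-lived certificates that browsers will reject before they ever cause an outage.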
Not just for public facing web apps
There’s no doubt that managing the lifecycle of SSL/TLS certificates is of paramount importance to ensure business uptime for industries like ecommerce and other publicly hosted web applications. However, the scope of SSL/TLS certificates extends far beyond online businesses. The severity of outages caused by expired certificates is critical in industries like healthcare, where lives are at stake if equipment fails. Imagine a certificate expiring on a system that provides instructions to a ventilator, a cloud service going down while patient data is being fetched to determine the next course of treatment, or a critical system such as an imaging service failing during surgery. The proliferation of certificate usage and the shorter validity periods only reiterate the need to treat certificate management as a ‘must-do’ now, rather than the ‘good to have’ it would have been in the past.
Another area where certificate management is gaining traction is DevOps. Interest in code signing certificates in DevOps has been driven by recent tampering with the updates of popular software products. Software vendors are forced to implement much stricter security measures to ensure that the software they distribute is not infected with malicious code. Generating unique keys and certificates for each software package, storing these digital assets securely, and managing the validity of the certificates are all important to ensure that each product or package is secure and tamper-proof. Reusing the same keys and certificates across multiple products or packages is best avoided, to reduce the attack surface.
Given the ever-growing digital dependency and the need to keep web communications secure, enterprises in almost every sector must pay the closest attention to effective management of SSL/TLS certificates. With relatively short validity periods now standard, it is all the more overwhelming for businesses to manually monitor certificate usage and lifecycles: maintaining a central inventory of certificates, streamlining validity checks, alerting certificate owners in time for renewal and deployment, running periodic scans to detect and remediate weaknesses in SSL/TLS configuration, and so on. Automating certificate management is the need of the hour for any business keen on strengthening its online brand reputation and credibility; without it, a business risks losing the trust of the major browsers and, in the worst case, suffering data breaches. Without automation to take care of certificate management, any organisation could quickly discover that it is no longer trusted by the major browsers or its business partners, or that it is unable to share or use its data, even in its most critical systems.
About the Author
Vasudevan Seshadri is Product Manager at ManageEngine. ManageEngine crafts the industry’s broadest suite of IT management software. We have everything you need—more than 90 products and free tools—to manage all of your IT operations, from networks and servers to applications, service desk, Active Directory, security, desktops, and mobile devices.