Here are 5 reasons to stop.
By Ryan Sanders, Product Manager, Keyfactor
The proliferation of devices and applications like IoT, DevOps, and cloud has dramatically increased the number of digital certificates in any given organization. Most of the applications and systems we rely on today use digital certificates to authenticate and secure connections, which makes the task of managing certificate requests, issuance, and renewal much more challenging.
For years, InfoSec teams have relied on basic tools like Excel spreadsheets to track and log certificates, but today’s certificate volumes, combined with its certain rise as more devices are added to the network, make spreadsheets an archaic and error-prone system. From a security perspective, consider that even just one missed device or server certificate can shut down your entire network or worse – lead to a potential breach.
InfoSec teams have options when it comes to certificate management tools. Most of those options have the ability to discover and automate the lifecycle of X.509 certificates, yet many teams still use spreadsheet-based tracking and manual processes. While well-meaning, the combination of complex ecosystems and manual processes almost always lead to undocumented installations and risk exposure.
Like any IT security initiative, the best place to start is with an updated system audit to help you assess where your tools and processes rank in terms of efficacy and security. Regardless of the program, you’ve got in place Gartner suggests program managers conduct a periodic evaluation of certificate usages, volume and expected use-case expansion. Inevitably more use cases mean more risk – security and risk managers should consider a certificate management solution over spreadsheet-based methods.
Still, think spreadsheets are the right tool for your organization? Here are five reasons to reconsider spreadsheets as your primary certificate management tool:
By 2022, organizations that leverage X.509 certificate management tools will suffer 90% fewer certificate-related issues and will spend half the time managing these issues, compared with organizations that use spreadsheet-based management methods. ~ Gartner
Gartner cited a certificate management tool vendor who recently pointed out that when it observes clients executing on a discovery process, clients typically see five to 10 times more certificates in their environment than expected.
Reason #1: Spreadsheets don’t scale
Spreadsheets can’t natively scale alongside your Public Key Infrastructure (PKI) program and its growing number of digital certificates. The manual effort required to maintain spreadsheets never decreases, especially as new certificates are regularly deployed on the network. Growing certificate counts and shorter validity periods make spreadsheet-based tracking infeasible for most organizations today.
Reason #2: Spreadsheets aren’t audit-ready
To prove compliance, you need to be able to demonstrate that you have complete visibility to all digital certificates, detailed information about the algorithms they use, where they were issued from, where they’re installed, who owns them and what applications rely on them. It’s next to impossible to capture that level of detail and updates with a manual spreadsheet.
Reason #3: Spreadsheets lack automation
Many organizations underestimate the care and feeding required to continuously manage their certificates. The issuance process alone typically takes three to six hours which includes generating a key pair on a server, exporting the public key, ensuring certificate authority certification (thereby converting it into X.509 certificate format), installing it, verifying that it’s active and finally returning the server to live operation. That doesn’t account for time spent continually tracking down assets with certificates, general maintenance, and updates.
Reason #4: Spreadsheets create visibility gaps
It’s not the certificates you track that will cause your next outage – it’s the one’s you haven’t yet discovered. Spreadsheets only allow you to account for and track the certificates you know about. The reality is that most organizations don’t actually know how many keys and certificates they have. Known certificates account for a small percentage of an organization’s overall inventory. As a result, unknown or rogue
certificates create significant exposure to unexpected outages and downtime.
Reason #5: Spreadsheets are a time-suck
Organizations that have roughly 100 or more X.509 certificates and use manual processes typically need a full-time, dedicated resource to manage certificates within their business. In most organizations, responsibility is juggled between several team members. This isn’t only a time-suck, it’s a budget drain, too – the reality is that IT and security resources are already spread thin. InfoSec teams juggle multiple responsibilities at any given time, which creates more room for error and oversight when it comes to certificate management.
If you’re starting to reconsider the way you manage your digital certificates, consider these criteria:
- Scale – do you have more than 100 digital certificates?
- Complexity – do you use multiple certificate authorities (CAs), network devices and cloud platforms?
- Resources – does your staff spend too much time on certificate-related tasks rather than IT priorities?
- Outages – have you experienced certificate-related outages over the last two years?
If you answered yes to any one of these criteria, you may want to consider certificate lifecycle automation to lessen the burden on your in-house team. An automated platform not only streamlines your certificate management process, but it also monitors and reports on certificate status for compliance, saves time, and mitigates security risks posed by manual processes. And with the number of choices available, onboarding an automated platform is a lot easier than managing your digital certificate spreadsheets.
About the Author
Ryan Sanders is a Toronto-based product lead with Keyfactor, a leader in providing secure digital identity solutions for the Global 2000 Enterprises. Ryan has a passion for cybersecurity and actively analyzes the latest in compliance mandates, market trends, and industry best practices related to public key infrastructure (PKI) and digital certificates. For more information visit: www.keyfactor.com or follow @Keyfactor on Twitter and LinkedIn.