Managing X.509 certificates by spreadsheet too risky, says Gartner

Poor management of the X.509 certificates that underpin SSL security could explain a growing number of mysterious system outages, a Gartner report has suggested.

The biggest problem is simply the number of certificates that many businesses find themselves using for e-commerce and machine-to-machine communication, which, according to Gartner, many still manage using manual spreadsheets.

In X.509 Certificate Management: Avoiding Downtime and Brand Damage, Gartner reckons that organisations managing as few as 200 certificates manually will need one full-time member of staff to cope with the workload of basic provisioning and renewal.

As this rises to thousands of certificates in large organisations, a certification management system becomes necessary to automate basic processes.

In Gartner’s view the effect of expired X.509 certificates on service failures is probably now being underestimated.

“Many organisations that have an unplanned certificate expiry typically focus on other systemic causes, such as hardware or software issues, long before they begin to consider an expired X.509 certificate as the source of troubles,” the authors believed.

As well as unexpected X.509 expiry, the report also notes that a number of certificate authorities have been compromised by hackers in the last year, which puts further pressure on companies using such certificates to react quickly in the event of a breach.

Branded authorities suffering problems have included Comodo, DigiNotar, RSA and GlobalSign, largely at the hands of the Iranian hacker ‘Comodohacker’, who single-handedly embarrassed a previously rock-solid certificate industry worth billions.

“This is what happens with organic growth. X.509 are implemented silo by silo,” said Jeff Hudson, CEO of Venafi, one of the three companies (with Trustwave and VeriSign) that Gartner mentions as selling automated management systems.

According to Hudson, the sheer scale of the X.509 infrastructure companies are now managing has crept up on them over time. Organisations should develop business continuity plans for this in the light not only of its scale but of its recent insecurity.

“It is totally manageable. These are machines talking to machines. It can be automated,” he said.

Gartner recommends that organisations automate provisioning and renewal, introducing some form of validation using certificate revocation lists (CRLs) to ensure their security. Certificates should be carefully audited to ensure that they have been installed or removed correctly.
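The expiry audit Gartner recommends, as an added example (written for this page, not code from Gartner, Venafi or any other vendor named above): a small Go routine that walks a PEM inventory and classifies each certificate as expired, expiring inside a warning window, or ok, so that nothing has to be tracked by hand in a spreadsheet. SelfSignedPEM and the hostnames it is given are constructed stand-ins for certificates exported from real systems, and the 30-day warning window in the test is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one audit row; State is "expired", "expiring" or "ok".
type Finding struct {
	Subject, State string
	NotAfter       time.Time
	DaysLeft       int
}

// AuditPEM classifies every CERTIFICATE block in a PEM inventory against now. Key or
// CSR blocks are skipped; a certificate that does not parse is an error, i.e. a finding too.
func AuditPEM(bundle []byte, now time.Time, warnDays int) ([]Finding, error) {
	var out []Finding
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return out, fmt.Errorf("inventory entry does not parse: %w", err)
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24) // truncates toward zero
		state := "ok"
		if !now.Before(cert.NotAfter) {
			state = "expired"
		} else if days < warnDays {
			state = "expiring"
		}
		out = append(out, Finding{cert.Subject.CommonName, state, cert.NotAfter, days})
	}
	return out, nil
}

// SelfSignedPEM makes a constructed self-signed certificate to populate the sample inventory.
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

A renewal pipeline would feed AuditPEM the exported certificate bundle from each host on a schedule and open a ticket for every "expiring" row well before the outage window Gartner describes; an "expired" row that was not first seen as "expiring" is the inventory gap itself.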
