Digital Trust 09-20-2022

Measuring Success with Digital Trust

Diana Jovin

Digital trust is what enables us to build, participate in and grow the connected world that we now live in. It allows us all to have confidence that the things we are doing online — whether interactions, transactions or business processes — are secure.

In Digital Trust as an IT Imperative, we talked about the four building blocks of digital trust:

  • Industry and technology standards that define what constitutes trust
  • Compliance and operations that govern delivery of trust, with a foundation in PKI
  • Software that provides management of public/and or private trust within an organization, with centralized visibility and control over digital certificate lifecycles
  • Extension of trust through ecosystems, such as across device lifecycles, software supply chains, consortiums and more

But what constitutes digital trust success? And how do you measure it?

Within IT departments, there can be multiple stewards of digital trust, among them:  PKI administrators, identity and access managers, and information/product security architects. Each of these IT departments has metrics that measures success — or a path to success — of digital trust initiatives. And some of these metrics make it to the boardroom, underscoring the importance of digital trust to business objectives.

These metrics may fall in four core areas:

1. Outages

What is being measured: Outages caused by unintended certificate expiration are highly visible, particularly if they occur in mission-critical systems. Outages can have multiple causes. They can occur due to oversight, particularly if certificates are tracked manually. They can be caused by human error, due to incorrectly configured certificates. Or they can be caused by rogue activity, that is, ungoverned certificates purchased outside of the purview of IT management.

Metrics can include:

  • the number of outages due to unintended certificate expiry (for many, this target number is zero), 
  • the financial impact of the outage, and/or
  • time to resolution if such an outage occurs.

Who is measuring it: Outages affect multiple groups, but are meaningful to IT operations, site reliability engineering, and application engineering.

How to address: Methods to reduce the number of or potential for outages can include centralizing certificate management and automating certificate renewal.

2. Adoption/usability/security

What is being measured: Adoption is also a key metric. Are users installing certificates where they are needed? Are they calling tech support for configuration help? Are certificate issues keeping employees from being productive on onboarding or creating security gaps between employee departure and system access revocation?

Metrics can include:

  • Adoption rate
  • Tech support load
  • Time to provision/revoke

Who is measuring it: These kinds of considerations are important to identity and access managers responsible for system access and provisioning of services such as VPN, wireless or email security. They may also be important metrics for centralized IT operations serving the needs of IT departments in other business units or subsidiaries.

How to address: IT professionals view automation as a key strategy for addressing adoption, usability and security concerns. Automation can make credential provisioning and management invisible to the end-user and seamless with onboarding and offboarding, improving adoption rates, reducing tech support load and eliminating provisioning gaps.

  Adoption  Usability  Time to provision/revoke 
Before automation  Low  High tech support load, errors  Delays 
After automation  100%  Invisible to the user  Immediate 

 

3. Agility/vulnerability

What is being measured:  IT professionals tasked with vulnerability management may be concerned about crypto-agility — the ability to respond to threats or to prepare for changes in compliance or cryptographic standards. These professionals require a comprehensive view of cryptographic assets and their associated vulnerabilities or cryptographic profiles.

Metrics can include:

  • A cryptographic asset inventory
  • Algorithm profiles
  • Keys and certificate profiles and status

Who is measuring it:  Security operations, IT operations and information security professionals who need to respond quickly to threats can benefit from a centralized cryptographic asset inventory delivering visibility and control over their environment.

How to address: Discovery tools that inspect and inventory the cryptographic assets in a company’s environment can provide a centralized repository. Vulnerability assessment tools provide security ratings and identify out-of-date algorithms to prioritize remediation. Automation tools can help speed desired remediation or streamline response to compliance changes.

4. Risk/compliance

What is being measured: IT professionals concerned with risk may be concerned about compliance, privileged access, attack surfaces, threat intelligence and trust indicators.

Metrics can be defined as key risk indicators that track risk posture and tolerances in one or more of these areas.

Who is measuring it: IT departments focused on systems, application or network engineering; security operations; IT operations.

How to address: Tools governing authentication, privileged access, network inventories and monitoring can support the objectives of these teams. Strategies to prevent rogue certificate purchases can also play a role. Certification Authority Authorization (CAA) domain locking can prevent purchase of rogue certificates, which can play a role in man-in-the-middle attacks.

CT log monitoring can be an effective means of monitoring for the presence of rogue certificates in corporate networks.

Digital trust and the boardroom

Some IT professionals note that they are most successful when digital trust metrics are kept out of the board room — meaning there are no outages caused by unintended certificate expiration, credential provisioning is automated, Key Risk Indicators are within stated tolerances, and cryptographic vulnerabilities are addressed in a timely way. However, to achieve this objective, strategies that reduce outages, improve adoption, streamline operations, maintain compliance and reduce risk are paramount. Executive leaders may wish to review metrics that show progress towards these goals.

Bringing in a partner who is an expert in digital trust, such as DigiCert, can be a highly effective way to manage digital trust objectives. In addition to its robust digital trust portfolio and active engagement in standards bodies, DigiCert’s support provides companies with someone to lean on for emergency resolution, minimizing downtime and keeping metrics on track for success.

Ask DigiCert

Want to learn more about DigiCert’s platform for digital trust? Email us at pki_info@digicert.com for more information or to set up a sales consultation.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min