In a recent survey DigiCert found that about two-thirds of enterprises are concerned about how much time they spend managing certificates and about half said that they frequently discover rogue certificates. Combined with the growing volume of certificates that the average organization manages (50,000) and shrinking lifetimes for publicly trusted certificates, this could spell disaster if enterprises don’t get control of their certificates soon. One in four of the companies we surveyed experienced PKI-related outages in the previous six months.
As we’ve consistently observed, now is the time to start planning for automation and luckily, 91% of respondents said they are at least discussing PKI automation and 70% plan to implement automation within the next 12 months. The main reasons organizations say they are considering PKI automation are to improve security, compliance, agility, productivity and to reduce downtime and costs.
At the same time, we recognize that PKI automation will not happen overnight. Furthermore, the trend towards automation does not mean you must automate everything at once. Just like a marathon, it’s about training for the long run. Most people don’t wake up ready to run a marathon, but you can start by walking, running a mile and eventually working up to running the full marathon. Similarly, in PKI automation, focus on areas that are a priority to automate until you feel comfortable fully adopting automation in the long term.
We also recognize that there are some challenges in getting started with automation. Respondents reported concerns about the cost associated with PKI automation and the lack of staff expertise in PKI automation, as well as a resistance to change from both IT staff and management. Additionally, PKI automation needs to be done correctly to avoid compliance issues.
Although there may be initial pushback, in the long run PKI automation can minimize risks, reduce downtime and delays, and save time. Two-thirds of the enterprises we surveyed are concerned about how much time they spend managing certificates, and many of them lack visibility. We recommend building a plan to adopt PKI automation within the next six to 12 months to avoid these issues.
To help modern enterprises start the process of PKI automation, we recommend a few steps to start to automate and manage a certificate infrastructure.
For certificate management, that means identifying the current certificate landscape and creating an inventory, remediating any keys and certificates that are not compliant, protecting certificates with best practices and continuously monitoring.
Additionally, the certificate workflow can be automated by identifying any unmanaged or manual processes, adopting automation software and monitoring with centralized control.
The first step is to create an inventory of your organization’s current certificate landscape. According to our survey, the average enterprise manages over 50,000 public and private PKI certificates, and larger organizations may have even more. Additionally, 37% of enterprises have more than three departments managing certificates, which makes it difficult to gain full visibility.
Start by identifying the full scale of your certificate inventory, and consider every area where you may have certificates, including the following:
Next, remediate any keys and certificates that are not compliant with corporate policy. Nearly half of the enterprises we surveyed reported that they frequently discover rogue certificates, or certificates that were implemented without IT’s knowledge. It is important to ensure that all certificates are compliant to reduce costly outages, security issues and downtime.
We found that PKI leaders that are doing the best at PKI management are 40% more concerned about rogue certificates and are experiencing fewer compliance issues, delays, reduced productivity and lost revenue. These PKI leaders also say that PKI automation is important to the organization’s future and are taking the steps necessary to start automating.
After creating a certificate inventory and remediating any noncompliant keys and certificates, you should implement best practices to protect your certificate inventory. This includes implementing a standardized, automated process for enrollment, issuance and renewal. Often, customers will integrate this with existing change management processes via ITMS systems. We suggest what certificate management tasks you should automate in a previous blog.
Finally, once your certificate automation infrastructure is in place, you should continually monitor to maintain it. That way, if there are any unexpected changes, your team can respond quickly and efficiently.
Similarly, your first step to automating certificate workflows is to identify any unmanaged or manual certificate workflows. The typical enterprise has up to 1,2000 certificates that go unmanaged.
Next, adopt automation with software that centralizes and manages certificate workflows. This can reduce costs and save time because instead of three or more departments managing certificates separately, certificate management is centralized.
Again, the final step is to monitor for changes continuously. We recommend using a platform with centralized visibility and control. The DigiCert ONE™ platform offers tailored solutions to fit PKI management workflows. For example, DigiCert CertCentral® for TLS/SSL certificate management has discovery and automation tools to help managers gain and maintain control over their certificate inventory.
91% of companies are looking to implement an automation solution within the next 12 months, so make this the year you identify ways to use automation in your PKI management. Automating your entire PKI inventory won’t happen overnight, but you should start planning now because automation in PKI is becoming more and more necessary. Using automation throughout your PKI infrastructure can help to simplify certificate management and make you more agile against future threats. If your company is planning to utilize PKI automation, DigiCert automation solutions are built to be simple to implement and manage. Visit https://www.digicert.com/solutions/security-solutions-for-automation to learn about DigiCert’s automation solutions.
The survey was conducted by ReRez Research of IT professionals within 400 enterprise organizations of 1,000 or more employees in North America, EMEA, Asia Pacific and Latin America. To get the full report, visit https://www.digicert.com/campaigns/pki-automation.
The digital world is turning into a sprawling mesh of connection points. Learn more about how to unify and simplify your expanding security environment in our new webinar. Register now.