“Achieving full maturity within the model leads to a fully automated, centralized approach to replacing expiring certificates and depreciation management. CISOs working toward maturity are looking at how they can dovetail quantum-resistant certificates in the interim,” says Chris Hickman, Chief Security Officer, Keyfactor.
ITSWBureau: What are your views regarding the current practices of certification management?
Chris Hickman: We developed the maturity model to help customers identify where they are at in terms of certificate management and how to scale the program to a point where it covers a broader landscape within the organization. By and large, the current state is relatively immature.
The reality is that most businesses have not extended certificate management that thoroughly covers the organization and all its digital identities. Regardless of where an organization falls on the maturity scale today, there is a strong desire to advance maturity to a point where the program can encompass many cryptographic keys and digital certificates.
That level of maturity means that teams can embrace and implement automation to simplify digital certificate challenges. A recent survey found that most organizations have an average of 88,750 cryptographic keys and digital certificates in use today. Yet, most are only managing a few hundred of those – if that.
Visibility remains a challenge for most. Without visibility and an understanding of how many certificates and keys live within the organization, it is impossible to adopt automation as a tool to help manage them.
ITSWBureau: In your opinion, what practices should enterprises adopt to mitigate the risks associated with digital certificates?
Chris Hickman: It comes down to having a strategy that helps teams look at certificate management as an imperative and strategic enterprise initiative rather than an administrative task solely of the public key infrastructure (PKI).
The first step is recognizing the reach that certificates have within the organization and layering them from a top-down perspective to help establish and implement common policies and practices.
That effort goes a long way in ensuring holistic digital certificate management within the business, versus looking through a narrow lens at singular assets like web server certificates or keys.
The top-down approach also helps teams map to business needs and impact, helping to reduce risks associated with things like failed audits, security breaches, and service outages.
ITSWBureau: In light of the current shrinking lifespan of digital certification, quantum certification is emerging as a favorable choice among CISOs. What do you think the future holds for certification management with the emergence of quantum certification?
Chris Hickman: Shortening the lifespan of digital certificates challenges an organization’s ability to manage things like uptime and where certificates are actively used today. Ultimately, web servers are the target when it comes to lifespan reduction, and the pivot means the problem teams already face in managing certificates just got twice as hard.
Interestingly, there is a tie between shrinking certificate lifespans and advancements in quantum capabilities. The lifespan reduction speaks to a similar problem: organizations struggle with understanding where certificates exist and when they need to be replaced, which introduces crypto agility as a solution.
Achieving full maturity within the model leads to a fully automated, centralized approach to replacing expiring certificates and depreciation management. CISOs working toward maturity are looking at how they can dovetail quantum-resistant certificates in the interim.
Quantum resistance is a process; quantum-resistant certificates must be compatible with today’s assets. Organizations need a simple path so that when the National Institute of Standards and Technology (NIST) approves quantum standards, teams are already positioned to pivot and adopt processes that can easily replace certificates at the push of a button.
The priority today is to move away from manual management modes. Quantum is another crypto event and the preparation organizations put in today will better prepare them for the shift to quantum readiness.
ITSWBureau: According to you, how crucial is certification lifecycle automation for an enterprise’s digital certification maturity?
Chris Hickman: Certificate lifecycle automation is critical; organizations need to have confidence that certificates can be managed in an automated way and at scale, throughout industry changes like shorter-duration certificates that could impact the organization now and in a future state.
The reason why automation appears later in the maturity model is that organizations simply cannot employ it until they have achieved full visibility. The key is to deploy automation seamlessly, without worrying about individual certificates on devices.
The result ensures teams are focused and efficient, applying their skill sets to top operational priorities rather than having their time consumed with manual certificate discovery and management.
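The two answers above turn on the same point: automation cannot replace an expiring certificate it does not know about, so discovery comes first and the renewal job consumes the inventory. The following Go program is an added illustration of that pipeline, not Keyfactor code and not part of the interview. It parses a PEM bundle, records each certificate's expiry, classifies it against a renewal window, and hands the expired and soon-to-expire subjects to a renewal queue. The bundle, hostnames (`*.example.test`), fixed clock, and the 30-day renewal window are all constructed assumptions; a real inventory would gather certificates from hosts, key stores and load balancers instead of minting its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one inventory row: subject, expiry, and whether the renewal job must act.
type CertRecord struct {
	Source, Subject string
	NotAfter        time.Time
	DaysLeft        int
	Expired         bool // already past NotAfter
	NeedsRenew      bool // still valid but inside the renewal window
}

// InventoryPEM parses every CERTIFICATE block in a PEM bundle and classifies each
// against `now` and a renewal window. A malformed certificate is reported, not
// skipped: a silent gap is exactly the blind spot an inventory exists to remove.
func InventoryPEM(source string, bundle []byte, now time.Time, renewWithinDays int) ([]CertRecord, error) {
	var records []CertRecord
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // skip keys, CSRs and other PEM types
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: unparseable certificate: %w", source, err)
		}
		daysLeft := int(cert.NotAfter.Sub(now).Hours() / 24)
		expired := !now.Before(cert.NotAfter)
		records = append(records, CertRecord{
			Source: source, Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter,
			DaysLeft: daysLeft, Expired: expired, NeedsRenew: !expired && daysLeft <= renewWithinDays,
		})
	}
	return records, nil
}

// RenewalQueue lists the subjects an automated renewal job should pick up.
func RenewalQueue(records []CertRecord) []string {
	var queue []string
	for _, r := range records {
		if r.Expired || r.NeedsRenew {
			queue = append(queue, r.Subject)
		}
	}
	return queue
}

// makeSelfSigned mints a constructed self-signed certificate for the demo only.
func makeSelfSigned(cn string, notBefore time.Time, validDays int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, validDays),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// DemoInventory builds a constructed bundle (healthy, expiring soon, expired) and runs
// it through the inventory with a 30-day window; `now` is injected for determinism.
func DemoInventory(now time.Time) ([]CertRecord, error) {
	var bundle []byte
	for _, c := range []struct {
		cn                   string
		issuedAgo, validDays int
	}{
		{"web-01.example.test", 10, 365},  // 355 days left: healthy
		{"api.example.test", 70, 90},      // 20 days left: inside the window
		{"legacy.example.test", 400, 365}, // expired 35 days ago
	} {
		p, err := makeSelfSigned(c.cn, now.AddDate(0, 0, -c.issuedAgo), c.validDays)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return InventoryPEM("constructed-bundle.pem", bundle, now, 30)
}

func main() {
	now := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC) // fixed clock for the demo
	records, err := DemoInventory(now)
	if err != nil {
		panic(err)
	}
	for _, r := range records {
		fmt.Printf("%-22s expires %s  days_left=%4d expired=%-5v renew=%v\n",
			r.Subject, r.NotAfter.Format("2006-01-02"), r.DaysLeft, r.Expired, r.NeedsRenew)
	}
	fmt.Println("renewal queue:", RenewalQueue(records))
}
```

The design choice worth noting is that a parse failure aborts the run rather than being skipped: an inventory that quietly drops what it cannot read recreates the visibility gap the interview describes. Shortening the window parameter (or the validity periods in the demo) shows how a move to shorter-lived certificates enlarges the renewal queue without any change to the logic.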
ITSWBureau: Does a lack of digital certification maturity pose serious threats to the enterprise? How would you suggest it is mitigated?
Chris Hickman: Any time an organization has any kind of security asset but lacks visibility to that asset, it is facing a number of security threats. Take the Equifax breach as one example – an expired certificate was not the cause of the breach, but that expiration left the organization blind to the breach.
Mitigation is key, and following a maturity model that assesses where the organization is today, how and where certificates exist within the organization, and the audit criteria they impact is a priority.
Leaders need to look at cryptography and key management as an enterprise initiative rather than an isolated exercise – get cross-functional buy-in to implement the program, so all digital assets are considered and included. By achieving a state where automation can be adopted, businesses can take human error out of the future state.
Chris Hickman is the chief security officer at Keyfactor, a leading provider of secure digital identity management solutions. As a member of the senior management team, Chris is responsible for establishing and maintaining Keyfactor’s leadership position as a world-class, technical organization with deep security industry expertise. He leads client success initiatives and helps integrate the voice of the customer directly into Keyfactor’s platform and capability set.