1. 2012 Risk Audit Survey Findings
Enterprise Key and Certificate Management (EKCM)
February 2012
© 2012 Venafi Proprietary and Confidential
2. 2012 EKCM Audit and Best Practices
Key Players
• Survey, analysis, potential risks and best practices developed in conjunction with Osterman Research
Michael Osterman – President and founder of Osterman Research
Osterman Research is a leading analyst firm with expertise in research and survey methodology, providing analysis, white papers and other services.
Jeff Hudson, CEO of Venafi
Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions. Venafi solutions manage digital certificates and SSH, symmetric and asymmetric keys.
3. Survey Methodology
Methodology
Venafi and Osterman Research surveyed more than 174 IT and information security professionals.
4. Survey Results
Unquantified and Unmanaged Risks
• 54% acknowledge having an inaccurate or incomplete inventory of their SSL certificate population.
• 44% admit their digital certificates are manually managed with spreadsheets and reminder notes.
5. Survey Results
Operational Risks
• 46% of respondents cannot generate a report to discover how many currently deployed SSL/digital certificates will expire during the next 30 days.
• 70% do not have a certificate management system integrated with their directory; such integration allows for automatic notification escalations in the case of non-response to notification.
6. Survey Results
Security Risks
43% of respondents do not have a centralized corporate policy mandating:
• Specific encryption-key
  – Strengths
  – Lengths
• Validity periods
• Private-key management
  – Rotation
  – Separation of duties
Lack of policies and/or the ability to enforce them creates security vulnerabilities.
7. Survey Results
Audit and Compliance Risks
• 54% do not have an automated, repeatable and on-demand way of providing a senior manager, vice president or auditor with a report of exactly how many certificates are present in the entire environment.
• 62% do not have an automated process for ensuring compliance with corporate policies.
8. Survey Results
Certificate Authority (CA) Compromise Risk
• 72% do not have an automated process to replace compromised certificates if the Certificate Authority in use is compromised.
9. Authentication and Encryption Needs Expanding
• Mobile
• Cloud
• Applications and data
Lack of knowledge is increasing.
The requirement for key management is accelerating.
10. Industry Best Practices for Remediation
1. Educate all stakeholders on the seriousness of certificate breaches and related problems.
2. Clearly articulate the role and use cases of encryption in security.
3. Define and make easily accessible clear encryption certificate and key-management policies, processes and procedures.
11. Best Practices Continued
4. Implement a central inventory and monitoring system; identify owners for each asset; ensure notifications are sent regarding impending expiration, errors and other issues.
5. Replace manual steps in the lifecycle management of certificates and keys with automation.
6. Dedicate sufficient staff to manage the implementation and maintenance of central encryption-key and certificate-management policies and technologies.
13. Risk Self Diagnosis
• Do you know where all the digital certificates are deployed on your network and who installed them?
• Do you know when they are going to expire?
• Do you separate access to public and private keys for system access?
• Do all your encryption keys and certificates conform to policy?
• How long would it take you to replace all your certificates?
If target organizations cannot answer these questions they are going to experience a breach, an outage, or will fail an audit.
14. Quantify Your Risks
• Where are all of our SSL certificates installed?
• Which Certificate Authority(ies) issued these certificates?
• How many certificates do we have?
• What algorithms are in use?
• What encryption key length is being used?
• What date will certificates expire?
• Are we in compliance?
15. Venafi Assessor™
• What is Assessor?
– Customer downloadable software
– Ready to run
– Fast and easy
– Scans to find certificates and keys
– Quantifies the certificate and key population present
– 12 reports that identify type and severity of risks
• Installation and operation
– Runs in a virtual machine
– Preconfigured, no special expertise required
– Doesn’t modify environment
– Doesn’t “phone home”
• Assessor is available on February 22
– www.venafi.com/Assessor
16. Getting Accurate Certificate Data
Three Easy Steps
1. Download and deploy Assessor
2. Enter addresses and run discovery
3. View detailed reports
17. What’s in Your Environment?
Turn Assumptions into Hard Data
– Number of manageable certificates
– Issuing certificate authorities
– Expiration dates
– Certificate validity periods
– Key lengths
– Signing algorithms
Assessor reports include industry best-practice recommendations for remediation of the issues discovered.
Ignorance of the situation surrounding a critical security mechanism must be resolved.
18. Certificate Days to Expiration
Sample Assessor-generated Report
Rapid assessment of downtime risk due to expiring certificates.
19. Certificate Validity Periods
Sample Assessor-generated Report
Administrators turn over every year.
Validity periods >1 year create significant security risk.
20. Issuing Certificate Authorities
Sample Assessor-generated Report
Unauthorized CAs create security and operational risk.
21. Encryption Key Lengths
Sample Assessor-generated Report
Weak keys open the risk of an attacker deriving the key.
NIST now stipulates a 2048-bit key length.
Editor's Notes
Mike: 2011 has been the year of third-party trust compromises – as hackers and hacktivists go after the highest value targets. This translates into five CA compromises, including Comodo and DigiNotar – great messaging opportunities, and the market is now more aware of the risk. Of course big guys like Verisign said they were too big to fail and be compromised, but look at RSA – another provider of third-party trust. Year of good coverage from the press and analyst communities. Worked cross-functionally to make this happen with many departments. Recent report from Gartner is their first in the certificate management space and first to acknowledge the risks of poorly managed certificate management. Nice that they set the threshold at 200 certs. Ready to launch a full campaign to leverage their recommendations – as a demand tool. Branding? CISO – Chief Information Security Officer. Not an MPG player and iPod.