According to a study conducted by the Ponemon Institute and Keyfactor, the average organization has over 100,000 SSL certificates, and over 50% of organizations don’t know how many certificates they have and are concerned about the increased workload and security risks that SSL mismanagement can cause. While 40% of organizations still try to manage their certificates using spreadsheets, the exponential growth of certificates has made it impossible for organizations to manually discover and manage certificates. This has forced 33% of organizations to create their own in-house certificate discovery and management tools, but the shortage of PKI experts has made this path extremely difficult. In this blog, we will go over the best way to discover and monitor SSL certificates.
Your organization may have run for years without an SSL management tool, but let’s talk about the hidden costs that has caused. 80% of organizations have reported an SSL outage in the last two years, and it is estimated that each outage costs around $300,000. That figure covers the business lost during the outage as well as the productivity lost dealing with it. Certificate-related outages are sneaky and usually take time to diagnose: on average, 20 people join the bridge to root-cause the issue and discover that an SSL certificate was the cause, and then the correct team must follow steps to remediate it.
Let’s be honest: most certificates are issued by engineers as a means to an end. Most people are not passionate about PKI and SSL best practices (if you are, we are hiring), which means they may simply follow a blog they find online and introduce unwanted misconfigurations that could cause your next security breach. Having a tool that scans your infrastructure and ensures it meets industry standards is a great way to help your CISO sleep better at night.
The first step is discovering all your certificates. If you are just starting with SSL certificates and have not deployed any, using a cloud-based CA with automatic certificate management and discovery will make your life super easy. Since most organizations already have existing certificates, we have to find them all and bring them into management. SSL certificates can be divided into two buckets, public certificates and private certificates, and they both can be found using an SSL monitoring tool. Check out this blog to learn more about public vs. private CAs.
As mentioned above, most organizations do not have an accurate inventory of their certificates, so SSL monitoring tools that require you to manually import your certificates will not help you find all of them. Thankfully, Google led the industry with the creation of Certificate Transparency logs. These logs record every single public certificate issued by a public certificate authority since 2016. Using a Google-recommended Certificate Transparency log monitor such as EZMonitor can help you find all your public SSL certificates, and can even surface similar domains that might be used for phishing, or dangling DNS entries that could cause your next major breach.
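To make the Certificate Transparency idea concrete, here is an added example in Go; it is not part of the original post and not EZMonitor’s code. It takes a batch of CT-log-style entries (constructed sample data, with `example.com` as the assumed organization domain and invented issuer names) and sorts the logged DNS names into your own certificate inventory versus lookalike registrations worth a phishing investigation, using a brand-label substring match plus an edit-distance check. A real monitor would pull these entries from a CT log API and apply richer confusable rules; the triage logic is the point here.

```go
package main

import (
	"fmt"
	"strings"
)

// ctEntry mirrors the fields a Certificate Transparency log monitor surfaces
// for each logged certificate. All values used below are constructed sample
// data, not output from a real CT log.
type ctEntry struct {
	Issuer string
	Names  []string // DNS names from the certificate's Subject Alternative Name
}

// levenshtein returns the edit distance between two strings.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, minInt(cur[j-1]+1, prev[j-1]+cost))
		}
		prev = cur
	}
	return prev[len(rb)]
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// brandLabel returns the label left of the top-level domain, e.g.
// "login.example.com" -> "example". Deliberate simplification: it ignores
// multi-part public suffixes such as "co.uk".
func brandLabel(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return labels[0]
	}
	return labels[len(labels)-2]
}

// classify decides whether a CT-logged DNS name is one of the organization's
// own names ("owned"), looks like an imitation of one ("lookalike"), or is
// unrelated ("other"). Wildcard prefixes are stripped before matching.
func classify(name string, owned []string) string {
	host := strings.ToLower(strings.TrimPrefix(name, "*."))
	for _, d := range owned {
		d = strings.ToLower(d)
		if host == d || strings.HasSuffix(host, "."+d) {
			return "owned"
		}
	}
	label := brandLabel(host)
	for _, d := range owned {
		brand := brandLabel(strings.ToLower(d))
		// The brand under another TLD, embedded in a longer label
		// ("example-login.net"), or one edit away ("examp1e.com") are the
		// registration patterns a CT monitor should flag for review.
		if strings.Contains(label, brand) || levenshtein(label, brand) <= 1 {
			return "lookalike"
		}
	}
	return "other"
}

// triage splits a batch of CT entries into the inventory of the organization's
// own names and a list of names that deserve a phishing investigation.
func triage(entries []ctEntry, owned []string) (inventory, suspicious []string) {
	seen := map[string]bool{}
	for _, e := range entries {
		for _, n := range e.Names {
			if seen[n] {
				continue
			}
			seen[n] = true
			switch classify(n, owned) {
			case "owned":
				inventory = append(inventory, n)
			case "lookalike":
				suspicious = append(suspicious, fmt.Sprintf("%s (issuer: %s)", n, e.Issuer))
			}
		}
	}
	return inventory, suspicious
}

func main() {
	owned := []string{"example.com"}
	entries := []ctEntry{ // constructed stand-ins for a CT monitor's search results
		{Issuer: "Sample Public CA", Names: []string{"www.example.com", "api.example.com"}},
		{Issuer: "Sample Public CA", Names: []string{"*.example.com"}},
		{Issuer: "Another Sample CA", Names: []string{"examp1e.com", "www.examp1e.com"}},
		{Issuer: "Another Sample CA", Names: []string{"example-login.net"}},
		{Issuer: "Another Sample CA", Names: []string{"unrelated.org"}},
	}
	inv, sus := triage(entries, owned)
	fmt.Println("inventory:", inv)
	fmt.Println("suspicious:", sus)
}
```

The "owned" bucket is your public certificate inventory, which is exactly what a spreadsheet-based process tends to lose track of; the "lookalike" bucket is what turns a CT monitor from an inventory tool into an early warning for phishing infrastructure.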
Discovering and monitoring private SSL certificates is more complex than doing so for public certificates, because your organization has no central log like the Certificate Transparency logs that records every certificate it uses. Instead, we must scan the known certificate authorities for the certificates they have issued; however, that alone is simply not enough. In our years of experience, we have found that most organizations have thousands of SSL certificates issued by shadow IT, either by someone creating their own certificate authority or by creating self-signed certificates. To find all of these certificates, we must scan the network and report on every certificate that is found; EZMonitor’s internal agent lets you scan your private networks and helps you find all your certificates. With 20+ SSL-related alerts, EZMonitor gives you full visibility into your SSL health and helps prevent outages and dangerous misconfigurations.
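As an added example of the alerting side of a private-network scan (not the original post’s or EZMonitor’s code), the Go program below generates a small constructed fleet of certificates in memory with the standard library (an internal CA, two CA-issued leaves, and a shadow-IT self-signed certificate; every name and serial is invented) and runs the checks a scanner would apply to each one: expiry within 30 days, leaf validity over 398 days, a self-signed leaf, an RSA key under 2048 bits, and a missing Subject Alternative Name. In practice the certificates would come from TLS handshakes against discovered hosts rather than from `sampleFleet`.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// checkCert applies health checks of the kind a network scanning agent runs on
// every certificate it finds; 'now' is a parameter so results are deterministic.
func checkCert(c *x509.Certificate, now time.Time) []string {
	var out []string
	switch remaining := c.NotAfter.Sub(now); {
	case remaining < 0:
		out = append(out, "EXPIRED")
	case remaining < 30*day:
		out = append(out, fmt.Sprintf("EXPIRES_SOON (%d days)", int(remaining/day)))
	}
	if !c.IsCA && c.NotAfter.Sub(c.NotBefore) > 398*day {
		out = append(out, "VALIDITY_TOO_LONG") // leaf lifetime beyond the public-CA ceiling
	}
	// Self-signed leaf: issuer equals subject and its own key verifies the
	// signature. Self-signed roots are expected, so CA certificates are skipped.
	if !c.IsCA && string(c.RawIssuer) == string(c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		out = append(out, "SELF_SIGNED")
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		out = append(out, fmt.Sprintf("WEAK_RSA_KEY (%d bits)", k.N.BitLen()))
	}
	if !c.IsCA && len(c.DNSNames) == 0 && len(c.IPAddresses) == 0 {
		out = append(out, "NO_SAN") // modern clients ignore the CN, so hostname checks fail
	}
	return out
}

// scanReport groups alerts by subject common name, like a monitoring dashboard.
func scanReport(certs []*x509.Certificate, now time.Time) map[string][]string {
	report := map[string][]string{}
	for _, c := range certs {
		if alerts := checkCert(c, now); len(alerts) > 0 {
			report[c.Subject.CommonName] = alerts
		}
	}
	return report
}

// newCert issues tmpl signed by parent, or self-signs it when parent is nil.
func newCert(tmpl, parent *x509.Certificate, key, parentKey *rsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return c
}

// sampleFleet builds constructed certificates standing in for what a network
// scan might discover: an internal CA, a healthy leaf, a leaf expiring soon,
// and a shadow-IT self-signed certificate with a weak key and no SAN.
func sampleFleet(now time.Time) []*x509.Certificate {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	weakKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	ca := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Internal Root CA"},
		NotBefore: now.Add(-365 * day), NotAfter: now.Add(10 * 365 * day),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, caKey, nil)
	leaf := func(cn string, days int) *x509.Certificate {
		return newCert(&x509.Certificate{
			SerialNumber: big.NewInt(int64(days)), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
			NotBefore: now.Add(-day), NotAfter: now.Add(time.Duration(days) * day),
			KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, leafKey, caKey)
	}
	shadow := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(99), Subject: pkix.Name{CommonName: "build-box-07"},
		NotBefore: now.Add(-day), NotAfter: now.Add(5 * 365 * day),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}, nil, weakKey, nil)
	return []*x509.Certificate{ca, leaf("app.internal.example", 200), leaf("legacy.internal.example", 12), shadow}
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	fmt.Println(scanReport(sampleFleet(now), now))
}
```

The CA and the healthy 200-day leaf raise nothing, the 12-day leaf raises only EXPIRES_SOON, and the self-signed build box raises four alerts at once, which is the typical profile of a shadow-IT certificate: nobody set a SAN, nobody chose a key size, and nobody planned a renewal.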
Managing certificates is a critical task for any organization. With the growing number of certificates, it is essential to automate the certificate lifecycle and rotate certificates at regular intervals to maintain security and compliance. Automation and a regular rotation schedule for leaf certificates that are not hardware-protected, and for computer leaf certificates, will minimize the risk of certificate-related outages and security breaches. If you’re still wondering how to go about all of this, check out our blog on PKI and SSL best practices.