Firms hit by epidemic of lost or stolen digital certificates

16 Mar 2011

Despite the fallout from WikiLeaks’ publication of sensitive documents, mishandled encryption in businesses has caused downtime among 78pc of organisations, according to a report on encryption keys and digital certificate management by Venafi.

The report reveals that organisations are deploying increasing numbers of digital certificates and encryption technologies, but these security assets are also becoming lost, stolen and unaccounted for in epidemic proportions. Ironically, digital certificates and encryption keys are critical components of all information security programs, but they become dangerous liabilities when they go missing and find their way into the wrong hands.

“It is well documented that digital certificates played a key role in the Stuxnet attack that destroyed multiple centrifuges in an Iranian nuclear facility, and it is widely accepted that lost encryption keys can provide malicious insiders access to valuable corporate information revealed on high-profile whistleblower sites such as WikiLeaks,” said Jeff Hudson, CEO of Venafi.

Encryption assets scattered

Venafi compiled results from market and analyst report research, from a 471-respondent survey, from managers up to C-level executives from enterprise-class organisations within multiple industries, and from prior market surveys.

Some 51pc stated they had experienced either stolen or unaccounted-for digital certificates, or that they were uncertain if their organisations had lost, stolen or unaccounted-for digital certificates, in general.

And 54pc stated they had experienced either stolen or unaccounted-for encryption keys, or that they were uncertain if their organisations had lost, stolen or unaccounted-for encryption keys, in general.

Exacerbating the problem are the volume and diversity of encryption technologies and certificate authorities (CAs) that organisations must deal with on a daily basis. The number of encryption assets in their inventories grows regularly, and scattered individuals and teams frequently manage them.

According to the survey findings:

  • 46pc of organisations are managing at least 1,000 digital encryption certificates; 20pc are managing more than 10,000.
  • 83pc of organisations are managing technologies from at least two different CAs; 18pc are dealing with more than five.
  • 88pc of organisations have multiple administrators managing encryption keys; 22pc have more than 10.
  • 42pc of organisations manage encryption technologies from at least four vendors; 8pc are dealing with more than 10.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years.