2012 Risk Audit Survey Findings

Enterprise Key and Certificate Management (EKCM)

February, 2012

© 2012 Venafi Proprietary and Confidential

2012 EKCM Audit and Best Practices: Key Players

• Survey, analysis, potential risks and best practices developed in conjunction with Osterman Research

• Michael Osterman, President and founder of Osterman Research. Osterman Research is a leading analyst firm with expertise in research and survey methodology, providing analysis, white papers and other services.

• Jeff Hudson, CEO of Venafi. Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions. Venafi solutions manage digital certificates and SSH, symmetric and asymmetric keys.

Survey Methodology

• Venafi and Osterman Research surveyed more than 174 IT and information security professionals.

Survey Results: Unquantified and Unmanaged Risks

• 54% acknowledge having an inaccurate or incomplete inventory of their SSL certificate population.

• 44% admit their digital certificates are manually managed with spreadsheets and reminder notes.

Survey Results: Operational Risks

• 46% of respondents cannot generate a report to discover how many currently deployed SSL/digital certificates will expire during the next 30 days.

• 70% do not have a certificate management system integrated with their directory; such integration allows notifications to be escalated automatically when the recipient does not respond.

Survey Results: Security Risks

43% of respondents do not have a centralized corporate policy mandating:

• Specific encryption-key strengths

• Key lengths

• Validity periods

• Private-key management

• Rotation

• Separation of duties

Lack of policies and/or the ability to enforce them creates security vulnerabilities.

Survey Results: Audit and Compliance Risks

• 54% do not have an automated, repeatable and on-demand way of providing a senior manager, vice president or auditor with a report of exactly how many certificates are present in the entire environment.

• 62% do not have an automated process for ensuring compliance with corporate policies.

Survey Results: Certificate Authority (CA) Compromise Risk

• 72% do not have an automated process to replace compromised certificates if the Certificate Authority in use is compromised.

Authentication and Encryption Needs Expanding

[Diagram: human interface, applications and data, cloud, mobile]

• Lack of knowledge is increasing

• Requirement for key management is accelerating

Industry Best Practices for Remediation

1. Educate all stakeholders on the seriousness of certificate breaches and related problems.

2. Clearly articulate the role and use cases of encryption in security.

3. Define and make easily accessible clear encryption certificate and key-management policies, processes and procedures.

Best Practices Continued

4. Implement a central inventory and monitoring system; identify owners for each asset; ensure notifications are sent regarding impending expiration, errors and other issues.

5. Replace manual steps in the lifecycle management of certificates and keys with automation.

6. Dedicate sufficient staff to manage the implementation and maintenance of central encryption-key and certificate-management policies and technologies.

Venafi Assessor™

Risk Self Diagnosis

• Do you know where all the digital certificates are deployed on your network and who installed them?

• Do you know when they are going to expire?

• Do you separate access to public and private keys for system access?

• Do all your encryption keys and certificates conform to policy?

• How long would it take you to replace all your certificates?

If target organizations cannot answer these questions they are going to experience a breach, an outage, or will fail an audit.
Quantify Your Risks

• Where are all of our SSL certificates installed?

• What date will certificates expire?

• How many certificates do we have?

• Which Certificate Authority(ies) issued these certificates?

• What encryption key length is being used?

• What algorithms are in use?

• Are we in compliance?

Venafi Assessor™

• What is Assessor?
– Customer downloadable software
– Ready to run, fast and easy
– Scans to find certificates and keys
– Quantifies the certificate and key population present
– 12 reports that identify type and severity of risks

• Installation and operation
– Runs in a virtual machine
– Preconfigured, no special expertise required
– Doesn’t modify environment
– Doesn’t “phone home”

• Assessor is available on February 22
– www.venafi.com/Assessor
Getting Accurate Certificate Data: Three Easy Steps

1. Download and deploy Assessor

2. Enter addresses and run discovery

3. View detailed reports

What’s in Your Environment?

Turn Assumptions into Hard Data:
– Number of manageable certificates
– Issuing certificate authorities
– Expiration dates
– Certificate validity periods
– Key lengths
– Signing algorithms

Assessor reports include industry best-practice recommendations for remediation of the issues discovered.

Ignorance of the situation surrounding a critical security mechanism must be resolved.

Sample Assessor-generated Report: Certificate Days to Expiration

Rapid assessment of downtime risk due to expiring certificates.

Sample Assessor-generated Report: Certificate Validity Periods

Administrators turn over every year. Validity periods >1 year create significant security risk.

Sample Assessor-generated Report: Issuing Certificate Authorities

Unauthorized CAs create security and operational risk.

Sample Assessor-generated Report: Encryption Key Lengths

Weak keys open the risk of an attacker deriving the key. NIST now stipulates a 2048-bit key length.
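The four sample reports above (days to expiration, validity period, issuing CA, key length) reduce to a handful of checks over an inventory. The following is an added example, not Venafi's or Assessor's code: it applies the thresholds the slides state (30-day expiry window, validity over one year, keys under 2048 bits) plus an assumed approved-CA list to a constructed inventory, and produces the counts an auditor would ask for. Hosts, issuers, dates and the approved-CA set are made up.

```python
from collections import Counter
from datetime import date
EXPIRY_WINDOW_DAYS = 30   # slide: certificates expiring "during the next 30 days"
MAX_VALIDITY_DAYS = 365   # slide: validity periods > 1 year are a security risk
MIN_KEY_BITS = 2048       # slide: NIST stipulates a 2048-bit key length
APPROVED_CAS = {"Corp Internal CA", "Public CA One"}  # assumed policy list
AS_OF = date(2012, 2, 22)  # assessment date (constructed)
INVENTORY = [  # constructed sample inventory: made-up hosts, issuers and dates
    {"host": "www.example.test", "issuer": "Corp Internal CA", "key_bits": 2048,
     "sig_alg": "sha256WithRSA", "not_before": date(2011, 3, 20), "not_after": date(2012, 3, 15)},
    {"host": "mail.example.test", "issuer": "Public CA One", "key_bits": 1024,
     "sig_alg": "sha1WithRSA", "not_before": date(2010, 1, 10), "not_after": date(2013, 1, 10)},
    {"host": "legacy.example.test", "issuer": "Self-Signed", "key_bits": 2048,
     "sig_alg": "sha256WithRSA", "not_before": date(2011, 1, 1), "not_after": date(2012, 1, 1)},
    {"host": "intranet.example.test", "issuer": "Corp Internal CA", "key_bits": 2048,
     "sig_alg": "sha256WithRSA", "not_before": date(2011, 10, 1), "not_after": date(2012, 9, 1)},
]

def assess(cert, today=AS_OF, approved_cas=APPROVED_CAS):
    """Policy findings for one certificate record; an empty list means compliant."""
    issues = []
    days_left = (cert["not_after"] - today).days
    if days_left < 0:
        issues.append("expired")
    elif days_left <= EXPIRY_WINDOW_DAYS:
        issues.append(f"expires in {days_left} days")
    if (cert["not_after"] - cert["not_before"]).days > MAX_VALIDITY_DAYS:
        issues.append("validity period exceeds 1 year")
    if cert["key_bits"] < MIN_KEY_BITS:
        issues.append(f"key length {cert['key_bits']} bits below {MIN_KEY_BITS}")
    if cert["issuer"] not in approved_cas:
        issues.append(f"unauthorized CA: {cert['issuer']}")
    return issues

def report(inventory=INVENTORY, today=AS_OF):
    # The counts a manager or auditor asks for, plus per-host findings.
    findings = {c["host"]: assess(c, today) for c in inventory}
    flat = [s for issues in findings.values() for s in issues]
    return {
        "total": len(inventory),
        "at_risk": sum(1 for issues in findings.values() if issues),
        "expired": flat.count("expired"),
        "expiring_30d": sum(1 for s in flat if s.startswith("expires in")),
        "weak_keys": sum(1 for s in flat if s.startswith("key length")),
        "long_validity": flat.count("validity period exceeds 1 year"),
        "unauthorized_ca": sum(1 for s in flat if s.startswith("unauthorized CA")),
        "by_ca": Counter(c["issuer"] for c in inventory),
        "by_key_bits": Counter(c["key_bits"] for c in inventory),
        "findings": findings,
    }
```

With a real discovery tool the inventory dicts would be filled from the parsed certificates; the checks and the summary do not change.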

Discussion