Enterprises Face Encryption Key, Digital Certificate Management Challenges

A new survey suggests many organizations are losing track of encryption keys and digital certificates at a rate that may surprise you.

In an age of compliance regulations and a growing awareness of the costs of a data breach, encrypting data has become a key part of many enterprise security plans. But encrypting data has little value if an organization loses track of encryption keys.

And it is that last part that a recent survey (PDF) by key management vendor Venafi suggested is a challenge for many organizations out there. In a survey of 471 enterprise managers and executives, the firm found 54 percent either had unaccounted for or stolen encryption keys or were uncertain if they did. When it came to digital certificates, the figure was 51 percent.

"While digital certificates and their associated encryption keys are leveraged heavily for mission-critical applications, they do not come without overhead," said Jeff Hudson, CEO of Venafi. "Once a certificate is installed and in use, it is easy to forget about, lose track of, or have the responsible administrator move on to another project or position. All certificates have expiration dates. Applications and processes that are relying on the certificate for security or trust stop functioning when a certificate expires.

"Because most corporations have hundreds or thousands of certificates in use that are being managed manually, unplanned system outages are increasingly common and can have disastrous effect," he added.

The statistics seemed on the low side to Richard Stiennon, chief research analyst at IT-Harvest.

"Without a good management tool I cannot see how a large organization could keep track of all of their certificates," he said. "Those that answered that they had not experienced a loss of either certs or keys just don't know is my guess. Just laptop theft alone could lead to loss of keys."

Venafi's answer to all this is Venafi Encryption Director 6, which the company announced this week will be generally available in the second quarter of the year and which combines management for a wide range of digital certificates and encryption keys. To Hudson, the proliferation of sensitive data and the increasing sophistication of attackers mean organizations need to be more diligent in their security, and that has to include managing encryption keys and digital certificates.

"Today, nearly every enterprise application and IT system has been encryption key and certificate enabled," he said. "While this has delivered greater security capabilities than ever before, the complexity of utilizing this encryption capability has created a significant increase in security and operational risk."

According to the survey, 46 percent of respondents said they are managing at least 1,000 digital encryption certificates, and 20 percent are managing more than 10,000. Additionally, 83 percent are managing technologies from at least two different certificate authorities (CAs). Eighteen percent deal with more than five CAs.

"The encryption eco-system that has developed over time has gotten too complex. Departments, even individuals, contract separately with Microsoft, VeriSign, RSA, Entrust, or use open-source encryption tools and certificate generation tools," Stiennon said. "They never had a central policy, and each new project managed their own use of certs. In an environment like that, it is hard to gain control and not lose track of certificates."

UPDATE: This story was updated.