Failing to Manage Digital Certificates, Crypto Keys Can Cost Millions: Study

A new report from the Ponemon Institute examined the cost of failing to properly manage digital certificates and keys.

Enterprises may have to pay a high price for failing to protect the trust ecosystem supporting the digital world.

According to a new study from the Ponemon Institute commissioned by security vendor Venafi, organizations in the Forbes Global 2000 are expected to lose more than $35 million (USD) during the next 24 months. The estimate is based on a total possible cost exposure of $398 million per organization, according to the study, and factors in four cost categories: incident response, productivity loss, brand damage and revenue loss.

Ponemon fielded answers from 2,342 respondents in Australia, France, Germany, the U.K. and the United States, and comes on the heels of certificate authorities announcing the formation of the Certificate Authority Security Council (CASC) to promote standards and best practices among the organizations that issue digital certificates used for authentication.

Due in part to virtualization and the explosion of Secure Shell (SSH) key technology being used, the ecosystem supporting trust is expanding, said Venafi CEO Jeff Hudson.

"People are actively using certificates in many, many ways to encrypt data in motion and authenticate machines to one another," Hudson said.

Enterprises estimate they have on average 17,807 keys and certificates, according to the study. Fifty-one percent of those surveyed said they do not know exactly how many keys and certificates they have. In fact, 45 percent believe that failing to manage keys and certificates directly leads to the erosion of trust on which their business depends.

The problem is further illustrated by the fact that all the surveyed enterprises suffered at least one attack on trust due to failed key and certificate management. In addition, 18 percent of the enterprises expect to fall prey to attacks due to using weak, legacy cryptography during the next two years.

One of the biggest dangers, noted Larry Ponemon, chairman and founder of the Ponemon Institute, is the theft of SSH keys.

"Not well known outside the domain of the system administrator, SSH is used extensively to establish secure connections between computers and provides root access to the systems," according to the report. "Organizations use SSH to maintain control and ownership of cloud systems such as Amazon Web Services and Microsoft Azure. Management of SSH is typically performed by system administrators and until recently infrequently audited. If a criminal were to obtain keys used by a trusted administrator or system, all connected systems and data, even if encrypted, could be compromised."

To get trust in the cloud, every mechanism starts with a key or a certificate, Hudson said.

"As we move to an own-nothing model and bring your own device ... this notion of controlling trust in a world where corporations don't own anything becomes even more critical," he told eWEEK.

Fifty-nine percent of enterprises believe proper key and certificate management can help them regain control over trust and avoid risks.

Proper management, however, can no longer mean a spreadsheet program, Ponemon said.

"When you look at an average of close to 18,000 cryptographic keys and individual certificates ... for our sample, it's just way too complex without having a technology solution," he said.

"It's an issue that's ... not getting better," Ponemon added.