


Friday, 2 March 2012

Rogue certificates 'affecting businesses up to authorities'

Almost three-quarters of companies have no capability to detect or locate a rogue certificate.

According to a survey of 175 businesses by enterprise key and certificate management (EKCM) solutions vendor Venafi, 72 per cent of respondents admitted they had no automated process to replace compromised certificates. As a result, if their certificate authority (CA) were compromised, they would be blind to where the offending certificates were and have no way of automatically locating and replacing them.

As in the case of Diginotar last year, which was hacked and had rogue certificates issued for legitimate websites, the Venafi survey found that existing manual processes will require weeks to spot the vulnerable certificates; 76 per cent of respondents expected their certificate population to grow in 2012.

More than half (54 per cent) admitted to having an inaccurate or incomplete inventory of their SSL certificates, with 44 per cent admitting that their digital certificates are manually managed with spreadsheets and reminder notes.

Also, 46 per cent said they would not be able to generate a report detailing how many digital certificates they owned, and 70 per cent admitted that they did not have a certificate management system that would notify them if a certificate renewal request failed.

Jeff Hudson, CEO of Venafi, said: “Organisations protect mission-critical and regularly regulated data with hundreds or thousands of encryption keys and digital certificates. As this survey reveals, too many companies have inaccurate or incomplete data about their security assets.

“The unquantified and unmanaged risks these certificates and keys pose are important, risks magnified through their increasingly pervasive use in corporate data centres, cloud-based systems and mobile devices.”

This week Venafi launched the Assessor tool, which scans an organisation's network to find and analyse deployed digital certificates and the associated encryption keys. According to the company, Assessor produces a series of reports that detail the security, operational and compliance risks derived from the information it collects, and gives remediation recommendations based on industry best practices and the combined experience of Venafi customers.

“With Assessor, organisations can quantify the level of their risks, turning assumptions about their certificates and encryption keys into hard data. We're now providing this capability to organisations without charge,” said Hudson.


