Survey finds 72 percent of companies are dicing with data breach disaster

London February 23rd, 2012 Given the recent catastrophic data breaches suffered by third-party trust providers, including a number of certificate authorities (CAs), the findings of a new survey from Venafi Inc., the inventor and market leader of enterprise key and certificate management (EKCM) solutions, in conjunction with Osterman Research, make shocking reading. The findings shed light on truly careless management of crucial security instruments.

A staggering 72 percent of survey respondents admitted that they have no automated process to replace compromised certificates. This means that if their CA vendor is compromised they will not know where the offending certificates are deployed and will have no way of automatically locating and replacing them. This could bring all business operations of the respondents’ organisations to an immediate halt, given that their existing manual processes would require weeks just to identify the vulnerable certificates, with no plan for how to replace them en masse. This is particularly worrisome when you discover that 76 percent of respondents also expect their certificate population to grow in 2012.

Fifty-four percent of respondents admitted to having an inaccurate or incomplete inventory of their SSL certificates, with 44 percent admitting that their digital certificates are manually managed with spreadsheets and reminder notes. This is the equivalent of leaving a post-it note on your front door informing would-be burglars that your home is empty and ready to be robbed.

“Organisations protect mission-critical and often regulated data with hundreds or thousands of encryption keys and digital certificates,” said Jeff Hudson, Venafi CEO. “But as this survey reveals, too many companies have inaccurate or incomplete data about their security assets. The unquantified and unmanaged risks these certificates and keys pose are significant—risks magnified through their increasingly pervasive use in corporate data centres, cloud-based systems, and mobile devices.”

Forty-three percent of respondents said that they did not have a centralised corporate policy covering encryption-key strengths or lengths, validity periods, and private key administration and access requirements for proper segregation of duties. This may allow weak or vulnerable encryption keys to be compromised, resulting in data breaches and the ensuing brand damage. The survey data uncovers worrying complacency on the part of senior management about their stewardship of their own digital assets and information security mechanisms.

Sixty-two percent said they did not have automated processes for enforcing internal, corporate policies or regulatory compliance for how digital certificates and encryption keys are managed. This means that they would fail internal and external audits with risks of steep fines, potential employment termination and brand damage.

Forty-six percent of respondents said that they would not be able to generate a report showing how many digital certificates they owned, and 70 percent admitted that they did not have a certificate management system that would alert them if a certificate renewal request failed, resulting in costly unplanned outages and system downtime.

The survey also reveals that 54 percent of respondents do not have an automated, repeatable and on-demand way of providing a senior manager, vice president or auditor with a report of exactly how many certificates are present in the entire environment. This means that senior management is being kept in the dark about an unquantifiable risk to their businesses, one which could potentially cripple them.

Effective Remediation Strategies

Venafi publishes best practices for effective key and certificate management, and is the industry’s leading authority on the processes and practices that comprise the overall strategy for improved security and lowered risk. The EKCM best-practices portal is available for free to any organization.

About Venafi

Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions. Venafi delivered the first enterprise-class solution to automate the provisioning, discovery, monitoring and management of digital certificates and encryption keys—from the datacenter to the cloud and beyond—built specifically for encryption management interoperability across heterogeneous environments. Venafi products reduce the unquantified and unmanaged risks associated with encryption deployments that result in data breaches, security audit failures and unplanned system outages. Venafi also publishes best practices for effective key and certificate management at www.venafi.com/best-practices. Venafi customers include the world’s most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.

About Osterman Research

Osterman Research was founded in 2011 and has become one of the leading analyst firms with expertise in research and survey methodology, providing analysis, white papers and other services to companies like Microsoft, IBM, Google, EMC, Symantec, Hewlett Packard and many others.