SSL Management for the Enterprise
Best Practices in SSL Certificate Management
Fortunately, there are services that make it easy to discover and manage SSL certificates across the enterprise. Some solutions may claim to reduce the burden of SSL management even if they do not allow you to discover certificates from multiple Certification Authorities. Other solutions might offer multi-CA scanning ability, but lack an intuitive, easy-to-navigate user interface.
To help ensure that you find the best solution to fit your needs, here are some key features to look for in any solution you consider:
Ability to scan your environment automatically:
While it is possible to audit networks manually, this approach would simply take too long and require too many staff resources to be feasible in a large, comples enterprise environment. Be sure to select a service that enables your team to conduct automatic scans that will detect SSL certificates from any provider.An easy-to-use interface:
Information that is hard to access or read will not be useful, so look for a tool that offers a dashboard that is easy to navigate and presents data in a way that is easy to understand at a glance.Delegation capabilities:
In the typical enterprise environment, multiple employees are tasked with security management. For this reason, finding a certificate discovery solution that allows administrators to grant different levels of access and delegate tasks to various employees across the network is critical.Alerts and reporting:
An expired SSL certificate puts data at risk, so finding a service that will send alerts before a certificate needs renewal is critical. In addition, the ability to generate reports that are easy to read and comprehend is critical. Advanced reporting capabilities will not only provide a deep, comprehensive view of certificates in the network, but will also allow your team to communicate critical information to other staff - such as executives - more effectively.Flexibility and scalability:
Enterprise networks are dynamic, ever-changing environments, which means a certificate discovery service should have configurable parameters, such as the duration of the scan, which IP addresses to scan, etc. In addition, the service must be scalable to allow for future growth.Timeliness:
In order to be effective, network scans must be completed quickly. If a network-wide scan takes too long, the status of some SSL certificates may change before the full scan is complete. This will result in an inaccurate view of the SSL certificate inventory.
The Dangers of Expired and Rogue SSL Certificates
An expired or rogue SSL certificate in a network environment could have severe repercussions. It takes just one out-of-date or rogue certificate to expose the enterprise - and perhaps more importantly, its customers-to malicious cybercrime. The following are just a few potential consequences of expired and rogue SSL certificates.
Theft of customer data
Thanks to years of news headlines about data breaches and education efforts led by consumer advocacy groups and businesses, the public is more concerned about identity theft than ever before. A recent study found that 64 percent of Americans are very or extremely concerned about someone stealing their identity, with 31 percent describing their level of worry as extremely concerned.
In this context, the risk of phishing is a major concern. In a phishing attack, a hacker will assume the identity of a legitimate business - taking advantage of the business's lack of authentication from non-existent or expired SSL certificates - and create a fake website that looks similar if not identical to the real site. Unsuspecting customers will then enter confidential information, such as credit card or social security numbers, on the site. The phished site feeds data directly to the hacker, who may in turn sell it to other criminals.
Even if a phishing incident or data breach is relatively minor, it can exacerbate these fears and seriously threaten the enterprise. In fact, research has found that 31 percent of customers will terminate their relationship with a company following a data breach regardless of the degree of severity.
Beyond these immediate losses, phishing and data breaches can also affect the reputation of an enterprise and lead both current customers and prospects to question whether a particular business can be trusted. Industry experts say that it takes about six months to stabilize sales and confidence in a company's network after a breach - and even then a company's reputation may not be
completely restored.
Losing customers to competitors
Another factor that concerns business is expired SSL certificates. An expired SSL certificate can lead to lost business in other ways. Chief among them is simply losing traffic when customers see warnings of SSL certificate expiration and leave your site to purchase products and services on sites that are secured with SSL certificates.
Customers may not know exactly how public key encryption works, but visible signs of SSL security - such as an SSL trust seal or the green Extended Validation bar - will make them more likely to transact on a particular site. If SSL certificates on e-commerce or other types of public-facing sites expire, they will lose customers' trust resulting in loss of business.
Conclusion
SSL certificates are essential to protecting data in transit. Despite its strength and reliability, however, SSL security can still be vulnerable to attack for one simple reason: poor SSL certificate management.
In a multi-certificate, multi-CA enterprise environment, getting a comprehensive view of SSL security is essential. Knowing the status of every certificate across sites and networks can not only help control customer service costs, but also lower the burden of SSL administration, giving busy IT teams more time to concentrate on other business-critical projects.
Rigorous SSL management can also prevent much more serious consequences, including a major phishing incident or other type of data breach that will not only be expensive to remediate, but may also cause long-term damage to your reputation with customers.
** This information is taken directly from Symantec's DataSheet - "Business Continuity and Breach Protection".