“’Failed trust’ is when an organization says to its stakeholders that everything is OK and in reality it’s not,” said Larry Ponemon (@ponemon), Chairman and Founder of the Ponemon Institute, in our conversation at the 2013 RSA Conference in San Francisco.
Failed trust is often not malicious. What’s happening is an organization is not managing their milieu of certificates (e.g., digital certificates, key management, SSH) and as a result many of these certificates expire and create holes in authorizations that allow bad guys to get in.
Here are some of the most common failures of certificate management:
- Certificates issued with weak cryptography.
- Certificate expires.
- Legitimate certificate issued to a criminal.
- Poor tracking managed through spreadsheets.
The situation is pretty bad, costing about $398 million in potential exposure for Fortune 2000 companies. This combined with the high probability of occurrence makes this a very serious problem, said Ponemon.
Sadly, just over half of the companies Ponemon interviewed admitted they didn’t know where all their certificates were.
The solution, which should be no surprise, is just good old fashioned governance. You can’t manage thousands of certificates through a spreadsheet. You need a much better solution tailored to this problem, said Ponemon.