Right now many enterprises are in the final stages of their 2015 budget cycles, and many are allocating budget for one of the most important problems and highest areas of risk: protecting the trust established by keys and certificates. Trust is a top-of-mind issue for CEOs and boards. Thousands of keys and certificates—many unknown to security teams—create the trust on which businesses run. If any one key or certificate is compromised, tampered with, or forged, brand reputation suffers, intellectual property can be stolen, and customer privacy can be breached. The consequences of failing to secure trust are considerable and can significantly damage a business.
Why is securing keys and certificates so important now? As we have come to rely more heavily on keys and certificates, cybercriminals have made them more of a target. They want to use keys and certificates to be authenticated and evade detection, bypassing other security controls and keeping their actions cloaked.
Organizations layer security controls to create a defense-in-depth approach to protecting their business. But a lack of key and certificate security undermines the Critical Security Controls (CSCs) listed by the SANS Institute. For example, according to Gartner, 25% to 50% of all traffic in organizations is encrypted. Most security controls, such as malware defenses, boundary defenses, and data protection, do not decrypt that traffic; instead they rely on keys and certificates to determine what to trust.
The challenge is that security technologies are still designed to trust encryption. When attackers use encryption, they bypass your other security controls and hide their actions inside traffic those controls cannot inspect. The strength of your security program depends on the trust established by keys and certificates and on how well you protect that trust. If your top 2015 priorities are data security, privileged access, data loss prevention, PCI DSS v3, advanced threat mitigation, or mobility, then securing keys and certificates is critical to your team’s success.
If you have not already included key and certificate security in your 2015 budget, I encourage you to include this essential Next Generation Trust Protection as a top priority. Since Heartbleed, CEOs, Boards of Directors, and even Audit Committees are asking their CISOs what they are doing to better secure keys and certificates—especially since hackers used the Heartbleed vulnerability to breach a behind-the-firewall system at Community Health Systems, affecting an estimated 4.5 million patients! If keys and certificates are not replaced, exploits of Heartbleed can steal intellectual property, breach customer privacy, and irreparably damage reputation.
With these consequences, it’s incredibly surprising that so many have not fully remediated Heartbleed: in research from July 2014, Venafi Labs found 97% of public-facing G2000 servers are still vulnerable because keys and certificates hadn’t been changed—and this doesn’t include the behind-the-firewall systems that have been a low priority for remediation.
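To make the remediation point above concrete, here is an added example (not code from the original post or from Venafi) that classifies a certificate inventory by whether the Heartbleed-exposed key was actually replaced, rather than merely patched or reissued; the hosts, dates, fingerprints and field names are constructed for illustration.

```python
"""Heartbleed remediation status for a TLS certificate inventory.
Added example, not code from the original post or from Venafi; hosts, dates,
fingerprints and field names are constructed. Patching OpenSSL alone is not
remediation: keys in service on a vulnerable host must be regenerated and reissued."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class CertRecord:
    host: str
    not_before: date            # validity start of the certificate now served
    key_fingerprint: str        # fingerprint of the public key now served
    pre_patch_key: str          # fingerprint recorded before OpenSSL was patched
    patched_on: Optional[date]  # date the host's OpenSSL was patched; None if not yet

def remediation_status(rec: CertRecord) -> str:
    """Return one of five statuses; only 'remediated' means the exposure is closed."""
    if rec.patched_on is None:
        return "unpatched"  # host still leaks memory, so any key it holds is exposed
    same_key = rec.key_fingerprint == rec.pre_patch_key
    reissued_after_patch = rec.not_before >= rec.patched_on
    if same_key:
        # Reissuing a certificate for the old key pair keeps the exposed key in use.
        return "cert-reissued-same-key" if reissued_after_patch else "key-not-rotated"
    if not reissued_after_patch:
        # A key generated while the host was still vulnerable may itself have leaked.
        return "rotated-before-patch"
    return "remediated"

def summarize(records: List[CertRecord]) -> Dict[str, List[str]]:
    """Group host names by remediation status."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        out.setdefault(remediation_status(rec), []).append(rec.host)
    return out

def percent_still_exposed(records: List[CertRecord]) -> float:
    """Share of hosts whose status is anything other than 'remediated'."""
    exposed = sum(remediation_status(r) != "remediated" for r in records)
    return round(100.0 * exposed / len(records), 1)

# Constructed inventory; fingerprints are placeholders, not real key hashes.
INVENTORY = [
    CertRecord("web1.example", date(2014, 1, 15), "fp-A", "fp-A", date(2014, 4, 9)),
    CertRecord("web2.example", date(2014, 4, 10), "fp-A", "fp-A", date(2014, 4, 9)),
    CertRecord("web3.example", date(2014, 4, 12), "fp-B", "fp-A", date(2014, 4, 9)),
    CertRecord("api1.example", date(2014, 4, 8), "fp-D", "fp-A", date(2014, 4, 9)),
    CertRecord("intranet1.corp", date(2013, 11, 2), "fp-C", "fp-C", None),
]
```

Run `summarize(INVENTORY)` to see that four of the five constructed hosts remain exposed for different reasons, which is the gap a patch-only remediation report hides.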
I know firsthand that CISOs are always being asked to do more with less and have to prioritize many important projects during budget cycles. I joined Venafi earlier this year to help other CISOs and CIOs fortify their strategies and defend their businesses. Since I joined Venafi, I’ve worked with over 150 CISOs and CIOs to help them understand the problem and begin budgeting now. I can do the same for you by sharing a budget recommendation brief that summarizes the information gathered from these CISO meetings.
Effective key and certificate security can complement your current priorities and improve the effectiveness of your critical security controls. Enterprises need to make key and certificate security a top priority in 2015, or take the opportunity to get started with any left-over 2014 funds. Without key and certificate security, there are gaps that let attackers bypass critical security controls. And Heartbleed is just one of numerous vulnerabilities and attacks on trust—these are increasing in frequency and severity, continually threatening the trust that is the foundation of business.
I am personally committed to helping my fellow CISOs secure their businesses against trust-based attacks and welcome them to reach out to me directly to help them put together a plan to protect their keys and certificates and secure their business.