
Protecting Online

by msecadm4921

Will the truly secure website please stand up? writes Gregory Webb, Marketing Director, Venafi.

A company’s brand is among its most valuable assets. A strong brand—one known for providing quality solutions that add value—is essential for organisational success. Companies with the world’s most valuable and well-recognised brands will take on imposters and rivals in high-profile, expensive legal battles to protect their brands from illegal or improper use.

Yet, and I find this very ironic, these same brand stewards do relatively little to guard against the brand damage that comes when their public site goes down or when their customer or partner data is breached. The need for better oversight is not hypothetical. Major corporations like Lockheed Martin, L3, Epsilon, EMC, and others have recently been the subject of significant, mainstream press coverage regarding unauthorised access and data breaches.

You can’t fully understand why companies are doing so little to protect the integrity of their public sites, data and brands unless you understand that many believe that they are protecting them already, simply by deploying digital certificates and encryption keys.

Keys and certificates
Consumers recognise a T-Mobile phone by the T-Mobile logo, but how does a user logging in to their cell phone account recognise the T-Mobile website as truly belonging to that company?

In fact, the user’s web browser can and does recognise the website’s identity. Here is how it works: whenever a user connects to a secure website, the website presents a digital certificate, which identifies the site and the organisation that owns it. Of course, anyone can claim to be whoever they want, so a digital certificate is signed by a Certificate Authority (CA), and the browser checks that signature to discover whether the site truly belongs to the organisation it claims to belong to, or to an imposter, likely one with malicious intent.

A company’s customers can access the company’s online services day after day and year after year without realising the background processes securing their activities—until these processes break down.

Encryption failures
The breakdown can occur in two equally critical ways:

• The certificate can expire, causing users to believe that a legitimate site belongs to an imposter
• The certificate can be compromised, causing users to believe that an imposter’s site is legitimate

In the first case, an expired certificate, users see the problem immediately: a message warns them against accessing the site. Some users will simply abandon the site out of fear that it is not authentic, causing the company to lose business. Some users might also assume that the company’s security has been breached, which damages the company’s reputation almost as much as if it were actually breached.

The second case, a compromised certificate, poses an even greater risk to a company’s brand because the problem might remain invisible until the damage is already done. With a compromised or rogue certificate, hackers can launch man-in-the-middle and phishing attacks, luring customers to the imposter site and tricking them into revealing valuable information such as credit card numbers, official government IDs, passwords, etc.

This type of security breach should make brand stewards wake up in a cold sweat—not only can the company be fined for regulatory violations, but the scandal can ripple through the company’s image for years.

In short, to protect its public site, and the brand for which the public site is the online avatar, the company must protect its digital certificates.

What protects?
At first glance, protecting the online data and systems seems a simple proposition: keep encryption keys and certificates up-to-date, accounted for, and properly protected. But the simple list of tasks conceals the complexities of implementing them, which is probably why so many companies are not protecting their online presence adequately: not only data as it traverses the internet, but also the data that flows between people, applications and systems inside the firewall.

Problem one: Proliferation of digital certificates
Most companies have certificates from multiple CAs and no simple method for managing authentication mechanisms across them. Companies often end up with silos of certificates without any overarching management scheme—let alone one that can scale to tens of thousands of certificates obtained from several CAs. These companies cannot effectively manage their certificate assets with the piecemeal solutions offered by individual CAs or with their own makeshift measures; they require a CA-neutral Enterprise Key and Certificate Management (EKCM) process.

Problem two: Underestimation of the problem
Uninformed security professionals can also stand in the way of an adequately protected website. Many security professionals think that their job starts and ends with purchasing and deploying a digital certificate to authenticate a website or to secure communications between systems and servers inside the firewall. What the uninformed security guru does not realise is that these certificates expire, opening the company to the host of problems and hacker exploits described above.

Even after the company becomes aware that a certificate or CA has an issue, IT staff often find it nearly impossible to locate and replace the compromised certificate.
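The browser check described earlier (a certificate must chain to a trusted CA, and an expired or imposter certificate produces a warning) and the management tasks listed above (keeping certificates up to date and accounted for across several CAs, and locating the ones issued by a CA that has since been compromised) can be shown together with Go's standard crypto/x509 package. The following is an added example, not code from the article or from Venafi. Everything in it is a constructed fixture: the two in-house CAs, the host names, serial numbers and validity dates, the 30-day renewal window, and the choice of "Example CA B" as the CA treated as compromised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type entity struct { // a certificate with its signing key; CAs built from it are constructed stand-ins
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

// mint issues a certificate for name signed by parent (self-signed when parent is nil).
// Key generation and DER encoding fail only in a broken crypto environment, so those panic.
func mint(name string, parent *entity, isCA bool, notAfter time.Time) *entity {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial, demo only
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().AddDate(0, 0, -400), // constructed issue date
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA { // a CA signs certificates rather than serving a host name
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageCertSign, nil
	}
	if parent == nil {
		parent = &entity{cert: tmpl, key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, pub, parent.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &entity{cert: cert, key: key}
}

// browserVerdict runs a browser's checks (trusted chain, host name, validity dates) and names the outcome.
func browserVerdict(cert *x509.Certificate, host string, trusted *x509.CertPool) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	if e, ok := err.(x509.CertificateInvalidError); ok && e.Reason == x509.Expired {
		return "expired" // the warning page that makes users abandon the site
	}
	if _, ok := err.(x509.UnknownAuthorityError); ok {
		return "untrusted issuer" // how an imposter's certificate is caught
	}
	if err != nil {
		return "other: " + err.Error()
	}
	return "ok"
}

type finding struct{ Host, Issuer, Reason string } // one audit row: host, issuing CA, why it was flagged

// audit flags certificates that have expired, expire within window, or come from a compromised CA.
func audit(inventory []*x509.Certificate, window time.Duration, compromisedCA string) []finding {
	now := time.Now()
	var out []finding
	for _, c := range inventory {
		host, iss := c.Subject.CommonName, c.Issuer.CommonName
		if c.NotAfter.Before(now) {
			out = append(out, finding{host, iss, "expired"})
		} else if c.NotAfter.Before(now.Add(window)) {
			out = append(out, finding{host, iss, "expires within window"})
		}
		if iss == compromisedCA { // these are the ones that must be located and replaced
			out = append(out, finding{host, iss, "issued by compromised CA"})
		}
	}
	return out
}

// buildDemo constructs the estate: two trusted in-house CAs, three sites, and a self-signed imposter.
func buildDemo() (trusted *x509.CertPool, inventory []*x509.Certificate, imposter *x509.Certificate) {
	caA := mint("Example CA A", nil, true, time.Now().AddDate(10, 0, 0))
	caB := mint("Example CA B", nil, true, time.Now().AddDate(10, 0, 0))
	trusted = x509.NewCertPool()
	trusted.AddCert(caA.cert)
	trusted.AddCert(caB.cert)
	inventory = []*x509.Certificate{
		mint("www.example.com", caA, false, time.Now().AddDate(0, 0, 400)).cert,
		mint("shop.example.com", caA, false, time.Now().AddDate(0, 0, -1)).cert,
		mint("api.example.com", caB, false, time.Now().AddDate(0, 0, 7)).cert,
	}
	imposter = mint("www.example.com", nil, false, time.Now().AddDate(0, 0, 400)).cert
	return trusted, inventory, imposter
}
```

Calling `buildDemo` and then `browserVerdict` on each certificate gives "ok" for www.example.com, "expired" for shop.example.com and "untrusted issuer" for the imposter that also claims www.example.com, which is the visible half of the article's two failure modes. `audit` over the same inventory is the invisible half: it lists the lapsed certificate, the one due within the renewal window, and every certificate issued by the CA now treated as compromised, which is the inventory a team needs before it can replace them.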

Problem three: Technology outpacing management
Even if security professionals understand what they must do to protect a company’s website—and do their best to do so—they can still fail. Technology is simply outpacing management.

Almost every company has a website that leverages the Internet’s unique ability to host services, deliver content, furnish demographic research, and provide a sales channel. As a result, more sensitive data than ever before is floating around in cyberspace. Hackers have seized the opportunity to hijack inadequately secured data, and the complexity of their exploits is rapidly outpacing advances in security. As noted above, a compromised certificate opens the door to phishing and man-in-the-middle exploits that steal customers’ data—and land a company on the front page.

The bottom line is that information security teams that use outdated technologies to combat sophisticated exploits are essentially taking knives to a gunfight. Effective encryption key and digital certificate management gives these teams a bulletproof vest—a powerful tool for ensuring that the many certificates and keys securing their assets are truly secure. In addition, effective management and controls free up the security teams’ time to implement other necessary defences.

Certificate management protects a company’s certificates, websites, and brand

Digital certificates, or SSL keys, are an essential asset in the fight to protect a company’s brand and its customers’ personal information. When a company protects these keys to the kingdom, visitors to its site will never have to ask, “Will the real website please stand up?”
