Digital certificates are a vital component of locking down IS security and digital trust. At a time when digital transformation is booming, their volume is growing exponentially. 60% of organizations have experienced unanticipated downtime or outages related to digital certificates, and with businesses today using over 100 certificates at a time, centralized management handled via a Certificate Lifecycle Management (CLM) solution is now essential.
Digital certificates: driving digital trust
Digital certificates are computer files signed by a certification authority (CA). By signing a certificate, the CA guarantees that the person, entity or machine (such as a server, computer, or connected object) it identifies is who it claims to be.
In the context of building digital trust, their uses are manifold:
- Encrypting data flows to ensure data confidentiality;
- Authorizing access to a digital resource (authentication or strong authentication);
- Implementing a zero trust security model, the idea being to “systematically verify identity and never trust”, meaning that only authenticated and authorized users and terminals have access to applications and data;
- Securing organizations’ cloud transformation, with research firm Markess by Exaegis estimating that the cloud now accounts for over 25% of all digital services and software;
- Handling electronic signatures to ensure data integrity and non-repudiation;
- Archiving to the legally required standard to ensure data integrity;
- Securing websites (TLS/SSL certificates);
- Protecting and identifying connected objects in a context where the global IoT market is growing at an average rate of 13% a year according to GlobalData, and is set to break through the $1 trillion mark by 2024…
Digital certificates are booming — and this is just the beginning
Digital transformation is the name of the game not just for businesses, but for wider society too — and certificate numbers are rocketing as a result. Using certificates and encrypting messages has become the new norm, whether in terms of protecting information systems and organizations’ data, or creating the right conditions to bolster digital trust.
Public Key Infrastructures (PKIs) are used to generate digital certificates, and according to Global Market Insights, the market exceeded $3 billion in 2022 and is expected to grow at an annual rate of over 20% between 2023 and 2032. It’s worth bearing in mind that this market has reached maturity and has a staggering number of different offerings, from company PKIs and public certificate authorities to the PKIs on offer from Cloud Service Providers (CSPs) themselves.
In step with these developments, certificate lifespans have been slashed in a bid to tighten security, dropping from five years a decade or so ago to 13 months on average today. These changes have been driven by the market’s major browsers and a shift towards zero trust architecture.
How poor digital certificate management affects you
The boom in the number of certificates, combined with a drop in their lifespan, means the risks inherent to non-compliant or expired digital certificates have increased. Published in the first quarter of 2019, the Ponemon Institute study entitled “The Impact of Unsecured Digital Identities” showed that 73% of those surveyed reported their organization had experienced unanticipated downtime or outages due to poor digital certificate management, with 55% of them stating that at least four certificate-related outages had occurred in the past two years.
On top of the risks of unauthorized access to sensitive resources, non-compliant and expired certificates trigger service interruptions that last one to four hours on average, directly impacting internal teams’ productivity, sales, and potentially even brand image. Consultancy firm Gartner estimates that on average, a single incident of service interruption costs around $300,000 per hour.
There are countless resounding examples of service interruption and malfunction linked to expired TLS/SSL certificates, right down to the very biggest companies. Here are just a few select examples:
- May 2021: the Microsoft Exchange administration portal was down
- July 2020: France’s La Poste mail service website was unavailable for several hours
- August 2020: Spotify struggled with a global outage
- May 2019: unsecured connection over at LinkedIn
Certificate Lifecycle Management: an easy way of managing digital certificates’ lifecycle
That same Ponemon Institute report also showed that 71% of respondents believe their organizations do not know how many keys and certificates they have, while 74% say their organization does not know what certificates they’re using, where to find them and when they expire. Despite tools being available to automate certificate management, according to an Opinium survey of over 300 IT professionals in the United States and United Kingdom, 36% rely on Excel spreadsheets to do so.
In organizations where over 100 certificates are deployed, Gartner recommends using a CLM tool to cut back on the costs and risks inherent to the tedious, time-consuming process of maintaining inventories, renewing certificates, and checking certificate compliance.
These CLM solutions slot into an overarching certificate management process that includes:
- Automatically identifying all certificates;
- Mapping and auditing all certificates;
- Pulling up real-time overviews;
- Detecting any potential anomalies such as expired or non-compliant certificates;
- Optionally sending notifications when certificates are about to expire or are non-compliant;
- Centralizing and monitoring certificates and PKIs;
- Conducting compliance audits;
- Approving requests for digital certificates;
- Automating renewals, deployment and revocation.
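The detection and notification steps in this list can be illustrated with a short Python example, added here and not taken from BerryCert or any other CLM product. It audits a constructed inventory whose records use the date format of Python's `ssl.SSLSocket.getpeercert()`; the endpoint names, the 30-day warning window and the 398-day lifetime limit are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumed policy (not from the article): alert 30 days before expiry and flag
# validity periods above 398 days, close to the 13 months the article cites.
WARN = timedelta(days=30)
MAX_LIFETIME = timedelta(days=398)
RANK = {"EXPIRED": 0, "EXPIRING": 1, "NON_COMPLIANT": 2, "UNKNOWN": 3}

def _utc(cert_time):
    """Parse a getpeercert()-style time string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def audit(inventory, now):
    """Return (endpoint, status, detail) findings, most urgent first."""
    findings = []
    for endpoint, cert in inventory.items():
        if "notBefore" not in cert or "notAfter" not in cert:
            # A record without dates must not pass silently as healthy.
            findings.append((endpoint, "UNKNOWN", "no validity dates recorded"))
            continue
        not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
        if not_after <= now:
            findings.append((endpoint, "EXPIRED", f"expired {(now - not_after).days} days ago"))
        elif not_after - now <= WARN:
            findings.append((endpoint, "EXPIRING", f"{(not_after - now).days} days left"))
        lifetime = not_after - not_before
        if lifetime > MAX_LIFETIME:
            findings.append((endpoint, "NON_COMPLIANT", f"validity of {lifetime.days} days exceeds policy"))
    return sorted(findings, key=lambda f: (RANK[f[1]], f[0]))

# Constructed inventory (hypothetical endpoints), as a discovery scan might record it.
SAMPLE_INVENTORY = {
    "intranet.example.test:443": {"notBefore": "Jan 10 00:00:00 2024 GMT", "notAfter": "Jan  9 23:59:59 2025 GMT"},
    "mail.example.test:443": {"notBefore": "Jun  1 00:00:00 2024 GMT", "notAfter": "Jun 20 00:00:00 2025 GMT"},
    "legacy.example.test:8443": {"notBefore": "Mar  1 00:00:00 2023 GMT", "notAfter": "Mar  1 00:00:00 2026 GMT"},
    "shop.example.test:443": {"notBefore": "Apr  1 00:00:00 2025 GMT", "notAfter": "Apr  1 00:00:00 2026 GMT"},
    "printer.example.test:443": {},  # scan reached the host but captured no dates
}
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run

if __name__ == "__main__":
    for endpoint, status, detail in audit(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{status:<14}{endpoint:<28}{detail}")
```

The records without validity dates are reported as `UNKNOWN` rather than skipped, since an inventory gap is itself a finding a certificate audit should surface.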
These certificate management tools pave the way for a centralized, streamlined certificate management process within a one-stop interface, allowing organizations’ cybersecurity teams to boost productivity by 50%, slash the risks of service interruption by 90%, ensure compliance, and focus their time and efforts on other less repetitive tasks with greater added value.
Digitalberry’s team of cybersecurity experts provides complete certificate management software. BerryCert works like a hub for all your digital certificates, securing, centralizing, and automating your digital certificate management process. Get in touch with us for a free, bespoke demo of what BerryCert can do for you.