Earlier this month, Microsoft Teams went offline, courtesy of an expired security certificate. Users who attempted to log into their accounts were met with an error message informing them that the service could not establish a secure connection to Microsoft servers. This embarrassing mistake didn’t go unnoticed, causing an uproar of frustration from users, negative coverage in the media, and questions about how a company like Microsoft – which coincidentally provides Internal CA solution as part of its Operating system suite and tools to manage certificates – could neglect to renew a critical security certificate.
So, what happens when a certificate expires? The simple answer is that machines are no longer able to communicate over an encrypted HTTPS connection, leaving all communication completely unprotected. Each certificate has an expiration date – a point in time after which it is no longer considered to be ‘trusted’. It varies from a few weeks to a few years, averaging 1-2 years, as an industry best practice. Naturally, each certificate has its own validity period, and this is why keeping track of them on spreadsheets and homegrown tools is less than ideal, and leads to embarrassing and often costly outages.
An example of a very costly certificate-related mistake is a December 2018 outage of O2 and SoftBank’s phone service. Millions of phones were taken offline across UK and Japan, impacting users in a dozen countries. Ericsson, the maker of the equipment that caused the outage, acknowledged in a press release that the main issue was an expired certificate in the software versions installed with these customers. Ericsson apologized to the carriers and their customers, but O2 is still seeking up to £100m in damages, hoping to recoup at least some of money it is paying as compensation to its customers.
Certificate expiration issues are easily preventable, but most organizations lack the framework, processes, and tools to properly manage their digital certificates. A survey conducted by AppViewX confirms that outages are commonplace (65% of respondents faced between 1 and 10 certificate-related disruptions), but nearly half of all organizations continue to use spreadsheets and custom internally-developed tools for certificate management. Only 21% of respondents reported using dedicated CLM software like AppViewX.
AppViewX helps enterprise IT manage and automate the entire lifecycle of their internal and external PKI. We provide complete visibility into the certificate and encryption key infrastructure, which helps protect the enterprise from threats – and yes, costly and embarrassing mistakes. Plus, with AppViewX, application, network, and security engineers can self-service and initiate automation workflows, giving them control over certificates used in their devices.
To learn more about how AppViewX can help you automate your entire Certificate Lifecycle Management process, visit us at www.appviewx.com