Podcast listeners were recently unable to access and download their favorite episodes for more than eight hours due to an outage on Megaphone, a podcast hosting platform owned by Spotify, as reported by The Verge. According to Spotify spokesperson Erin Styles “Megaphone experienced a platform outage due to an issue related to our SSL certificate.” Though Megaphone was able to resolve the issues, the users faced delays with the Megaphone CMS.
The recurrence of such unfavorable events continues to shed light on a bitter reality that can’t be ignored. Certificate-related outages are often triggered by less-than-ideal methods of certificate monitoring and management. A study commissioned by AppViewX and conducted by Ponemon Institute reports that 64% of respondents mentioned that their organizations are unaware of the exact number of certificates due to a lack of a centralized inventory, and 41% of respondents noted that their organizations track certificates manually.
The major problem plaguing certificate management teams worldwide is the lack of proper information at the correct time. Whether or not it’s poor visibility of expiring/vulnerable certificates, or the inability to locate those certificates on time, such crucial information is usually improperly documented when manual or homegrown management methods come into play. Inevitably, this often leads to expensive certificate-related issues. And, the risks aren’t limited to non-compliant and undocumented certificates. The human errors can pave the way for misconfigurations, especially when teams take shortcuts to compensate for time-consuming business workflows.
Impact of Unexpected Certificate-Related Outages on Businesses
Poor user experience: Unexpected certificate-related outages could be detrimental to the reliability and availability of network services of the organization. The alarming browser notification displaying “the connection is not secure” and service inaccessibility arising due to expired certificates repel the users to leave the affected website. For public-facing websites, with daily traffic in the millions, outages of even a couple of hours could be synonymous with exorbitant losses and plummeting user experience.
Loss of revenue and business opportunities: Loss of revenue and opportunity go hand-in-hand with poor user experience. A user, unable to access company services, will be tempted to competitive offerings, thereby leading to customer churn and negatively impacting the revenue stream of the outage-affected organization.
Damaged company reputation: Poor user experiences, loss of customer trust and loss of business opportunities play a significant role in tarnishing the reputation of the organization facing outages. In light of this, the business impact of brand damage becomes obvious. A loss of public trust can be extrapolated to a lack of faith in the service as a whole, which brings with it a host of potential ramifications, including but not limited to: stock prices being slashed overnight, loss of shareholders backing, and difficulty in securing funding. An organization’s lack of effective strategies to strengthen security posture is also highlighted in the occurrence of such troublesome events.
Compliance issues and hefty fines: Multiple high-profile certificate-related data breaches have occurred in recent times, each bringing with them a flurry of compliance issues and heavy penalties. The General Data Protection Regulation (GDPR) requires organizations to implement data protection measures, including encryption for data protection against data losses or breaches. All organizations doing business in the EU must meet the compliance requirements of GDPR or else they are subject to hefty fines due to non-compliance.
The accompanying penalties notwithstanding, regulatory bodies also urge victims of data breaches to rethink their security strategies. Policy restructuring involves large investments sunk into consulting, auditing, and strategizing, as well as a significant commitment of time and manpower to effect, test, and implement.
Customer reconciliation: Outages and breaches often involve either an intermission of customer business or a situation in which their data is compromised, clumsily managed, or both. Organizations have both legal and moral obligations to fulfill when they’re responsible for security mishaps, like outages and data breaches. They’re usually pressured by regulatory bodies into providing monetary compensation to users (which, given the dimension of the customer base, could climb to the high millions). Many large organizations offer free services to their clients in an attempt to clear their names and reclaim lost trust. Both these reconciliatory measures incur no direct return and still lead to significant losses.
Exposure to security vulnerabilities: Expired certificates are the gateways to your organization’s network, and hackers rummage around for such easy to prey on vulnerabilities. Your network can be susceptible to a number of security threats, like phishing scams, SSL stripping attack, Poodle attack, FREAK attack, Raccoon attack, man-in-the-middle (MITM) attack, and advanced malware attacks.
Gain complete visibility into your certificate infrastructure to reduce the risks of outages
It would be beneficial if you had a tool to automatically build an inventory of all discovered certificates across all devices within the infrastructure, regardless of the certificate authority (CA) or device type. Critical certificate-related information like locations, associated applications, expiry dates, signatures, etc., should also be automatically captured. And, users can schedule periodic discoveries to maintain an updated inventory with new information on temporary and rogue certificates.
Establish ownership and access control
The underlying intent of creating an ownership and approval process is to guarantee that only authorized security personnel can access the certificate infrastructure and make necessary alterations. This process helps in eliminating the existence of undocumented or unapproved certificates with weak security standards, thereby mitigating the danger of an information breach.
Rogue and non-compliant certificates often find their way into infrastructure through two primary avenues – uncontrolled certificate procurement and insufficient policy enforcement. Users must be able to validate certificates against known vulnerabilities and flag non-compliant certificates continuously.
Dynamic reporting and auditing
A centralized dashboard view helps you get comprehensive knowledge about the certificate infrastructure, like certificate expiry by month, certificate expiry by certificate authority, certificate compliance, etc. You can customize this dashboard based on the information which is crucial to you and then convert the same into shareable reports that can be created as frequently as you choose. A well-formed report fed with accurate data is key to strengthening certificate management and protection.
While traditional management methods compel you to trust the device logs blindly for identifying malicious activities, a comprehensive auditing tool can help you establish a single source of valuable, authentic, and up-to-date information derived from all the device logs. With proper access control you can prevent unauthorized access and only administrators with ‘logging access’ can obtain exhaustive knowledge about the actions performed on the certificates.
Automated Certificate Lifecycle Management (CLM)
To prevent outages efficiently, reduce costs, and manage compliance requirements in a hybrid cloud or multi-cloud environment, you need a scalable and cost-effective solution that can provide you with enhanced visibility, control, and automation throughout the lifecycle of every certificate.
There has been an unprecedented explosion in the number of connected devices used today: ranging from cloud applications to the internet of things (IoT). Every system that is connected to the internet, or another system, requires at least one digital certificate to operate securely. Automation is pivotal in managing the various lifecycle stages of each certificate scattered across perimeter-less networks, like request, issuance, provisioning, scanning, and renewal/revocation. Automated CLM can help you set and and forget your manual process so you can eliminate outages like what Spotify experienced above.
How AppViewX can help?
Using a next-gen certificate lifecycle management solution like AppViewX CERT+ keeps your enterprise safe from certificate outages and helps you stay cryptographically agile.
AppViewX CERT+ simplifies the management of certificates and keys across various technologies like SSL/TLS, SSH, IoT, code signing, etc. in varied hybrid cloud and multi-cloud deployment environments. CERT+ natively supports a long list of devices and applications for certificate provisioning as well as all major public and private CAs for certificate enrollment. With the option to deploy it as a service with AppViewX CERT+ CLMaaS, you more quickly realize value of CLM automation for your organization.
Talk to an expert today to fortify your security posture against outages!