April 2016 | CIOReview
John Hermans

high profile incidents with (the misuse of) certificates. One of these is the so-called Heartbleed attack. Around half a million of the Internet's secure web servers certified by trusted authorities were vulnerable to the attack, allowing theft of the servers' private keys and passwords. This has arguably been one of the worst vulnerabilities in the history of the internet. Paradoxically, Heartbleed and other incidents have not been an effective wake-up call for businesses and public organizations to strengthen their safeguards around keys and certificates.

Many organizations even lack proper insight into their use of certificates. CIOs and CISOs often have no idea how many certificates their organization deploys in its communication with outside parties, and they are frequently astonished to learn how widespread the use of certificates is. One of the problems is that it is a jungle out there, with so many different and continuously evolving certificates. The best way to cope would be to streamline this jungle and to standardize the world of certificates. However, this seems to be a rather utopian thought.

What can organizations do to mitigate the risks arising from vulnerabilities in certificates?

The first step is to gain awareness of the importance of certificates and keys, and to gain insight into their nature and number. Currently, many organizations think they can manage their certificates by registering them in a spreadsheet. Ownership is unclear, and the updating processes tend to be box-ticking exercises. Once specialized tooling creates better visibility on this topic, this may all begin to change. Specialized solutions for managing this important aspect of security are capable of constantly assessing which keys and certificates are trusted, protecting those that should be trusted, and fixing or blocking the ones that are not. Not only is this an effective defense strategy against real dangers, it is also much more cost-effective than following manual procedures for certificate maintenance.

Last but not least: why is it essential to act? The obvious answer is to prevent security incidents and breaches from happening. The less obvious reason, but the more convincing one for many CEOs, is that managing certificates is a prerequisite for enabling new business concepts. In the heyday of the internet, we used to worry about the real identity of the humans using it. Many of us are familiar with the cartoon published in the New Yorker in 1993 with the famous caption "On the Internet, nobody knows you're a dog." Today this is still true, and the challenge is entering a new phase as a consequence of trends such as cloud computing and the internet of things. More than 20 years after this cartoon, we must also assess whether thermostats, fridges, cars, oil platforms and a variety of other devices are who they claim to be. In fact, all these devices may be dogs on the internet. If we have no idea about this, we have a huge problem in rolling out new business concepts. The case for using trusted certificates is strong: it is simply a matter of building trusted communication on the internet.
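The inventory-and-assessment step the article calls for, as an added example that is not part of the original article or of any product it alludes to: a small Go program using the standard library's crypto/x509 package that walks a PEM bundle, records subject, issuer, expiry and key size for every certificate, and flags the conditions a trust policy would act on (expired or soon-expiring certificates, RSA keys below 2048 bits, self-signed certificates, SHA-1 signatures). The two certificates it inventories are constructed inside the program as sample input; the hostnames, the 30-day renewal window and the 2048-bit minimum are assumptions chosen for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one row of the certificate inventory.
type CertRecord struct {
	Subject    string
	Issuer     string
	NotAfter   time.Time
	KeyBits    int
	SelfSigned bool
	Findings   []string // policy findings; empty means the certificate passed
}

// Assess applies a small trust policy to a parsed certificate. The thresholds
// (30-day renewal window, 2048-bit RSA minimum) are assumptions for this example.
func Assess(cert *x509.Certificate, now time.Time) CertRecord {
	rec := CertRecord{
		Subject:    cert.Subject.CommonName,
		Issuer:     cert.Issuer.CommonName,
		NotAfter:   cert.NotAfter,
		SelfSigned: cert.Subject.String() == cert.Issuer.String(),
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		rec.KeyBits = pub.N.BitLen()
		if rec.KeyBits < 2048 {
			rec.Findings = append(rec.Findings, "rsa-key-too-small")
		}
	}
	switch {
	case now.After(cert.NotAfter):
		rec.Findings = append(rec.Findings, "expired")
	case cert.NotAfter.Sub(now) < 30*24*time.Hour:
		rec.Findings = append(rec.Findings, "expires-within-30d")
	}
	if rec.SelfSigned {
		rec.Findings = append(rec.Findings, "self-signed")
	}
	if cert.SignatureAlgorithm == x509.SHA1WithRSA || cert.SignatureAlgorithm == x509.ECDSAWithSHA1 {
		rec.Findings = append(rec.Findings, "sha1-signature")
	}
	return rec
}

// InventoryPEM parses every CERTIFICATE block in a PEM bundle and assesses it.
func InventoryPEM(bundle []byte, now time.Time) ([]CertRecord, error) {
	var out []CertRecord
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other PEM objects in the same file
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		out = append(out, Assess(cert, now))
	}
	return out, nil
}

// constructedCert builds a self-signed certificate purely as constructed sample input.
func constructedCert(cn string, bits int, notBefore, notAfter time.Time) []byte {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleInventory runs the inventory over two constructed certificates at a fixed
// reference date: a weak one about to expire and a healthy one (hostnames are assumed).
func SampleInventory() []CertRecord {
	now := time.Date(2016, 4, 1, 0, 0, 0, 0, time.UTC)
	issued := now.Add(-365 * 24 * time.Hour)
	bundle := append(
		constructedCert("legacy.example.test", 1024, issued, now.Add(10*24*time.Hour)),
		constructedCert("api.example.test", 2048, issued, now.Add(400*24*time.Hour))...,
	)
	recs, err := InventoryPEM(bundle, now)
	if err != nil {
		panic(err)
	}
	return recs
}

func main() {
	for _, r := range SampleInventory() {
		fmt.Printf("%-22s issuer=%-22s bits=%d expires=%s findings=%v\n",
			r.Subject, r.Issuer, r.KeyBits, r.NotAfter.Format("2006-01-02"), r.Findings)
	}
}
```

Pointing InventoryPEM at a real bundle exported from a load balancer or trust store, rather than at the constructed input, turns the spreadsheet the article criticizes into a record that can be regenerated on every run; the Findings column is what a renewal or blocking workflow would act on.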