Management Mayhem, Part 2: Why Machine Identities Are Costing More than You’d Think
Tue, 11/13/2018 09:34
To understand the true cost of certificate management, let's consider the real-life process of requesting or renewing a digital certificate in a typical enterprise environment. We also need to look at how involved a given business or operations person is in this lengthy process.
It's fairly straightforward, really. A user will send a ticket (often in the form of an email or message) to the PKI team to request or renew a certificate. The PKI team sends them back a link or information on how to do that. They will usually need to generate a certificate signing request (CSR), which is often a detailed and confusing process. The average user is qualified to run a line of business, not a PKI, so they often won't know what a CSR is. So, they consult Dr Google, or seek advice from the Help Desk.
But that's just the beginning of the process. Once they finally learn how to generate a CSR, create one and send it to the PKI team, there is a high likelihood that it will be rejected due to a user error. The beleaguered requester then fixes the error and resubmits. (This may occur multiple times.)
Many take the shortcut of copying and pasting their last CSR, which will be accepted as valid. However, this will only generate a new certificate; it will not generate a new key pair, so the requester's system keeps using the same private key and remains just as vulnerable as before. The only possible upside to this less-than-ideal situation is that no one knows about this security policy breach, including the requester, as the certificate won't expire and create an outage. The certificate hides away and waits for its secret vulnerability to be discovered, most likely by someone who's actually looking for it, or who already found the keys previously (such as... I don't know... a cyber criminal?).
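The copy-and-paste shortcut described above can be caught mechanically at the PKI desk, before anything is issued: if the public key in the incoming CSR (or in the certificate that comes back from the CA) is identical to the public key in the certificate being replaced, no new key pair was generated and the renewal rotated nothing. The following shell script is an added example and is not part of the original post. It assumes an openssl command-line binary is on the PATH; the keys, certificates and CSR it checks are constructed on the fly under a temporary directory, and the file names (old.pem, pasted.csr, renewed_same_key.pem, renewed_new_key.pem) and the subject CN app.example.test are demo values chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): flag a renewal whose CSR or new
# certificate carries the same public key as the certificate it replaces.
# Assumes the openssl CLI is installed; all input files are constructed below.
set -eu

WORK="$(mktemp -d)"

# pubkey_fp KIND FILE: SHA-256 of the DER-encoded SubjectPublicKeyInfo in a PEM
# object. KIND is "x509" for a certificate or "req" for a signing request.
pubkey_fp() {
    openssl "$1" -in "$2" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# reuses_key OLD_CERT KIND NEW_FILE: exit 0 when the new CSR/certificate reuses
# the old certificate's key pair, non-zero when a fresh key pair was generated.
reuses_key() {
    [ "$(pubkey_fp x509 "$1")" = "$(pubkey_fp "$2" "$3")" ]
}

# check_renewal OLD_CERT KIND NEW_FILE: verdict a ticket-intake script can print.
check_renewal() {
    if reuses_key "$1" "$2" "$3"; then
        echo "REJECT  $3: public key identical to $1 (key pair not rotated)"
        return 1
    fi
    echo "ACCEPT  $3: fresh key pair"
}

# make_demo: constructed sample data. key_a is used for the old certificate, a
# pasted CSR and a "renewed" certificate; key_b is a genuinely new key pair.
make_demo() {
    for k in a b; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$WORK/key_$k.pem" 2>/dev/null
    done
    openssl req -new -x509 -key "$WORK/key_a.pem" -subj "/CN=app.example.test" -days 1 -out "$WORK/old.pem"
    openssl req -new       -key "$WORK/key_a.pem" -subj "/CN=app.example.test"         -out "$WORK/pasted.csr"
    openssl req -new -x509 -key "$WORK/key_a.pem" -subj "/CN=app.example.test" -days 1 -out "$WORK/renewed_same_key.pem"
    openssl req -new -x509 -key "$WORK/key_b.pem" -subj "/CN=app.example.test" -days 1 -out "$WORK/renewed_new_key.pem"
}

make_demo
check_renewal "$WORK/old.pem" req  "$WORK/pasted.csr"           || true
check_renewal "$WORK/old.pem" x509 "$WORK/renewed_same_key.pem" || true
check_renewal "$WORK/old.pem" x509 "$WORK/renewed_new_key.pem"  || true
```

Comparing the SubjectPublicKeyInfo rather than the CSR file as a whole also catches the variant where the requester regenerates a fresh-looking CSR from the old private key instead of literally pasting the old file; the key, not the request, is what has to change.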
But let's get back to the process. For an external certificate, the requester now needs approval before the CSR can be submitted to the CA provider for certificate generation. The requester may need multiple layers of approval for certain types of certificates or machine identities. As time is short, chasing approvals usually involves a call to the Help Desk.
Finally, the requester receives an email with a link to download the certificate, which involves entering a password that the requester submitted several days ago. At this point, they have probably forgotten the password and... call the Help Desk. At last, the requester gets a new password, downloads the certificate and they are all done.
Well. No, they are not quite done.
The certificate has to be manually installed somewhere in a key store. Is that in the application, on the physical device or on the operating system? The old certificate may expire before the requester understands this step, which will trigger an outage. Either way, they call the Help Desk. In an attempt to be helpful, the Help Desk will talk the requester through the step-by-step process or send them a set of complex instructions, which need to be deciphered and followed.
Finally, the certificate will be safely installed and hopefully activated. Maybe, due to inexperience, the requester has provided their privileged system access to a help desk person (who happens to be unauthorised) to troubleshoot for them. This shared privileged access is unlikely to be revoked, and never expires.
Now, let's look at the cost and productivity loss of this entire, convoluted process.
Productivity lost at the business layer: 1.5 hours up to 3 hours. Not tracked.
Cost of Help Desk time: 30 minutes up to 2 hours or more. Not tracked.
Cost of PKI desk time: 15-30 minutes. Most likely the only tracked cost.
In addition, time delays for approvals are most likely 24-48 hours, but I have many examples of 2 weeks for approval.
All of the above cost and productivity estimates exclude the hours that may be spent in war rooms solving unexpected certificate expirations, tracking down business owners who have changed positions (a very time-consuming problem to solve), identifying lost locations of certificate installation or unearthing locations where copies of the certificate have been placed.
All told, you could be looking at around 2-6 hours per certificate per year. At a conservative hourly rate of $75 for a fully burdened IT professional, you're absorbing a cost of up to $450 per certificate installation. And 25% of organizations have at least 10,000 certificates. So, you can easily anticipate hundreds of thousands of dollars wasted on manual certificate installation. But when you factor in certificates for cloud and DevOps, the number can reach millions.
Read my next blog to see how automating the certificate life cycle will help lower your costs to just a fraction of the amount we outlined above. Plus, you'll relieve your business line managers of a tedious burden.
In the first post in my Management Mayhem blog series, I wrote about how most CIOs don't realize the full scope of their machine identity environment and where it may be exposed. In this post, I'd like to look at why managing that environment may cost more than you'd ever imagine.
Most organisations measure only the direct cost of managing machine identities: that is, how many people they employ to renew, revoke, and approve certificate requests. But this approach is somewhat limiting and will give them a fiscal number that is far below their actual costs.