CIOs Raise the Alarm Over TLS Cert Security Risks

Three-quarters of global CIOs are concerned about the proliferation of TLS certificates and the growing security risks associated with them, according to a new study from Venafi.

The security vendor polled 550 CIOs from the US, UK, France, Germany and Australia to better understand attitudes to the certificates increasingly used to protect data flowing to trusted machines.

Digital transformation efforts have led to an explosion of TLS certs to protect modern computing systems, but in so doing, the manual or semi-autonomous processes used to keep track of them are no longer fit-for-purpose.

That can lead to large numbers expiring without the knowledge of IT, exposing the organization to risk. A previous Venafi study revealed that IT professionals on average each found over 57,000 TLS machine identities that they did not know they had in their businesses and clouds.

More than half (56%) of CIOs polled in the new study said they worry about outages and business interruptions due to these expired certificates.

The problem is only set to get worse: 93% of respondents told Venafi that they had a minimum of 10,000 active TLS certificates, while 40% said they have over 50,000 currently in use. However, nearly all (97%) of CIOs estimated that the number of TLS certificates used by their organization would increase at least 10-20% over the coming year.

Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi, claimed that CIOs are likely still underestimating the number of TLS machine identities they currently have in use.

“As a result, they are unaware of the size of the attack surface and the operational risks that these unknown machine identities bring to their organization. Whether it’s debilitating outages from expired certificates, or attackers hiding in encrypted traffic for extended periods of time, risks abound,” he argued.

“The only way to eliminate these risks is to discover, continuously monitor and automate the lifecycle of all TLS certificates across the entire enterprise network — and this includes short-lived certificates that are used in the cloud, virtual and DevOps environments.”