Your Fridge May be a Dog on the Internet
Let's assume your company is eager to embrace the next wave of growth, enabled by the Internet of Things, the emergence of cloud computing and the ever increasing connectivity of billions of internet users who are 'always on'. Question: What would be a quintessential challenge for succeeding in your strategy? Answer: being sure that you can trust these users and devices. That humans and devices actually are who they say they are. Why? Because we all understand the meaning of the internet meme saying 'On the internet, nobody knows you're a dog.' In the next ten years, trusted communication will be a key topic in business. Companies that act now by professionalizing the management of trusted certificates pave the way for controlled innovations and new business concepts.
"The case for using trusted certificates is strong: it's simply a matter of building trusted communication on the internet"
“PKI is dead.” This is what Gartner stated back in 2004 responding to the somewhat troublesome road to turn the internet into a trustworthy place. The challenge was huge: in fact, the grand design of the internet never intended to give users a digital identity. To warrant the identity of users and devices connected to the internet, companies and governments started building PKI's (Public Key Infrastructures) to overcome this problem.
Many years later, Gartner appears to have been wrong. Although the term PKI is not coined frequently, the underlying trend is clear. The ideas of the PKI are alive and kicking, be it in a bit of a different form than 10 years ago. Governments and businesses nowadays aim to solve problems surrounding confidentiality of communication and authentication by issuing certificates that act as digital passports. The use of these certificates is now supported in major security standards and integrated in many applications. These certificates are numerous and are in fact contributing to the original ideas of PKI. In short: PKI has been a strong silent trend in the last decade.
The case for using trusted certificates is strong: it's simply a matter of building trusted communication on the internet. However, as with all technologies, nothing is flawless and there are no panaceas to fight abuse or cybercrime. Hackers and other criminals use advanced methods to penetrate networks and systems and one of their objectives is to gain a trusted status, circumvent security controls and go undetected. By stealing and/or compromising keys and certificates, they can remain under the radar while penetrating these networks and systems. Therefore, keys and certificates nowadays are a prime target and criminals use these as the attack method of choice. However, many global enterprises and governments still put blind trust in these keys and certificates, without considering how to p r o p e r l y and manage these certificates in a structured way.
In recent years we've witnessed a number of high profile incidents with (the misuse of) certificates. One of these is the so-called Heartbleed attack. Around half a million of the Internet's secure web servers certified by trusted authorities were vulnerable to the attack, allowing theft of the servers private keys and passwords. This has arguably been one of the worst vulnerabilities on the internet in its history. Paradoxically, Heartbleed and other incidents haven't been an effective wake up call for businesses and public organizations to strengthen their safeguards around keys and certificates.
Many organizations even lack proper insights in their use of certificates. CIO's and CISO’s often have no idea how many certificates their organization deploys in the communication with outside parties. Often, they are astonished to learn about how widespread the use of certificates is. One of the problems is that it's a jungle out there with so many different – and continuously evolving – certificates. The best way to cope with it would be to streamline this jungle and to standardize the world of certificates. However, this seems to be a rather utopian thought.
What can organizations do to mitigate the risks arising from vulnerabilities in certificates?
The first step is to gain awareness on the importance of certificates and keys and to gain insight in their nature and number. Currently, many organizations think they can manage their certificates by registering them in a spreadsheet. The ownership is unclear. And the updating processes tend to be ticking the box exercises. Once there is better visibility on this topic – created by specialized tooling – this may all begin to change. Specialized solutions to manage this important aspect of security are capable of constantly assessing which keys and certificates are trusted, protecting those that should be trusted, and fixing or blocking the ones that are not. Not only is this an effective defense strategy against real dangers, it is also much more cost effective than following the manual procedures for maintenance on certificates.
Last but not least. Why is it essential to act? The obvious answer is to prevent incidents – security breaches – to happen. The less obvious – but more convincing for many CEO's – reason is that managing certificates is a prerequisite to enable new business concepts. In the heydays of internet, we used to worry about the real identity of humans using the internet. Many of us are familiar with the cartoon in the New Yorker – published in 1993 – with the famous quote "On the Internet, nobody knows you're a dog." Today, this is still true, with the challenge entering a new phase as a consequence of trends such as cloud computing and the internet of things. More than 20 years after this cartoon, we must also assess if thermostats, fridges, cars, oil platforms and a variety of other devices are who they claim to be. In fact all these devices may be dogs on the internet. If we have no idea about this, we have a huge problem in rolling out new business concepts.