Public key infrastructure is a critical element of the digital landscape. It's the technology behind digital certificates, which help secure everything from websites and smartphones to passports and credit cards.
Without digital certificates, almost everything you own would stop functioning. Phones would stop working. VPNs would fail to authenticate. Even smart refrigerators would stop operating.
Despite the importance of public key infrastructure (PKI), it remains a relatively unknown technology. While IT professionals and cybersecurity experts can tell you all about PKI, average technology users likely have no idea -- and, honestly, why should they? Business executives and organizational leaders are also generally unfamiliar with the term, despite the critical role it plays in organizational security.
As the digital ecosystem continues to expand and the number of certificates used by organizations skyrockets, it's more important than ever to understand the consequences of poor certificate management and how to prevent those consequences.
The rise of digital certificates
The number of digital certificates an organization manages varies. If you want to establish a baseline, each employee is likely responsible for at least three certificates: laptop, phone and user identity. An organization with 10,000 employees, therefore, has a minimum of 30,000 certificates to manage. That number is before accounting for web certificates, IoT devices, DevOps containers, industrial control systems and other assets PKI secures. For modern organizations, the number of private certificates can be pushed into the hundreds of thousands or even millions.
This exponential growth in use has made managing certificates a challenge. PKI is not a set-it-and-forget-it technology. Certificates need to be managed. Each certificate has a set life span, after which it must be renewed or revoked. Failure to renew a certificate can have serious consequences, as can failing to revoke a certificate that is no longer needed.
With so many certificates, manual management is no longer an option. A diligent employee could manage certificates with a spreadsheet when they numbered in the hundreds, but with those numbers reaching five, six and even seven digits, organizations must automate the process.
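An added example, not code from the article or from Sectigo, of the kind of check that replaces the spreadsheet: it reads the notAfter date straight out of each certificate's DER encoding using only the Python standard library and lists the certificates that are expired or fall inside a renewal window. The inventory names and the minimal certificate skeletons it parses are constructed here; a real run would load PEM or DER files from the estate instead.

```python
# Added example, not code from the article: a stdlib-only inventory check that reads
# notAfter straight out of a certificate's DER. The sample certificates are constructed.
from datetime import datetime, timezone, timedelta

def der_read(buf, pos):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length (real certs use it)
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value (SEQUENCE or [0]) into its child TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def not_after(der_cert):
    """Return notAfter of a DER-encoded X.509 certificate as an aware UTC datetime."""
    _, cert, _ = der_read(der_cert, 0)                 # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])    # tbsCertificate children
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    tag, raw = der_children(fields[3][1])[1]           # fields[3] is validity; [1] is notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def expiring(inventory, now, window_days=30):
    """Names of certs already expired or due within window_days, soonest first."""
    deadline = now + timedelta(days=window_days)
    due = [(exp, name) for name, c in inventory.items() if (exp := not_after(c)) <= deadline]
    return [name for _, name in sorted(due)]

def der(tag, body):                                    # short-form encoder for the sample only
    return bytes([tag, len(body)]) + body

def sample_cert(not_after_utc):
    """Constructed minimal certificate skeleton carrying just the fields parsed above."""
    utc = lambda s: der(0x17, s.encode())              # UTCTime YYMMDDHHMMSSZ
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"")
           + der(0x30, utc("240101000000Z") + utc(not_after_utc)))
    return der(0x30, der(0x30, tbs))

INVENTORY = {"vpn-gateway": sample_cert("250115000000Z"),      # constructed sample inventory
             "laptop-0042": sample_cert("260901000000Z"),
             "build-runner": sample_cert("241220000000Z")}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
```

Running `expiring(INVENTORY, NOW)` returns the already-expired build-runner certificate first, then the VPN gateway due within 30 days; the laptop certificate is not listed.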
The consequences of poor certificate management
Poor certificate management can destroy a business. To put it simply, if an organization fails to renew a certificate, something is going to stop working.
In modern network architecture, systems are constantly talking to other systems, and it isn't easy to know where a failure has occurred. Think of it like a string of old Christmas lights: One bulb burns out, but to figure out which one, you have to test each individual bulb on the string. PKI failures work the same way. They aren't going to flash with a light saying, "Certificate outage." The system simply won't operate, and it's up to you to figure out how and where an error has occurred.
Certificate outages have manifested in high-profile ways. Last year, Microsoft Teams went down due to expired certificates. A few years ago, European mobile provider O2 suffered an infamous certificate outage, resulting in massive network outages across the continent. In November 2021, an expired certificate took a number of Windows 11 features offline.
Information Technology Intelligence Consulting released a report in 2020 indicating 98% of firms estimated downtime costs more than $150,000 per hour, while 40% estimated an hour of downtime could cost more than $1 million. Large enterprises, such as Microsoft and O2, are able to manage these costs, but others cannot.
It's important to remember website downtime isn't the only consequence of a certificate outage. Even old-school businesses rely on digital certificates. If a pizza place's computer stops working, it stops delivering. If a barbershop can't make appointments, hair doesn't get cut. Even if an order goes through on an e-commerce site, a certificate outage on the back end could prevent a package from ever making it onto the truck. There are many downstream consequences to poor certificate management, making it difficult to quantify potential damage.
The importance of automation
Certificate automation isn't just about maximizing efficiency or making life easy for IT staff -- though it does those things. It's also about insulating your enterprise from the consequences of certificate outages, protecting your reputation and your bottom line, and ensuring a technology designed to protect you doesn't wind up ruining your business.
PKI is not widely known, but its impact is felt by every business and industry. Without PKI, the modern internet would be unable to function. Managing your PKI system is essential, and the failure to do so can have major consequences. Fortunately, automated certificate management options are more accessible than ever, and they can mean the difference between suffering a catastrophic failure and never having to think about PKI again.
Presented with the choice in those terms, most business leaders will choose the latter.
About the author
Tim Callan is chief compliance officer at Sectigo, where he is responsible for ensuring Sectigo's certificate authority practices comply with industry and regulatory requirements and the company's certificate practices. Callan has more than 20 years of experience as a strategy and product leader for successful B2B software and SaaS companies, with 15 years of experience in the SSL and PKI technology spaces.