Shadow IT + Digital Certificates = Ticking Timebomb
When your employees use software or hardware at work that your IT or security team is unaware of – that’s Shadow IT. Calling the use of these tools “unsanctioned” might be a bit strong, but either way, employees have neglected to go through the proper channels and notify the right parties.
There are risks associated with that.
In the IT world, when you ask someone “What is Shadow IT?”, the answers you get are going to vary quite a bit. Some in the industry refer to it as a threat; others are far more optimistic and advise organizations to embrace it.
And from some vantage points that might be true, especially if you’re one of the companies selling the products that are being acquired outside of the standard channels. That’s good for business. Of course you like that.
But when it comes to cyber security, things aren’t so rosy. Especially in the context of digital certificates, where Shadow IT can lead to unexpected expirations, operational downtime, loss of revenues and compliance penalties.
So, today we’re going to talk about Shadow IT, the bad things that can happen with shadow certificates and how you can avoid these problems entirely with good certificate management choices.
Let’s hash it out.
Is Shadow IT a good thing or a bad thing?
Beauty is in the eye of the beholder. If you’re the head of a security team or an IT admin, shadow IT is likely the herpes of your profession – you’ll never be able to completely get rid of it so your best bet is just to manage it as well as you can.
If you’re the head of a technology company like HP, you’re a bit more charitable.
“We embrace the idea of this shallow exploration of new technologies, new tools, and new processes by our users. To the degree that they discover these applications or services that make their jobs easier, that make them more efficient at selling or better at running a supply chain or better at sourcing talent, then everybody wins.”
Empowered users can quickly and easily get tools that make them more productive and help them interact efficiently with co-workers and partners.
According to McAfee, 80% of workers admit to using SaaS applications at work without IT approval. In fact, for many employees it’s not something they even think twice about.
Generally speaking, there are three kinds of Shadow IT applications:
- Cloud-based applications accessible from the company network
- Cloud-based applications accessible with OAuth tokens
- Off-the-shelf software that’s loaded into devices or systems
But that’s just applications. There’s also hardware, which can be anything from an employee’s personal phone to purpose-made tech that’s acquired to handle specific functions within an organization.
If the IT department or security team doesn’t know about it, it’s Shadow IT.
A digital certificate is more of a Shadow IT asset than hardware or an application. But it can be even more dangerous, because being unaware of even a single certificate opens the door to a whole range of potential dangers. We’ll get into what those are specifically in just a moment; for now let’s focus on this:
While it’s OK to be agnostic about Shadow IT in other contexts, when it comes to security certificates – it’s unequivocally a bad thing.
What can go wrong with digital certificates and shadow IT
For many organizations, the threat of certificate expiration seems fairly abstract until it rudely slaps them in the face. That’s usually jarring enough to make it come into focus. When you hear things like “operational downtime” or “lost productivity” it doesn’t mean much until you’re actually dealing with it.
Take a company like LinkedIn, for instance, which just had a certificate expire and knock out its link shortening service. That meant that anyone attempting to click a LinkedIn-shortened link received an error and couldn’t reach their intended destination. The downtime alone, given the amount of money LinkedIn makes each year, cost millions of dollars. And that doesn’t even get into all the pissed off customers who either couldn’t use the service, or were marketing with the service and couldn’t reach their own customers.
And that last part is difficult to quantify but on some level it boils down to trust. Trust is currency. Customers and business partners expect you to be open for business when you say you are. They trust your services to run smoothly – without interruption. When things don’t work that way, the trust starts to strain.
Again, you can’t quantify all of that.
Still, Keyfactor has attempted to. In a recent study, it polled hundreds of IT and security professionals and extrapolated the cost per organization over a 24-month period.
It starts to add up.
| Cost category (per organization, 24-month period) | Cost |
| --- | --- |
| Cost of unplanned outages due to certificate expiry | $11,122,100 |
| Cost of failed audits/compliance due to undocumented or poor key management | $14,411,500 |
| Cost of server certificate and key misuse | $13,423,250 |
| Cost of Code Signing certificate and key misuse | $15,025,150 |
| Cost of CA compromise or rogue CA for MITM and/or phishing attacks | $13,219,850 |
The problem with digital certificates is that it’s easy to lose sight of them when considering the bigger picture. For instance, you’re working on a priority project and you’re in the midst of the final crunch to hand it off – purely as a matter of utility, someone grabs a certificate and IT/Security never catches wind of it.
It’s totally understandable. And even four or five years ago it still wasn’t that big of a deal in the greater scheme of things. But now that digital certificate use has exploded and PKI has become such a critical component of the internet and networking in general – it can be catastrophic.
And when certificates expire, a lot of the policies and mechanisms you have in place to help security end up hamstringing your organization even more. Take for instance the US government shutdown that rang in 2019. Because federal websites are SUPPOSED to be on the HSTS preload list – which requires a secure connection in order to reach a website – as the shutdown continued and more certificates expired, those sites became completely unreachable for the duration of the certificate outage.
When a digital certificate, be it SSL/TLS or signing, was acquired outside of the standard channels and then expires, you are essentially sending your IT team on the PKI equivalent of a wild goose chase. With management and the C-suite breathing down their necks, they now have to locate the certificate that’s causing the problems, acquire a replacement, install it and make any configuration adjustments on the fly.
Would you like being summoned at 3 AM to perform the certificate rotation dance for an audience of executives and stakeholders? That’s probably not a grenade anyone wanted to jump on.
Again, it’s easy to let it happen. The point’s not to criticize anyone when it does – it’s to point out that it doesn’t need to happen in the first place.
Preventing Shadow IT certificates
In ancient Rome, companies used to keep track of digital certificates by carving serial numbers and validity dates into the flesh of an intern. Your internship ended when they ran out of space. Oftentimes, for proprietary reasons, the records needed to be shredded afterward, which proved… problematic.
Today, we have advanced well beyond those primitive certificate management systems, yet many organizations are still sacrificing the unpaid at the X.509 altar of the PKI gods. Certificate management has literally never been easier.
And frankly, enterprise customers are the biggest winners in all of this. Nowadays, organizations have their choice of certificate management platforms run by the CAs themselves, like you see with Sectigo Certificate Manager or DigiCert’s CertCentral platform. Or you can go with a third-party platform like Venafi or Key Manager Plus, which affords you access to multiple CAs through a single unified interface or module.
Using one of these tools, defending against Shadow IT certificates is extremely straightforward.
Scan and Inventory
Configuring a certificate management solution varies by platform; some can be set up in just a few clicks while others may require the provider to assist you. Either way, once your certificate management solution is up and running, scanning and inventorying your network is quick and easy.
Simply specify the domains, IP addresses or networks you want to scan and your management tool will do the rest. It will find every certificate currently residing on your network and document them all. In some cases you can even get the location they’re stored at. You can scan at regular intervals – daily, weekly, monthly – though it’s not recommended to go any longer between scans than that (even a month between is pushing it).
Once you’ve finished scanning, you should have a listing of all your digital certificates viewable from your dashboard. This is what we’re referring to when we discuss visibility. As the great Yogi Berra once said, “If you can’t see it, you can’t renew it on time.”
Automation is your friend when it comes to certificate management; after all, it would take a lot of time and work to handle all of those certificates manually. This is true even with only a handful of certificates. At scale it’s almost a requirement.
There are multiple ways to automate. Lots of organizations like to use Microsoft CA and Active Directory, which can be managed via a platform like Sectigo Certificate Manager.
More and more CAs are also beginning to support the ACME protocol, which allows you to install a client/agent on a server and completely automate all certificate requests, renewals and revocations. DigiCert, Sectigo, Let’s Encrypt and myriad other CAs support ACME, and the client can be configured to check in with the CA’s servers at regular intervals. We went in-depth on ACME a few weeks ago. It’s great. Just set it and forget it.
Escalating Notifications FTW
Just because you’ve automated things doesn’t mean you shouldn’t still be kept abreast of what’s happening. Notifications facilitate this. One of the first things you should do when making certificate management decisions is create a security policy that governs who has permission to do what.
Part of that policy should be a notification structure that continues to loop in other, higher-situated stakeholders as it escalates. 60 days before expiration you may just want to send notifications to your IT admins, but as that expiration date inches ever closer, more and more people need to be made aware of it. All the way up to the C-suite if needed.
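As an added example (not code from this article or from any of the platforms it names), here is the scan-and-inventory step and the escalating notification policy in one Python script: a live TLS probe that reads a certificate’s expiry, a comparison of scan results against the sanctioned inventory to flag shadow certificates, and an escalation ladder that widens the notification list as expiry approaches. The 60-day IT-admin tier is the article’s; the other tiers, hostnames, owners and dates are constructed.

```python
# Shadow-certificate triage (added example, not from the article): compare what
# a TLS scan found with the certificates IT knows about, then work out who must
# be notified as each expiry approaches. Hosts, owners and dates are constructed.
import socket, ssl
from datetime import datetime, timedelta, timezone

# Escalation ladder: (days before expiry, who is looped in from then on).
# The 60-day IT-admin tier is the article's; the other tiers are assumed.
ESCALATION = [(60, "it-admins"), (30, "it-manager"), (14, "security-lead"), (7, "c-suite")]

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> "datetime | None":
    """Live scan of one endpoint: the leaf certificate's notAfter in UTC, or None
    when the chain fails validation (expired, untrusted, name mismatch), which is
    itself a finding. Needs network access, so the offline demo below skips it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError:
        return None
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)

def recipients(days_left: int) -> list:
    """Everyone whose threshold has been crossed; the list only ever widens."""
    return [who for days, who in ESCALATION if days_left <= days]

def triage(scan: dict, inventory: dict, today: datetime) -> dict:
    """scan: host -> notAfter found on the network; inventory: host -> owning team.
    Seen on the network but missing from inventory == shadow certificate."""
    report = {"shadow": [], "expired": [], "notify": {}}
    for host, not_after in sorted(scan.items()):
        days_left = (not_after - today).days
        if host not in inventory:
            report["shadow"].append(host)
        if days_left < 0:
            report["expired"].append(host)
            continue
        if to := recipients(days_left):
            report["notify"][host] = {"days_left": days_left, "owner": inventory.get(host, "unknown"), "to": to}
    return report

def demo_report() -> dict:
    """Offline walk-through on constructed scan results and inventory."""
    today = datetime(2024, 1, 1, tzinfo=timezone.utc)
    scan = {"www.example.com": today + timedelta(days=200), "api.example.com": today + timedelta(days=45),
            "legacy.example.com": today + timedelta(days=5),  # nobody in IT has this one on record
            "old.example.com": today - timedelta(days=2)}
    inventory = {"www.example.com": "web-team", "api.example.com": "platform-team"}
    return triage(scan, inventory, today)
```

In the constructed data, `legacy.example.com` is both a shadow certificate and five days from expiry, so it lands on every tier up to the C-suite, while the already-expired `old.example.com` is reported separately because no warning can help it anymore.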
If nobody knows, nobody can fix the problem. If everyone knows and nobody fixes it, that’s an organizational culture issue and no amount of expertise from us, nor even the best certificate management tools can help with that.
Usually it’s the former though. The organizations just don’t know. And while we can’t earnestly find fault with making that kind of mistake – it happens – the ensuing consequences don’t account for whether it was accidental or not. They hit your bottom line just the same.
As always, leave any comments or questions below…