Fighting the Hidden Costs of SSL
Brendon J. Wilson – Director of Marketing, PGP TrustCenter Division
Last year, online shoppers spent over $150B in online transactions in the US alone – it wasn’t long ago that the lack of transaction security would have made these revenues inconceivable. Today, the security provided by the Secure Sockets Layer (SSL) protocol not only enables organizations to collect payments on the web, but also to securely communicate sensitive business information to partners, and to deliver internal network resources to remote workers.
As the global recession continues, SSL provides organizations a way to thrive despite the financial downturn by enabling businesses to expand market reach, to streamline costs, to tap far-flung resources, and to explore new revenue opportunities. Tapping these opportunities requires SSL certificates from trusted certificate authorities, such as PGP Corporation’s new PGP TrustCenter division, to enable transparent and secure communications. However, the increased revenues and effortless secure communications promised by SSL come with several hidden costs when not managed properly:
- Certificate costs: When facing tight deployment deadlines, many organizations choose to make a quick “one-off” certificate purchase. However, purchasing individual certificates is one of the most expensive ways to buy SSL certificates, with an individual certificate purchased via a retail certificate authority costing up to 60% more than those purchased in bulk.
- Management and compliance overhead: Maintaining a heterogeneous population of SSL certificates increases the effort required to procure and manage SSL solutions. Administrators duplicate efforts to obtain certificates and negotiate multiple procurement systems. Without a unified view of certificates in use, administrators also have to expend additional time to ensure compliance with security mandates – or risk fines, data breaches, or loss of the right to operate.
- Service interruptions: According to Netcraft, almost 10% of SSL certificates on public-facing servers are expired at any one time. In many organizations, the individual who purchases a certificate may not be with the company when that certificate finally expires. This can potentially cause costly downtime to critical services for partners and employees, and lost customer revenues. In environments subject to regulations, such as PCI, an outage can also throw an organization into non-compliance, resulting in fines, or exposure of sensitive information.
- Opportunity costs: When an organization wants to scale a service that relies on SSL, it may face unanticipated delays in procuring additional certificates. In the simple case, the organization may not have anticipated the expenditure, and must wait for budget approval. In cases where the service in question requires a high-security certificate, such as an Extended Validation (EV) SSL certificate, the Certificate Authority’s process to confirm the organization’s identity will prolong the procurement process. Unanticipated delays not only cost the organization time, but also revenues, competitive advantage, and the flexibility required to adapt quickly to a changing market.
To combat these hidden costs, organizations need to adopt a more strategic approach to procuring their SSL certificates. To do this, organizations need a certificate management solution that enables them to:
- Inventory certificates: The first step to combat these hidden costs is to identify all of the certificates in use within an organization. An enterprise-ready certificate management solution can identify SSL certificates in use, regardless of the Certificate Authority responsible for issuing the original certificate. Inventorying certificates allows an administrator to not only identify certificates used by both the organization’s public and internal servers, but also to identify expired, obsolete, or improperly installed certificates.
- Consolidate certificate management: A centralized certificate management solution allows organizations to avoid the time and effort overhead associated with managing certificates obtained from a variety of providers. Using a single console to procure and manage certificates not only eliminates this costly overhead, but also enables an organization to purchase certificates in bulk at significant discounts. Advanced certificate management solutions can also pre-vet an organization to streamline the procurement process and reduce the time required to obtain a high-security certificate.
- Delegate certificate administration: Consolidating certificate procurement shouldn’t require the responsibility for managing certificates to fall to a single administrator. Instead, a mature certificate management solution allows the organization to separate administrative duties, and delegate procurement, renewal, revocation, and other certificate management tasks to match the organization’s existing resources and processes.
- Monitor ongoing usage: Detailed reporting is a necessity to enable an organization to maintain the protection provided by SSL certificates. Not only does ongoing reporting allow an organization to avoid unexpected certificate expiration, it also allows the organization to monitor the state of deployment and plan annual budget allocations.
- Report on compliance: In addition to preventing an outage, an organization needs to be able to accurately demonstrate the state of protection it has put in place. Centralizing and consolidating certificate management allows an organization to easily generate reports to support regular audit compliance activities.
For organizations working to protect their data, their customers, and their businesses, the security provided by SSL is only the starting point – visionary enterprises will consider the need to protect other data and applications. To do this, organizations should seek solutions that allow them to unify management of certificates and encryption keys used across their organization to secure and authenticate documents and email communications, or even protect access to network resources. Centralized management will not only reduce the costs of deploying these security solutions, but also the complexity of managing and maintaining after deployment.