Microsoft's Azure outage highlights deeper problem of certificate management

Majority of enterprises do not know how many keys and digital certificates they have, survey finds

Microsoft (Nasdaq: MSFT) said on Saturday that its Windows Azure cloud platform had returned to normal after it was hit by worldwide outages on Friday due to an expired secure sockets layer (SSL) certificate.

On Friday, Microsoft announced: "We are experiencing an issue with Storage Worldwide and this is impacting all dependent services. We are actively investigating this issue and working to resolve it as soon as possible. Further updates will be published to keep you apprised of the situation."

On Saturday, Microsoft published an update: "Access Control has been fully recovered after the updated SSL cert has been deployed on the affected Storage clusters in the sub-region. We apologize for any inconvenience this causes our customers."

Microsoft said it would refund Azure customers for the outage. "Given the scope of the outage, we will proactively provide credits to impacted customers in accordance with our SLA. The credit will be reflected on a subsequent invoice," Steven Martin, general manager with Windows Azure business and operations, wrote in a blog.

When even a huge IT company like Microsoft does not know an SSL certificate is about to expire, it is clear there is a widespread problem with certificate management, a problem that leads not only to outages but also to security breaches by hackers.

Enterprises rely on encryption keys and digital certificates to ensure that communications and transactions conducted across the Internet and within their networks are trusted, private and compliant with regulations.

According to a recent study by certificate management firm Venafi and the Ponemon Institute, large enterprises are expected to lose $35 million over the next 24 months due to compromised keys and certificates, based on a survey of 2,300 Global 2000 enterprises in the United States, the U.K., Australia, France and Germany. This figure is based on a total possible cost exposure of $398 million per enterprise, according to estimates made by the Ponemon Institute.

Ponemon looked at costs from four perspectives: support costs, effect on productivity, effect on revenue loss and effect on brand and reputation from poorly managed keys and certificates, explained Larry Ponemon, chairman of the institute that bears his name. "This is a costly problem if an organization's keys and certificates get hit," Ponemon told FierceEnterpriseCommunications.

More than half of the Global 2000 firms surveyed by Ponemon did not know how many keys and digital certificates they had in their organization.

"The digital world is predicated on the notion that things trust one another… One of the fundamental building blocks of this trust are these keys and certificates," Jeff Hudson, CEO with Venafi, told FierceEnterpriseCommunications.

"There is not a lot of attention paid to managing this trust… because the guys at the higher levels don't really understand it," Hudson said.

Respondents identified the top threat to trust in their enterprise as the theft of a secure shell (SSH) key in an organization. All surveyed enterprises suffered at least one attack on trust due to failed key and certificate management, according to the survey.

When more than half of Global 2000 enterprises do not know how many keys and certificates they have, the scope of the problem becomes evident. The fact that Microsoft did not know one of its certificates was about to expire and therefore did nothing to prevent the Azure outage further highlights the problem.

