Digital trust is what enables us to build, participate in and grow the connected world that we now live in. It allows us all to have confidence that the things we are doing online — whether interactions, transactions or business processes — are secure.
In Digital Trust as an IT Imperative, we talked about the four building blocks of digital trust:
But what constitutes digital trust success? And how do you measure it?
Within IT departments, there can be multiple stewards of digital trust, among them: PKI administrators, identity and access managers, and information/product security architects. Each of these IT departments has metrics that measures success — or a path to success — of digital trust initiatives. And some of these metrics make it to the boardroom, underscoring the importance of digital trust to business objectives.
These metrics may fall in four core areas:
What is being measured: Outages caused by unintended certificate expiration are highly visible, particularly if they occur in mission-critical systems. Outages can have multiple causes. They can occur due to oversight, particularly if certificates are tracked manually. They can be caused by human error, due to incorrectly configured certificates. Or they can be caused by rogue activity, that is, ungoverned certificates purchased outside of the purview of IT management.
Metrics can include:
Who is measuring it: Outages affect multiple groups, but are meaningful to IT operations, site reliability engineering, and application engineering.
How to address: Methods to reduce the number of or potential for outages can include centralizing certificate management and automating certificate renewal.
What is being measured: Adoption is also a key metric. Are users installing certificates where they are needed? Are they calling tech support for configuration help? Are certificate issues keeping employees from being productive on onboarding or creating security gaps between employee departure and system access revocation?
Metrics can include:
Who is measuring it: These kinds of considerations are important to identity and access managers responsible for system access and provisioning of services such as VPN, wireless or email security. They may also be important metrics for centralized IT operations serving the needs of IT departments in other business units or subsidiaries.
How to address: IT professionals view automation as a key strategy for addressing adoption, usability and security concerns. Automation can make credential provisioning and management invisible to the end-user and seamless with onboarding and offboarding, improving adoption rates, reducing tech support load and eliminating provisioning gaps.
Adoption | Usability | Time to provision/revoke | |
Before automation | Low | High tech support load, errors | Delays |
After automation | 100% | Invisible to the user | Immediate |
What is being measured: IT professionals tasked with vulnerability management may be concerned about crypto-agility — the ability to respond to threats or to prepare for changes in compliance or cryptographic standards. These professionals require a comprehensive view of cryptographic assets and their associated vulnerabilities or cryptographic profiles.
Metrics can include:
Who is measuring it: Security operations, IT operations and information security professionals who need to respond quickly to threats can benefit from a centralized cryptographic asset inventory delivering visibility and control over their environment.
How to address: Discovery tools that inspect and inventory the cryptographic assets in a company’s environment can provide a centralized repository. Vulnerability assessment tools provide security ratings and identify out-of-date algorithms to prioritize remediation. Automation tools can help speed desired remediation or streamline response to compliance changes.
What is being measured: IT professionals concerned with risk may be concerned about compliance, privileged access, attack surfaces, threat intelligence and trust indicators.
Metrics can be defined as key risk indicators that track risk posture and tolerances in one or more of these areas.
Who is measuring it: IT departments focused on systems, application or network engineering; security operations; IT operations.
How to address: Tools governing authentication, privileged access, network inventories and monitoring can support the objectives of these teams. Strategies to prevent rogue certificate purchases can also play a role. Certification Authority Authorization (CAA) domain locking can prevent purchase of rogue certificates, which can play a role in man-in-the-middle attacks.
CT log monitoring can be an effective means of monitoring for the presence of rogue certificates in corporate networks.
Some IT professionals note that they are most successful when digital trust metrics are kept out of the board room — meaning there are no outages caused by unintended certificate expiration, credential provisioning is automated, Key Risk Indicators are within stated tolerances, and cryptographic vulnerabilities are addressed in a timely way. However, to achieve this objective, strategies that reduce outages, improve adoption, streamline operations, maintain compliance and reduce risk are paramount. Executive leaders may wish to review metrics that show progress towards these goals.
Bringing in a partner who is an expert in digital trust, such as DigiCert, can be a highly effective way to manage digital trust objectives. In addition to its robust digital trust portfolio and active engagement in standards bodies, DigiCert’s support provides companies with someone to lean on for emergency resolution, minimizing downtime and keeping metrics on track for success.
Want to learn more about DigiCert’s platform for digital trust? Email us at pki_info@digicert.com for more information or to set up a sales consultation.
Get the IDC whitepaper Digital Trust: The Foundation for Digital Freedom | DigiCert to read more about digital trust—what it is, how it works, and why it must be a strategic initiative for any organization, including yours.