Looking for the latest stats and info about public key infrastructure? Look no further.
74%. That's how many organizations report not knowing how many keys and certificates they have. This unsettling statistic was reported in the latest data from The Impact of Unsecured Digital Identities, a new public key infrastructure (PKI)-focused research study by the Ponemon Institute and KeyFactor.
Last year, KeyFactor and the Ponemon Institute joined forces to publish a study on public key infrastructure. This year's publication is chock full of goodies and valuable insights on PKI as a whole. In early March, Chris Hickman, chief security officer at KeyFactor, and Larry Ponemon, chairman and founder of the Ponemon Institute, shared key insights from the study during a webinar. And in this year's report, they included something new: the Critical Trust Index. This 16-question core competency measurement aims to help businesses measure their certificate management capabilities, the effectiveness of their PKI efforts, and their agility and growth.
It's a great study, one we'll definitely quote cybersecurity statistics from throughout the year. But what makes it so good? The items highlighted in the study are the ones we see every day from our clients across multiple industries, both good and bad.
So, what can the results of this study tell you, and how can it help you make informed decisions for your own PKI? And who was involved with the study?
Let's hash it out.
The study, sponsored by our friends at KeyFactor, was independently conducted by the Ponemon Institute, both of which are well-known names within the industry.
The data in the study comes from the survey responses of 603 IT and infosec professionals from across North America. The majority of the respondents (61%) reported their positions as supervisor or above, and another 30% indicated that they are at the staff/technician level. The majority are from large enterprises, with 64% of the respondents indicating that they work for organizations with at least 5,001 employees.
The participants were asked to respond to a series of questions relating to cybersecurity threats, strategies, budgets, certificate management, compliance, and financial impacts relating to several of these areas.
From a 30,000-foot perspective, the current mechanisms for securing and managing digital certificates and cryptographic keys are lacking. Many companies lack the personnel and technical resources, budgets, procedures, or policies to effectively support public key infrastructure. As such, this leaves organizations open to significant risks from a variety of cybersecurity threats the world over.
But no matter how challenging it can be, IT security and information security practitioners alike know that public key infrastructure is critical to organizations. After all, PKI helps organizations to increase trust with end users and clients (their web browsers) alike through authentication and encryption. As certificate lifespans shrink and threats continue to evolve, the risk that your organization will be impacted increases with them.
But how important is PKI in the eyes of the C-suite executives above them? Let's find out as we glean insights about this topic and others relating to the PKI ecosystem.
Perception and reality are frequently two different things, and this is particularly the case regarding how PKI tasks and IT security challenges are handled. Probably the biggest takeaway the study highlights is the tremendous gap in confidence between the responses of the technical guardians within an organization and those of the executive leadership above them.
"In that data alone, it showed us very significantly how the problems of managing these types of critical assets in the organization, from the practitioners to the executives, differ when asked the same questions," Hickman said in the webinar on the study.
Their observation made them question why there's such a difference in the landscape between these different ranks within an organization. Executives tend to be significantly more optimistic in their responses than their staff/technician counterparts, averaging 6.2 on a 1-10 scale, versus staff/technicians, who have an average confidence rating of 3.7. This is particularly true concerning issues relating to managing critical assets.
These responses demonstrate why challenges might exist within organizations: leaders think issues are being handled or resolved, and practitioners are struggling to keep up with the never-ending demands.
As with any organization and tasks, communication is key. There needs to be clear communication and transparency about the situation. If there are deficiencies, insufficient resources, or other challenges, everyone needs to be on the same page.
Don't sugarcoat things. Be open and honest about PKI and IT security-related issues that exist within your organization. Make your leadership aware of any challenges and offer recommendations and solutions to address the issues. Most importantly: Learn to speak their language.
One suggestion from Hickman and Ponemon shared during the webinar comes from Gartner:
"Security leaders that successfully reposition X.509 certificate management to a compelling business story, such as digital business and trust enablement, will increase program success by 60%, up from less than 10% today."
Essentially, executives want to know the bottom line costs involved and how circumstances will affect the operation and organization as a whole. Don't speak technical mumbo-jumbo. Give them what they want while still pushing for the resources you need by changing how you frame the situation.
Listen to your experts. Listen to understand and not to reply. Recognize that they're humans and that the industry and cyber threats are continually changing. The threats we face today aren't necessarily the same as those we'll face in the future. Be flexible and open to change. If you want to protect your organization, don't put off investing in your cybersecurity infrastructure and resources until tomorrow. Commit to making those changes today.
According to the report, 60% of respondents believe they have more than 10,000 certificates in use across their organization. That's a lot of cats to herd. Interestingly, though, the respondents aren't all that confident in their estimates: 74% indicate that they have no clue how many certificates and keys they actually are using for certain.
So, what do all of these statistics have in common? A lack of certainty (and clarity), for one. That's because these organizations lack visibility into their PKI certificate management. Essentially, they don't know:
This lackadaisical approach is kind of like trying to run a restaurant without any clue about who's responsible for what and how it's all getting done. For a restaurant to work, you need to know who's ordering the supply deliveries, who's making the food, whether the food that's available to serve to customers meets certain quality and hygienic standards (it hasn't expired), and who's serving it.
If you don't know these things because you lack visibility within your operation, then, frankly, you're not going to be in business for very long.
Honestly, this finding that organizations have a lack of visibility into their PKI doesn't strike me as surprising. After all, a lack of visibility is an ongoing issue for many organizations within the industry as a whole and was also an issue in their previous study from 2018. But what does surprise me a little is that the organizations are willing to admit that they lack this visibility and that it continues to be an ongoing issue.
According to their data, 55% of surveyed organizations said they had four or more certificate outages over the last 2 years! And 73% said that their organizations still experience unplanned downtime and outages due to mismanaged digital certificates.
So, what can be done to help you address this lack of visibility and poor certificate management within your organization?
Here at Hashed Out, we're all about helping our readers avoid common PKI certificate management mistakes. One of the things we always emphasize is the importance of having visibility over your PKI. An issue that many admins have is that they're trying to manage their keys and certificates using manual methods such as Excel spreadsheets. This is not only clunky and cumbersome, but it leads to a variety of issues.
One such example is shadow IT certificates. If you're not the only person in charge of installing, renewing, and managing X.509 digital certificates, then some certificates can get installed that you don't know about. And certificates that you may have installed yourself may fall through the cracks and expire without your knowledge. And you can't effectively manage what you don't know you have.
Using a reliable and reputable certificate management solution can help you to avoid this issue. The best certificate management tools enable you to:
This provides you with full visibility of your public key infrastructure. Considering that many organizations believe they have at least 10,000 certificates, you can see how trying to manually manage these assets is virtually impossible.
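As an added illustration of the visibility check a certificate management tool performs (example code written for this page, not code from the original post or from KeyFactor): the script below reconciles a constructed "spreadsheet" inventory against constructed scan results in the record format returned by Python's `ssl.SSLSocket.getpeercert()`, flagging shadow certificates, unreachable hosts, unexpected reissuance, unapproved issuers, and expired or soon-to-expire certificates. The host names, issuer names and fingerprints are made up.

```python
"""Reconcile a certificate inventory against what a TLS scan actually found.

Scan records use the dict shape returned by ssl.SSLSocket.getpeercert(), plus a
'fingerprint' the scanner adds (SHA-256 of the DER certificate), so output from a
real scan can be fed in unchanged. All data below is constructed sample data.
"""
import ssl
from datetime import datetime, timedelta, timezone

# Constructed: what the spreadsheet says is deployed (host -> expected fingerprint).
INVENTORY = {
    "www.example.test": {"fingerprint": "AA:11"},
    "api.example.test": {"fingerprint": "BB:22"},
    "legacy.example.test": {"fingerprint": "CC:33"},
}

# Constructed: what a scan of the network found, in getpeercert() format.
SCAN = {
    "www.example.test": {
        "subject": ((("commonName", "www.example.test"),),),
        "issuer": ((("commonName", "Example Public CA"),),),
        "notAfter": "Sep 30 23:59:59 2020 GMT",
        "fingerprint": "AA:11",
    },
    # Renewed by someone else: fingerprint no longer matches the inventory.
    "api.example.test": {
        "subject": ((("commonName", "api.example.test"),),),
        "issuer": ((("commonName", "Example Public CA"),),),
        "notAfter": "Apr 20 12:00:00 2020 GMT",
        "fingerprint": "BB:99",
    },
    # Not in the inventory at all: a shadow certificate from an internal CA.
    "dev.example.test": {
        "subject": ((("commonName", "dev.example.test"),),),
        "issuer": ((("commonName", "Corp Internal CA"),),),
        "notAfter": "Mar 15 00:00:00 2020 GMT",
        "fingerprint": "DD:44",
    },
    # legacy.example.test did not answer, so it has no scan record.
}

APPROVED_ISSUERS = {"Example Public CA"}
NOW = datetime(2020, 4, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility


def rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def not_after(cert):
    """Expiry of a getpeercert() record as an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reconcile(inventory, scan, approved_issuers, now, warn_days=30):
    """Compare the inventory with scan results and bucket every discrepancy."""
    findings = {k: [] for k in ("shadow", "unreachable", "fingerprint_drift",
                                "unapproved_issuer", "expired", "expiring")}
    # In the inventory but not seen on the wire: decommissioned, or down?
    findings["unreachable"] = sorted(inventory.keys() - scan.keys())
    for host, cert in sorted(scan.items()):
        if host not in inventory:
            findings["shadow"].append(host)
        elif inventory[host]["fingerprint"] != cert["fingerprint"]:
            findings["fingerprint_drift"].append(host)
        if rdn_value(cert["issuer"], "commonName") not in approved_issuers:
            findings["unapproved_issuer"].append(host)
        remaining = not_after(cert) - now
        if remaining <= timedelta(0):
            findings["expired"].append(host)
        elif remaining <= timedelta(days=warn_days):
            findings["expiring"].append((host, remaining.days))
    return findings


if __name__ == "__main__":
    for bucket, hosts in reconcile(INVENTORY, SCAN, APPROVED_ISSUERS, NOW).items():
        print(f"{bucket:18} {hosts}")
```

Every host in the "shadow", "fingerprint_drift" or "unapproved_issuer" buckets is a certificate the inventory never knew about or no longer describes correctly, which is exactly the blind spot the survey respondents are admitting to.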
We get it. Everyone's busy and, frankly, there just aren't enough hours in the day to handle every task that comes our way. But that doesn't change the importance of having a specific team or department that's responsible for handling essential tasks.
Despite this need, study respondents indicate that digital certificate budgets and responsibility ownership are lacking. The tasks, responsibilities, and budgetary requirements associated with certificate management are oftentimes spread among various departments within different organizations. Essentially, there's no clear center of excellence for cryptography.
Their findings also report that only about a third (38%) of organizations claim to have the human resources dedicated to their PKI deployment. Part of this might be because of stagnant cybersecurity budgets in comparison to the industry's growing costs, or it could be related to the challenges companies report facing in terms of hiring and retaining talent.
Organizations represented in the KeyFactor/Ponemon Institute study reported spending only 16% of their budgets on PKI. That's approximately $3 million from the reported average IT security annual budget of $19.4 million! And they also discovered that the responsibilities and ownership are frequently spread among other departments:
In the U.S., we're experiencing some of the lowest unemployment levels in more than two decades. The U.S. Bureau of Labor Statistics (BLS) reports that for college grads, the unemployment rate is at 2.0% and 3.8% for high school graduates as of January 2020. We're experiencing the lowest unemployment rates in IT security and technology, which is literally at 0%, according to Cybersecurity Ventures.
While this is great for jobseekers, it's not as great for organizations looking to hire them. Why? Because it would imply that there's a greater demand for skilled workers than there are people looking for jobs. This means that businesses and organizations are competing for talent. So, what can you do to combat growing workloads when you have static resources?
Some organizations are turning to automation and the use of artificial intelligence (AI). Automation can help reduce the load on your staff and augment their capabilities by eliminating the menial tasks from their workloads. AI can take on predictive analytics, language processing, authentication, and log analysis to identify anything unusual. Using AI helps to free up your employees so they can focus some of their attention on higher-level priorities and tasks.
One example of automation in PKI is a certificate management solution. You can use this tool to gain visibility into your PKI and discover shadow certificates. It's also invaluable in terms of helping your team effectively manage all aspects of the certificate lifecycle and avoid certificate expirations, which Gartner estimates can cost an average of $300,000 per hour.
SSL/TLS certificates are a must for any ecommerce business (or any website, really, that wants to rank on Google and other search engines). And as more organizations readily adopt PKI solutions, it means there are more keys and digital certificates to manage. Using certificate management tools and other automation solutions can help you to not only streamline your operations and make them more effective, but it also helps you to control rising operational costs.
While certificate outages are a major cause of concern, the responses received during the study indicate that failed audits due to insufficient key management practices, rogue or compromised certificate authorities (CAs), and misuse of code signing certificates and keys are even bigger areas of concern. This is true both in terms of financial costs as well as compliance.
The seriousness of failed audits and compliance headed up the rankings (4.1 on a 1-10 scale, where 1 is considered the least serious problem and 10 the most serious). In particular, survey respondents are worried about insufficient or unenforced key management policies and practices. The next most serious issue related to man-in-the-middle (MitM) and phishing attack vulnerabilities that stem from CA compromise.
We mentioned earlier that nearly three-quarters (73%) of respondents indicate that they experience unplanned outages and downtime due to mismanaged digital certificates. These occurrences are more frequent than unplanned outages that result from certificate expiration. What makes these numbers even more dire is that disruptive outages are expected to keep increasing rather than decreasing. According to the report:
"59 percent of respondents say the misuse of keys and certificates by cybercriminals is increasing the need to better secure these critical assets. Yet, more than half (54 percent) of respondents are concerned about their ability to secure keys and certificates throughout all stages of their lifecycle, from generation to revocation."
If you're using a private CA, it's not really surprising when things go sour. One of the best things you can do to avoid issues relating to rogue or compromised certificate authorities is to work with established, reputable commercial CAs who provide managed PKI services. It would be best to stay away from free PKI certificate providers because they lack the support and resources that commercial digital certificate providers have at their disposal.
The final insight we'll share from the survey is that respondents' concerns stemming from post-quantum cryptography are decreasing, for now. The KeyFactor and Ponemon report says:
"Only 47 percent of respondents are concerned about the impact that quantum computing will have on their key and certificate management practices, but we expect this number will rise as recent advances in quantum technology bring us closer to the potential breaking point of the keys and algorithms we rely upon today."
Essentially, there is and has been hype surrounding the topic for several years. But until quantum computing is available at the commercial level, we'll overestimate the potential negative impacts rather than highlight its positive impacts on security, Ponemon said.
Hickman says that quantum computing is our future reality; it's just a matter of when, not if, it will become a thing. That's why the industry's work on post-quantum algorithms is critical (see our previous blog post highlighting DigiCert's work on post-quantum cryptography) and why organizations need to:
"Rarely have we seen something in this industry with the potential cataclysmic effect of quantum, and the disruptive nature that it will bring from a security standpoint," says Hickman, who emphasizes the importance of planning, which seems to be taking a back seat in terms of being considered a priority.
Hickman continues:
"Having a plan, understanding where your digital assets live, where your cryptography is deployed, having ways to manage that crypto is absolutely important. Things are going to happen along the way, such as the deprecation of algorithms. But you'll be able to reuse that same plan and actually validate it to make sure that you're ready for a post-quantum world."
From these survey responses, it's obvious that there's no one clear owner of PKI budgets and efforts with multi-discipline and multi-functional teams. And there's also no one agreed-upon method that these surveyed organizations rely on to deal with these increasing crypto responsibilities. But it's obvious that having a governance process in place and clear visibility of your public key infrastructure are essential to improving a business's certificate management capabilities. Part of this entails establishing a cryptographic center of excellence if one doesn't already exist.
The increasing use of encryption technologies, digital certificates, etc. for compliance with regulations and policies dictates the need for better certificate management practices. And as operational costs continue to increase without a parallel increase in operating budgets to cover those costs, automation will become important the closer we get to a PQC world.
Read the original here:
5 Actionable Takeaways from Ponemon and KeyFactor's 2020 PKI Study - Hashed Out by The SSL Store