Encryption is a vital tool for a chief information security officer in the fight to protect the organization’s data, software and network connections. But if a survey of IT pros is accurate, failure to manage the cryptographic keys and digital certificates that encryption relies on is putting North American firms “at significant risk.”
That’s the conclusion of a report released today following a survey of 603 IT and information security professionals in Canada and the U.S. done for Keyfactor, which offers public key infrastructure as a service.
The survey by the Ponemon Institute found:
- 73 per cent of respondents said they have unplanned downtime and outages due to mismanaged digital certificates
- 55 per cent say their organizations had four or more certificate-related outages in the past two years alone
- 74 per cent of respondents believe their organizations don’t know exactly how many keys and certificates (including self-signed) they have, much less where to find them or when they expire
Here’s one way to measure the extent of the problem: the average organization that responded to the survey experienced 5.8 audit failures in the past two years due to insufficient key management. Certificate authority (CA) compromise or rogue CAs, which enable attackers to conduct man-in-the-middle and phishing attacks, were close behind in frequency, with server certificate and key misuse almost tied.
And, the report argues, it’s not just an enterprise software problem. The emergence of new IoT devices and industry mandates call for more robust encryption and device identity. As a result, the number of keys and digital certificates in most organizations has reached tens or even hundreds of thousands.
Sixty-four per cent of respondents agreed the management of cryptographic keys and digital certificates is reducing the general efficiency of their business processes.
There’s no shortage of companies that have been embarrassed by the failure to manage certificates properly. The most recent is Microsoft, whose Teams collaboration platform was offline for two hours because of an expired SSL certificate.
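An expired certificate that nobody was tracking is exactly what a certificate inventory check is meant to catch. The Go program below is an added example, not code from the article, Keyfactor or the Ponemon report: it walks a PEM bundle, flags certificates that are already expired or inside a warning window, and marks self-signed ones; the MakeTestCert helper and the example.test names are constructed test data so the check runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// CertStatus is one inventory row: identity, days left, and self-signed / expired / expiring-soon flags.
type CertStatus struct {
	Subject                       string
	DaysLeft                      int
	SelfSigned, Expired, Expiring bool
}
// InventoryPEM classifies every CERTIFICATE block in a PEM bundle against a reference time and a warning window in days; other PEM block types (keys, CSRs) are skipped.
func InventoryPEM(bundle []byte, now time.Time, warnDays int) ([]CertStatus, error) {
	var rows []CertStatus
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, err
		}
		// Self-signed: the certificate's signature verifies under its own public key.
		self := c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
		days, expired := int(c.NotAfter.Sub(now).Hours()/24), now.After(c.NotAfter)
		rows = append(rows, CertStatus{c.Subject.CommonName, days, self, expired, !expired && days < warnDays})
	}
	return rows, nil
}

// MakeTestCert builds a constructed self-signed certificate (test data only) so the check runs offline.
func MakeTestCert(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

In practice the bundle would come from the certificate stores, load balancers and application hosts being inventoried, and any row with Expired or Expiring set is the renewal ticket that prevents the outage.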
This was the second annual report done for Keyfactor on what it calls unmanaged digital identities.
“Our 2019 report was a wake-up call in many ways – it was the first report of its kind to investigate the role that digital certificates and keys play in creating trust inside and outside organizations,” said Larry Ponemon, founder of the Ponemon Institute. “In many ways, I was optimistic that we’d see progress this year as more executives invested the resources needed to close the gap between ‘standard practice’ in PKI and ‘best practice’. This year’s report shows that while progress has been made in a few areas, that gap is actually growing wider.”
The report reinforces cryptography’s importance within security, said Keyfactor CSO Chris Hickman.
“In many cases, PKI remains a manual function with ownership split across IT and security teams. Growing connectivity has created an exposure epidemic. Without a clear PKI in-house or outsourced program owner and process to close critical trust gaps, the risk of outages and breaches will continue to rise.”