Venafi Study: Organizations Fail to Protect Keys and Certificates as Effectively as Usernames and Passwords

Only 54% of security professionals admit to having a written policy on length and randomness for keys for machine identities

SALT LAKE CITY – December 19, 2019 – Venafi®, the inventor and leading provider of machine identity protection, today announced the results of a study comparing security controls for human and machine identities. The study evaluated responses from over 1,500 IT security professionals from the U.S., U.K., France, Germany and Australia across a range of company sizes and industries.

People rely on usernames and passwords to identify themselves to machines so they can gain access to data and services. Machines also need to authenticate themselves to each other so they can communicate securely, relying on cryptographic keys and digital certificates, which serve as machine identities.

To better understand the gap between implementation of security controls for human identities and those for machine identities, Venafi sponsored a survey that evaluated similar security controls for each type of identity. For example, just half (54%) of organizations have a written policy on length and randomness for keys for machine identities, but 85% have a policy that governs password length for human identities.

Additional findings from the study include:

  • Fewer than half (49%) of organizations audit the length and randomness of their keys, while 70% do so for passwords.
  • Only 55% have a written policy stating how often certificates and private keys should be changed, while 79% have the equivalent policy for passwords.
  • Only 42% of organizations automatically enforce the rotation of TLS certificates, compared with 79% that automatically enforce the rotation of passwords.
  • Only 53% audit how often certificates and private keys should be changed, compared with 73% for passwords.

Organizations will spend over $10 billion protecting human identities this year, but they are just getting started with machine identity protection. However, the number of humans on enterprise networks remains relatively flat while the number of machines that need identities – including virtual machines, applications, algorithms, APIs and containers – is growing exponentially. Because cybercriminals understand the power of machine identities and their lack of protection, they target them for exploitation.

“Identities are widely recognized as a key element in the threat landscape,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi. “Machine identities are a relatively new, and very effective, point of attack, but there is a huge gap between the security controls applied to human identities and those applied to machine identities. This is a problem because the future of digital business relies heavily on machines. Enterprises are seeing dramatic growth in container usage, artificial intelligence, microservices and IoT devices, as well as machines in cloud and virtualized environments. Everyone – from CISOs to security architects and security practitioners – must prioritize the protection of machine identities for their organizations’ digital transformation to be successful.”

Additional Resources:

Venafi Research Brief: Comparing Security Controls for Machine Identities and Human Identities

Blog: Venafi Study: Critical Machine Identities Protected Less than Human Identities

About Venafi

Venafi is the cybersecurity market leader and inventor of machine identity protection, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, code signing, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise – on premises, mobile, virtual, cloud and IoT – at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

With over 30 patents, Venafi delivers innovative solutions for the world’s most demanding, security-conscious Global 5000 organizations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; the top four credit card issuers; three out of the top four accounting and consulting firms; four of the top five U.S., U.K., Australian and South African banks; and four of the top five U.S. retailers. Venafi is backed by top-tier investors, including TCV, Foundation Capital, Intel Capital, QuestMark Partners, Mercato Partners and NextEquity.

For more information, visit: www.venafi.com.