Scaling PKI Operations: Top 4 Issues to Avoid

This blog features insights from Keyfactor’s Chief Security Officer, Chris Hickman, on the 2020 Keyfactor-Ponemon Institute Report: The Impact of Unsecured Digital Identities.

As CIOs drive the business toward a multi-cloud model, the sheer number of machines and applications, and the volume of sensitive data they generate, have grown exponentially. When we think about security and how it has changed over the last decade, there are two concepts that come to mind – scale and complexity.

IT and DevOps teams have the power to provision and deploy infrastructure with a few clicks, rather than waiting days or even weeks. Everything these teams use in their day-to-day operations – cloud services, containers, devices and applications – makes use of x.509 certificates to protect data and secure machine-to-machine communications.

The growing volume and diversity of x.509 certificates have multiplied the complexity of managing them, particularly as we see shorter certificate lifecycles and more frequent changes in cryptographic standards. PKI operations and security teams must now ensure that every issued certificate is trusted, up-to-date, protected from attack, and compliant with enterprise policy (e.g., key size and algorithm).

Roadblocks to Scaling PKI Operations

In the 2020 Keyfactor-Ponemon report, 600+ IT and information security professionals estimate that they have an average of 88,750 digital certificates and keys across their business—yet most organizations aren’t equipped to manage and protect them effectively at scale.

Unknown & Unmanaged Certificates

According to the report, 74% of respondents say their organization does not actually know exactly how many keys and certificates they have.

Most organizations focus their efforts on the TLS certificates they use to secure public-facing websites and applications, typically using CA-provided tools or spreadsheet-based methods to keep track of them. The problem? This approach can only account for a limited number of known certificates—but it is the unknown or rogue certificates that pose significant risk to the organization.

In many cases, Keyfactor customers see five to ten times more certificates in their environment than they expected. Gartner says that security and risk management (SRM) leaders should “ensure that they understand at least the known number of x.509 certificates in their environment. If this number exceeds 100, then certificate management solutions and other tools should be implemented to mitigate risks.”

Unexpected Expirations

Expired certificates continue to cause unexpected outages. When a network or application outage occurs, IT and security teams typically focus on other causes, such as hardware/software issues, well before they consider an expired x.509 certificate. Delays in identifying and remediating the expired certificate result in downtime and loss of productivity for both security teams and end users—and in some cases, significant loss of revenue and impact to product or brand reputation.

Seventy-three percent of respondents in the report say that their organization continues to experience certificate-related outages, yet only 30% say they are able to respond effectively to certificate expiration.

In hybrid cloud scenarios, tracking down and replacing an expired certificate can be extremely challenging, especially if that certificate is used across more than one application or cloud platform.

No Crypto-Agility

Knowing where certificates live, when they expire, and what applications rely on them is critical to ensure that security teams can detect and respond to non-compliant or rogue certificates. Just as important is knowing the key sizes and algorithms in use, and how to update all affected certificates at massive scale.

Only 30% of respondents within the survey say their organization is able to effectively respond if an algorithm is deprecated or compromised.

In many cases, different teams spin up a separate certificate authority (CA) for specific use cases, without the oversight of the PKI or security team. We still find many organizations with SHA-1 certificates hiding across their network, because they did not have a complete view of certificates issued from untrusted or self-signed CAs outside of their enterprise-supported PKI.
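
An added example, not from the original post or from Keyfactor's tooling: the checks described in the three sections above (one certificate deployed on several endpoints, upcoming expiry, weak hash or key size, and issuers outside the supported PKI) applied to a constructed inventory. The record layout, policy thresholds, issuer names and fingerprints are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy for illustration; none of these values come from the article.
APPROVED_ISSUERS = {"CN=Corp Issuing CA 1"}
WEAK_SIG_HASHES = {"md5", "sha1"}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
RENEW_WINDOW = timedelta(days=30)
FIELDS = ("endpoint", "fingerprint", "subject", "issuer",
          "sig_hash", "key_type", "key_bits", "not_after")

# Constructed sample rows, shaped like the output of a network discovery scan.
ROWS = [
    ("web01:443", "fp-a", "CN=shop.example.test", "CN=Corp Issuing CA 1", "sha256", "RSA", 2048, "2024-06-20"),
    ("lb02:443", "fp-a", "CN=shop.example.test", "CN=Corp Issuing CA 1", "sha256", "RSA", 2048, "2024-06-20"),
    ("build07:8443", "fp-b", "CN=build07", "CN=build07", "sha1", "RSA", 1024, "2030-01-01"),
    ("iot-gw:8883", "fp-c", "CN=iot-gw", "CN=Team Lab CA", "sha256", "EC", 256, "2024-05-01"),
    ("api03:443", "fp-d", "CN=api.example.test", "CN=Corp Issuing CA 1", "sha256", "EC", 256, "2026-01-01"),
]
INVENTORY = [dict(zip(FIELDS, row)) for row in ROWS]

def audit(inventory, now):
    """Group endpoints by certificate fingerprint and list policy findings per certificate."""
    report = {}
    for c in inventory:
        entry = report.setdefault(c["fingerprint"], {"endpoints": [], "findings": set()})
        entry["endpoints"].append(c["endpoint"])  # every place this certificate must be replaced
        found = entry["findings"]
        not_after = datetime.fromisoformat(c["not_after"]).replace(tzinfo=timezone.utc)
        if not_after <= now:
            found.add("expired")
        elif not_after - now <= RENEW_WINDOW:
            found.add("expiring-soon")
        if c["sig_hash"].lower() in WEAK_SIG_HASHES:
            found.add("weak-signature-hash")
        min_bits = MIN_KEY_BITS.get(c["key_type"])
        if min_bits is None or c["key_bits"] < min_bits:
            found.add("weak-or-unknown-key")
        if c["issuer"] == c["subject"]:
            found.add("self-signed")
        elif c["issuer"] not in APPROVED_ISSUERS:
            found.add("unapproved-issuer")
    return {fp: {"endpoints": e["endpoints"], "findings": sorted(e["findings"])}
            for fp, e in report.items()}

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the output is repeatable
    for fp, entry in audit(INVENTORY, now).items():
        print(fp, entry["endpoints"], entry["findings"] or "compliant")
```

Grouping by fingerprint is what turns five scanned endpoints into four certificates and shows that renewing the expiring one means touching two hosts.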

Outdated PKI Builds

Fewer than half (43%) of organizations are able to scale their PKI operations to support new applications and initiatives, including DevOps, Cloud and IoT devices.

Most enterprise PKI deployments were implemented for specific use cases to secure data and applications within the datacenter, but they were not built for the volume or velocity of certificate issuance required for dynamic, automated cloud infrastructure.

DevOps tools like HashiCorp Vault can give developers fast and easy access to the certificates they need for day-to-day operations, but PKI and security teams still lack the visibility and control they need to protect the business. Developers need access to security-approved certificates without disruption to their native toolsets and workflows.

How Does Your x.509 Certificate Management Stack Up?

Take five minutes to calculate your organization’s Critical Trust Index and get personalized recommendations on how you can effectively manage x.509 certificates at scale to meet the growing demands and use cases of your business.

*** This is a Security Bloggers Network syndicated blog from PKI Blog authored by Chris Hickman.