If you’re a PKI team – often a lonely team of one – you’ve got everything on the line, but often don’t have the resources.
You’re responsible for thousands of digital identities, in some cases millions, used by tens or hundreds of administrators across the business. Even a single mishandled certificate could cost millions, and PKI may not even be your primary responsibility.
It’s really a tough spot to be in.
Public key infrastructure (PKI) is one of the most critical IT functions in any enterprise. Organizations depend on encryption keys and digital certificates every day to build trust and security into their day-to-day operations.
But PKI isn’t just technology – it’s powered by a comprehensive set of policies, procedures, and most importantly, people.
As I read through the recent Keyfactor-Ponemon Institute report on the Impact of Unsecured Digital Identities, I’m reminded of the risks and often expensive outcomes that organizations face when digital identities are not properly managed.
As a former PKI admin myself, I know full well the security risks identified in this report, but I also see the opportunities it offers to improve processes and toolsets. After all, every risk can be minimized if you completely understand it.
Using the right technology, PKI teams have the power to significantly reduce security and operational risks, while cutting response times from hours to minutes, should an incident occur.
Let’s dive into the data and see how it reveals:
- Why enterprises have a tough time delegating responsibility for PKI management;
- The many risks and responsibilities of PKI ownership; and
- How you can stay ahead of potential threats and avoid serious economic losses.
1. PKI – The Technical “Hot Potato”
According to the report, responsibility over keys and PKI certificates is often dispersed throughout the organization. No one function emerges as the clear owner of the PKI budget – 20 percent say it is lines of business, and 19 percent say it is IT operations.
Why the disconnect?
Responsibility for PKI has always been a bit of a technical “hot potato.” The sheer complexity of public key cryptography alone is enough to scare off most IT professionals.
And if it isn’t the complexity, it’s the risk. The rate of failure with typical enterprise PKI is considerable. Fear of taking personal responsibility for that level of risk leaves few inclined to take on the challenge.
Nevertheless, it is essential that every organization have a team or individual willing to step up. PKI has been a hidden yet foundational security tool for more than two decades. As Internet of Things (IoT) and DevOps pipelines demand access to keys and signed certificates, the role of PKI only becomes more critical.
If your company doesn’t already have a PKI owner, it’s time you either become this person or find them. You (or they) will be an invaluable asset over the next several years.
2. Risks and Responsibilities of Owning PKI
Back when you were only dealing with a few hundred certificates, you could run a solid PKI using a spreadsheet (even then it was a challenge).
But times have changed.
Today, the average enterprise estimates that they have:
- More than 82,000 keys and certificates
- Another 56,000 certificates used in data encryption, SSL/TLS, VPNs and application services
That’s a lot of responsibility. If just one certificate is overlooked, the damage can be serious.
Respondents to the Keyfactor-Ponemon report experienced an average of four unplanned outages due to expired certificates in the past 24 months. In the same time period, they experienced five failed audits, with the average cost for those events exceeding $14 million.
I suppose you could consider these numbers high or low, depending on the size of your organization, but the principle remains – lack of sufficient key and certificate management leads to costly outcomes.
Keeping track of keys and certificates today isn’t just a headache, it’s a nightmare. Thinking that you can accurately inventory and manage all of the necessary data (i.e. location, expiration date, key strength, etc.) in an Excel spreadsheet is simply unrealistic.
3. From Spreadsheets to Solutions
This is where technology comes into play.
An accurate inventory can only be achieved through real-time visibility as certificates are continuously issued, revoked and installed across your infrastructure.
When you can track every certificate in real time, you can avoid security and operational failures that so often leave others thinking, “the PKI team fell short again” (despite multiple efforts to notify the certificate owner).
The next step is to automate certificate lifecycle management.
As we know, most enterprises have a small team dedicated to managing digital certificates. Automation serves as a powerful workforce multiplier by alerting teams to out-of-policy or expired certificates. It also enables other business units to renew or replace certificates themselves with minimal to no effort.
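To make the inventory and alerting steps concrete, here is an added example that is not part of the original post or of any Keyfactor product: a small, standard-library-only Python check that walks a constructed certificate inventory (the field names, hostnames, owners and the policy thresholds are all assumptions for illustration), flags certificates that are expired, about to expire, below the minimum key size or signed with a banned algorithm, and groups the resulting alerts by the owning team so the notification can go to the right people.

```python
from datetime import datetime, timezone

# Constructed sample inventory (not data from the report). One record per installed
# certificate, carrying the fields the post names (location, expiration date, key
# strength) plus the owner and signature algorithm a policy check also needs.
INVENTORY = [
    {"cn": "www.example.test", "location": "lb-01:443", "owner": "web-team",
     "not_after": "2024-07-01T00:00:00Z", "key_alg": "RSA", "key_bits": 2048,
     "sig_alg": "sha256WithRSAEncryption"},
    {"cn": "vpn.example.test", "location": "vpn-gw-02:443", "owner": "net-team",
     "not_after": "2024-06-20T00:00:00Z", "key_alg": "RSA", "key_bits": 1024,
     "sig_alg": "sha1WithRSAEncryption"},
    {"cn": "api.example.test", "location": "api-03:8443", "owner": "web-team",
     "not_after": "2024-06-10T00:00:00Z", "key_alg": "EC", "key_bits": 256,
     "sig_alg": "ecdsa-with-SHA256"},
    {"cn": "mail.example.test", "location": "mx-01:465", "owner": "msg-team",
     "not_after": "2025-01-15T00:00:00Z", "key_alg": "RSA", "key_bits": 3072,
     "sig_alg": "sha256WithRSAEncryption"},
]

# Assumed policy thresholds; a real deployment takes these from its certificate policy.
POLICY = {
    "warn_days": 30,                                  # alert this many days before expiry
    "min_key_bits": {"RSA": 2048, "EC": 256},         # anything smaller is out of policy
    "banned_sig_algs": {"sha1WithRSAEncryption", "md5WithRSAEncryption"},
}


def parse_utc(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(inventory, policy, now):
    """Return {location: finding}; each finding lists the policy issues for that cert."""
    findings = {}
    for cert in inventory:
        issues = []
        days_left = (parse_utc(cert["not_after"]) - now).days
        if days_left < 0:
            issues.append("EXPIRED")
        elif days_left <= policy["warn_days"]:
            issues.append("EXPIRING")
        min_bits = policy["min_key_bits"].get(cert["key_alg"])
        # An unknown key algorithm is treated as weak rather than silently accepted.
        if min_bits is None or cert["key_bits"] < min_bits:
            issues.append("WEAK_KEY")
        if cert["sig_alg"] in policy["banned_sig_algs"]:
            issues.append("BANNED_SIGALG")
        findings[cert["location"]] = {
            "cn": cert["cn"], "owner": cert["owner"],
            "days_left": days_left, "issues": issues,
        }
    return findings


def alerts_by_owner(findings):
    """Group locations with at least one issue by owner, most urgent (fewest days) first."""
    grouped = {}
    for location, f in sorted(findings.items(), key=lambda kv: kv[1]["days_left"]):
        if f["issues"]:
            grouped.setdefault(f["owner"], []).append(location)
    return grouped


if __name__ == "__main__":
    now = parse_utc("2024-06-15T00:00:00Z")  # fixed "today" so the run is reproducible
    results = evaluate(INVENTORY, POLICY, now)
    for location, f in results.items():
        print(f"{location:16} {f['cn']:20} {f['days_left']:5d}d  {', '.join(f['issues']) or 'OK'}")
    for owner, locations in alerts_by_owner(results).items():
        print(f"notify {owner}: {locations}")
```

Two design points matter here: the check uses a fixed `now` rather than the wall clock so that the same inventory always yields the same findings (which makes the output auditable), and it never treats an unrecognised key algorithm as acceptable. Feeding it real data means replacing `INVENTORY` with records pulled from whatever discovery source you have (a scanner, the CA database, or a configuration store) and wiring `alerts_by_owner` to your ticketing or notification system.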
Once you can find, control, and automate the lifecycle of every certificate in your environment, the role of “PKI owner” quickly moves from risky to rewarding.
In any scenario, the right solution can help you stay ahead of potential threats and avoid serious economic losses.
Facts and figures highlighted in the Keyfactor-Ponemon Institute report on The Impact of Unsecured Digital Identities can help you build your case to implement a comprehensive digital identity strategy and adopt the right tools to achieve success.