
The State of Machine Identity Management: More Machines, More Certificates … More Problems?


A business must have a baseline of trust to be successful. Yet today’s IT and security professionals operate in a world where everything is connected, but nothing is implicitly trusted. 

Organizations are witnessing containers running in multiple clouds, employees taking their devices from the workplace to the home, and transactions becoming primarily digital. But with more workloads, devices, and transactions come more challenges with trust. And that trust begins with every machine having an identity that is managed throughout its lifecycle.

So how are organizations balancing a rapidly expanding digital footprint while maintaining a high level of trust at scale?

Keyfactor sought to answer this question in its 2023 State of Machine Identity Management Report, which gathered what’s on the minds of 1,280 IT and infosec executives and practitioners across 12 key industries. 

Here we highlight the report’s significant findings and take a deeper dive into what the data tells us about machine identity management’s impact on businesses and boardrooms.

IoT is driving the deployment of PKI

The report is in its third year, which means it’s the first time we can start to look at machine identity trends over time. One of those trends is that the deployment of PKI for IoT (49%) is on the rise, whereas in years past, we unsurprisingly saw zero trust and cloud as the primary drivers.

The upsurge could be attributed to the two sides of IoT: Organizations that adopt connected devices internally and organizations that manufacture smart devices (with some organizations doing both).

“The IoT finding is the most significant increase we saw in the report, and I think it will continue to grow. With everything becoming more connected and trust needing to be propagated for these devices, it makes sense that it is coming up on the radar,” said Chris Hickman, Chief Security Officer at Keyfactor.

Certificates become a burden, not a benefit

So what’s the first report data point that Hickman looks at every year? It’s how many certificates organizations are dealing with. This number is foundational to understanding what is happening within organizations. 

The average number of certificates issued is 256k, and given the rise in use cases of PKI for IoT, it is not surprising that certificate numbers are trending upward. But interestingly, the average number of PKI/CA solutions is nine, a high number to manage. Digging into this data more, the report found organizational challenges in trying to gain control of the high number of certificates:

  • 74% say they’re deploying more keys and certificates
  • 72% say increasing the use of keys and certificates is putting a burden on their teams
  • 62% say they don’t know exactly how many keys and certs they have

“These results are a telling sign of what’s going on in the real world around certificates. Organizations don’t have visibility into their certificates. As they issue more certificates, they struggle to stay above the water line and not slip under the PKI waves,” said Hickman.

Outages, talent shortages, oh my

Organizations can’t manage what they can’t see. Who owns the certificate? Where does it live? When does it expire? Without better certificate management, businesses open themselves up to multiple issues that can cause trouble across the organization.

When a certificate expires, the system or application it is installed on is cut off, because the clients and services that connect to it no longer trust it, and it becomes a complex process to get it back on track. Report respondents averaged three certificate-related outages in the past 24 months, and 55% said the outages resulted in severe disruption to customer-facing services.

For the first time, Keyfactor asked respondents what happens at their organizations during an outage. On average, it takes an organization more than four hours (42%) to identify, remediate and recover from a certificate-related outage, and the effort involves 11 to 20 staff members. An outage’s impact extends beyond those hours and can have ramifications, including lost revenue and reduced customer satisfaction.

Companies are struggling to find and retain the security talent they need to resolve issues efficiently. More than half (53%) need more staff to deploy and manage PKI, which only adds to the challenges of an already taxed team.

Where do we go from here with machine identity?

It’s not all doom and gloom on the machine identity front. A positive report takeaway is that executive support and awareness around machine identity are trending upwards. Executives are more in tune with the machine identity issues in their organizations and are taking steps to put resources and funding in place.

However, there is still more that needs to be done. Learn how organizations can keep up with the machine identity management changes that lie ahead in the State of Machine Identity Management on-demand webinar with Keyfactor’s Chris Hickman, Chief Security Officer, and Ryan Sanders, Senior Director of Product & Customer Marketing. Check out the full report here.
