This blog features insights from Keyfactor’s Chief Security Officer, Chris Hickman, on the 2020 Keyfactor-Ponemon Institute report, The Impact of Unsecured Digital Identities. Click here to download the full report.
In the last two blogs in this series, we talked about the challenges in deploying public key infrastructure (PKI) and the roadblocks that organizations encounter as they scale their PKI operations to meet growing business demands and use cases. In reality, these challenges typically come down to one core problem – a knowledge gap between the infosec team and business leaders.
While cryptographic keys and X.509 certificates may be familiar to the “PKI guy” or the security team, nontechnical business leaders often don’t appreciate the importance of cryptography until it’s too late. When PKI and digital certificate management are treated as just an IT issue, rather than as a strategic business enabler, organizations continue to suffer costly outages and security incidents as a result.
Outages Are Just the Beginning
In the recently released Keyfactor-Ponemon report on the Impact of Unsecured Digital Identities, 87% of respondents said that their organization experienced at least one certificate-related outage in the past two years, while 55% admitted they experienced four or more of these incidents.
There is no shortage of cases where the expiry of just one certificate has taken down networks, disrupted services, or left organizations blind to attack. Case in point: an expired certificate disabled a monitoring system at Equifax, allowing attackers to exfiltrate data without detection for more than two months. More recently, Microsoft Teams went down for nearly three hours after Microsoft forgot to renew an authentication certificate.
These events don’t just disrupt day-to-day operations; they also undermine trust in products and services, and cause significant downtime and loss of productivity for both enterprise users and security teams as they seek to identify and remediate the problem. Gartner pegs the average cost of network downtime at around $300,000 per hour – that’s $5,600 per minute.
Bigger Problems Lie Below the Surface
And that’s just scratching the surface. You may have heard that 90% of an iceberg lies below the waterline. When it comes to PKI, outages get most of the attention, since they have the most visible impact on the business, but most of the problems lie somewhere below the surface.
According to the Ponemon report, IT and security professionals say that their organization runs into challenges involving the misuse of keys and certificates, compromised or rogue certificate authorities (CAs), and audit failures much more frequently than unplanned outages. Not only that, they also ranked the seriousness of all of these incidents higher than the risk of outages caused by expired certificates.
But if mismanaged keys and digital certificates pose such a significant threat, then why wouldn’t they be a business priority? In many cases, IT and security leaders simply aren’t aware of the frequency and financial impact of these incidents. Meanwhile, InfoSec teams often struggle to shift the perception of PKI and cryptography from overly technical concepts to business-critical infrastructure.
Why PKI Often Isn't a Business Priority
In this year’s report, we introduce the Critical Trust Index™ – a set of metrics that measure an enterprise’s ability to manage the rapid growth of keys and digital certificates across the business. Respondents answered sixteen questions about the state of their PKI and digital certificate management operations, rating their capability on a scale from 0 (low) to 10 (high).
As shown in Figure 1 below, what we found was a serious gap between executive-level respondents and responses from staff directly involved in the management of PKI and digital certificates.
Figure 1. Critical Trust Index score by respondent’s role (the per-role scores are not reproduced in this extract).
This disconnect shouldn’t come as a surprise though. According to Gartner, “Security and risk management leaders are often unaware of the scope or status of their X.509 deployment. As the certificate scope expands to devices, containers and the IoT, they will need to use automated certificate management to avert system outages and gain operational efficiencies.”
Despite the availability of tools that automate the discovery and management of certificates, most organizations are still tackling the problem with a spreadsheet. But PKI and security teams now deal with an expansive, complex and multi-vendor certificate landscape that makes manual management unfeasible: a spreadsheet only knows about the certificates someone remembered to record, and it can’t tell you which ones expire next week. Without centralized visibility and control, more certificates create more problems.
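To make the “spreadsheet versus automation” point concrete, here is a small certificate-inventory check written for this post; it is an added example, not Keyfactor’s tooling or code from the Ponemon report. It parses every certificate in a PEM bundle and classifies each one as expired, expiring within a warning window, or healthy, which is the minimum a team needs before it can act on the kind of silent expiry that took down the Equifax monitoring system and Microsoft Teams. The sample bundle is generated in-process from throwaway self-signed certificates so the code runs offline; the host names (`*.example.internal`, `www.example.com`) and the 30-day warning threshold are assumptions chosen for the demo, and in practice the PEM input would come from a scan of servers, key stores or a CA database.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Status classifies a certificate's validity relative to a reference time.
type Status string

const (
	StatusExpired  Status = "EXPIRED"
	StatusExpiring Status = "EXPIRING"
	StatusOK       Status = "OK"
)

// Finding is one row of the inventory report.
type Finding struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int
	Status   Status
}

// ClassifyPEM parses every CERTIFICATE block in pemData and reports its expiry
// status relative to now, flagging anything that expires in fewer than warnDays.
// Other PEM block types (keys, CSRs) are skipped. A certificate block that does
// not parse is returned as an error rather than silently dropped, because an
// inventory that quietly loses entries is exactly the spreadsheet problem again.
func ClassifyPEM(pemData []byte, now time.Time, warnDays int) ([]Finding, error) {
	var findings []Finding
	rest := pemData
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		status := StatusOK
		switch {
		case !now.Before(cert.NotAfter):
			status = StatusExpired
		case days < warnDays:
			status = StatusExpiring
		}
		findings = append(findings, Finding{cert.Subject.CommonName, cert.NotAfter, days, status})
	}
	return findings, nil
}

// selfSignedPEM builds a throwaway self-signed certificate for cn with the given
// validity window. This only exists to construct sample input for the demo.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleInventory returns a constructed bundle (assumed host names) holding one
// certificate that expired 35 days ago, one that expires in 10 days and one
// that is good for another 300 days, all relative to now.
func SampleInventory(now time.Time) []byte {
	day := 24 * time.Hour
	var bundle []byte
	bundle = append(bundle, selfSignedPEM("monitor.example.internal", now.Add(-400*day), now.Add(-35*day))...)
	bundle = append(bundle, selfSignedPEM("auth.example.internal", now.Add(-300*day), now.Add(10*day))...)
	bundle = append(bundle, selfSignedPEM("www.example.com", now.Add(-30*day), now.Add(300*day))...)
	return bundle
}

func main() {
	now := time.Now()
	findings, err := ClassifyPEM(SampleInventory(now), now, 30)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %5dd  %-28s expires %s\n", f.Status, f.DaysLeft, f.Subject, f.NotAfter.Format(time.RFC3339))
	}
}
```

Pointing `ClassifyPEM` at a real bundle (for example the output of `openssl s_client -showcerts` across an inventory of hosts) gives a report that a spreadsheet cannot: it is derived from what is actually deployed rather than from what someone remembered to write down. Note that the check answers only the expiry question; it says nothing about which CA issued a certificate, whether the key is still where it should be, or whether the certificate is still in use, which are the below-the-waterline problems the next section describes.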
Making the Case for Digital Certificate Management
Teams responsible for PKI operations must build a compelling business case, not just around mitigating the risk and impact of certificate-related incidents, but about enabling adoption of new technologies while keeping the business secure with a proven, scalable technology.
This shift from reactive (preventing outages) to proactive (driving secure innovation) ensures that PKI and certificate management are seen as a strategic business asset, not just a problem for IT.
Take five minutes to calculate your Critical Trust Index score and identify the biggest gaps within your organization. Share the results with your team, see how you compare to peers, and get personalized recommendations to build a compelling business case for certificate lifecycle automation.