Critical Trust Index
The Critical Trust Index is based on responses to 16 questions related to PKI and digital identity management capabilities. Using a 10-point scale, IT and security professionals indicated their ability from low (1) to high (10) for each metric. The average organization scored a 4.7/10.
It’s clear that a significant gap exists between the rapid growth in connectivity driven by cloud, mobile and IoT initiatives, and the ability of enterprises to protect and manage the growing number of keys and digital certificates required to keep their business secure.
We call this the Critical Trust Gap™. The result: keys and certificates intended to build trust instead cause costly network and application outages, or worse, a security breach.
Read on to discover key findings from this year’s report.
KEY FINDINGS | 2020
Enterprises face considerable new risks and challenges as digital identities play an increasingly important role in keeping the business secure.
01 | Disruptive Outages are on the Rise
73% of respondents admit that digital certificates have and continue to cause unplanned downtime and outages.
Over half of respondents (55 percent) say they have experienced four or more certificate-related outages in the past two years alone. This downtime isn’t just a nuisance. Between revenue loss, service interruptions, and lost productivity, outages caused by expired certificates can cost businesses millions – such as those seen at LinkedIn, Microsoft Azure, and Equifax.
It takes just one to slip through the cracks, yet 74 percent of respondents believe their organization does not know how many keys and certificates they have, much less where to find them when they expire. IT and security teams can spend hours or even days to pinpoint an expired certificate as the root cause and renew it, putting a serious strain on resources.
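Finding 01 describes the failure mode in words: certificates nobody inventoried expire and take a service down. The Go program below is an added example, not code from the Keyfactor/Ponemon report. It reads a PEM bundle (the kind of file an inventory export, a server chain file or a truststore dump produces), parses every certificate with the standard library's crypto/x509, computes the days left on each one and flags it as expired, inside a renewal window, or fine, most urgent first. The 30-day window, the hostnames and the self-signed sample certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math"
	"math/big"
	"sort"
	"time"
)

// RenewWithinDays is an assumed renewal window: a certificate with this many
// days or fewer left is flagged so it is renewed before it can cause an outage.
const RenewWithinDays = 30

// CertStatus is one inventory entry after the expiry check.
type CertStatus struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int    // whole days until NotAfter; negative once expired
	State    string // "expired", "expiring" or "ok"
}

// classify computes the days left on a parsed certificate relative to now.
func classify(cert *x509.Certificate, now time.Time) CertStatus {
	remaining := cert.NotAfter.Sub(now)
	days := int(math.Floor(remaining.Hours() / 24))
	state := "ok"
	if remaining <= 0 {
		state = "expired"
	} else if days <= RenewWithinDays {
		state = "expiring"
	}
	return CertStatus{cert.Subject.CommonName, cert.NotAfter, days, state}
}

// AuditInventory parses every CERTIFICATE block in a PEM bundle and returns
// the entries sorted so the most urgent come first. Other PEM block types
// (private keys, CSRs) are skipped rather than treated as errors.
func AuditInventory(bundle []byte, now time.Time) ([]CertStatus, error) {
	var out []CertStatus
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", len(out)+1, err)
		}
		out = append(out, classify(cert, now))
	}
	sort.Slice(out, func(i, j int) bool { return out[i].DaysLeft < out[j].DaysLeft })
	return out, nil
}

// newTestCertPEM builds a self-signed certificate for cn with the given
// validity; it exists only to construct sample data for this example.
func newTestCertPEM(cn string, serial int64, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// BuildSampleBundle constructs three 90-day certificates for hypothetical
// hosts: one expired 5 days ago, one expiring in 10 days, one with 300 days left.
func BuildSampleBundle(now time.Time) ([]byte, error) {
	const day = 24 * time.Hour
	var bundle []byte
	for i, s := range []struct {
		cn   string
		left int
	}{{"old.internal.example", -5}, {"soon.internal.example", 10}, {"fresh.internal.example", 300}} {
		notAfter := now.Add(time.Duration(s.left) * day)
		p, err := newTestCertPEM(s.cn, int64(i+1), notAfter.Add(-90*day), notAfter)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	bundle, err := BuildSampleBundle(now)
	if err != nil {
		panic(err)
	}
	statuses, err := AuditInventory(bundle, now)
	if err != nil {
		panic(err)
	}
	for _, s := range statuses {
		fmt.Printf("%-8s %5d days  %s\n", s.State, s.DaysLeft, s.Subject)
	}
}
```

Pointing AuditInventory at a real bundle is the whole change needed to use it against an actual inventory; the sorted output is what a renewal runbook or an alerting job would consume, so the "expired" and "expiring" rows surface before the problem turns into an outage.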
02 | More Encryption, More Problems
An estimated average of 88,750 keys and certificates are used by organizations today to secure data and authenticate systems.
Two-thirds of respondents say their organization is adding additional layers of encryption to comply with regulations and IT policies. As mandates drive the need for more encryption, the number of keys and digital certificates has reached tens or even hundreds of thousands. At the same time, the trend toward shorter certificate validity has multiplied the management workload on IT and security teams by two- to three-fold over the last decade.
Unsurprisingly, 63 percent indicated that the growing number of cryptographic keys and digital certificates is increasing operational costs. Many security teams still struggle to deploy and manage certificates using a patchwork of manual spreadsheets, internal PKI, and CA-provided tools. Keeping up with certificate renewals isn’t enough to stay ahead anymore, as evolving cryptographic standards are now challenging enterprises’ ability to respond and adapt.
03 | Insufficient Skills Leave PKI Shorthanded
Only 38% of IT and security professionals say they have sufficient IT security staff dedicated to their PKI deployment.
Running a modern PKI in-house requires significant investment, both in capital and in human resources. However, 53 percent of organizations are unable to hire and retain enough qualified IT security personnel. Shifting IT resources coupled with a decline in the number of PKI and cryptography experts in the industry have left most PKI deployments shorthanded.
IT and security teams today are already stretched thin, driving more organizations to offload the security risks and maintenance frustrations of their PKI to a managed service. In fact, 41 percent of organizations have already outsourced all or part of their PKI deployment, while another 21 percent are currently in the planning stages.
04 | Crypto-Incidents Undermine Trust
Most respondents (76%) say failure to secure keys and certificates undermines the trust their organization relies upon to operate.
Fast-moving exploits such as Certificate Authority (CA) compromise, algorithm vulnerabilities, and misuse or theft of keys and certificates routinely challenge security teams to respond. According to the report, 87 percent of organizations have fallen victim to misuse or theft of server keys and certificates in the last two years. What’s worse, code signing keys and certificates were misused an average of nearly five times (4.72) amongst the organizations in the survey.
When keys and certificates are stolen, attackers can leverage them to exploit trusted networks or sign and deliver malware that appears legitimate – such as the recent attacks on ASUS and NordVPN that affected hundreds of thousands of customers.
If a CA is compromised, the fallout is even more troublesome. To impersonate public websites, orchestrate phishing schemes, or mount man-in-the-middle attacks, attackers seek to infiltrate public or internal CAs and issue unauthorized certificates. Respondents indicated there is a 40 percent likelihood that this issue will occur in their organization in the next two years.
05 | Cloud, IoT & Quantum Challenges Continue to Grow
Migration to the cloud requires significant changes to key and certificate management practices, according to 71% of respondents.
The shift to cloud services, containers, and infrastructure as code has introduced new challenges for cryptography. More than half (52 percent) of respondents are using certificates to secure containers, but less than half (43 percent) are confident in their ability to scale PKI across on-premises data center, cloud, and hybrid environments.
IoT is also introducing new PKI challenges at massive scale. When ranking the top three strategic priorities for digital security, authenticating and controlling IoT devices was ranked highest. In practice though, only 31 percent of respondents are confident in their ability to maintain IoT device identities and cryptography over the device lifetime.
Another disruptive technology is quantum computing. Only 47 percent of respondents agree that the rise of quantum computers will require significant changes to key and certificate management practices, but this number will undoubtedly increase as advances in quantum threaten to break even the strongest keys and algorithms we rely on today.
06 | Cryptography Lacks a Center of Excellence
No one function emerges as the clear owner of the (growing) PKI budget.
Organizations represented in the study spend an average of $19.5 million on IT security annually, with about 16 percent or $3 million dedicated to PKI. When asked who owns the PKI budget though, responses varied significantly, from IT operations (21 percent) and networking (16 percent) teams, to IT security (18 percent) and compliance (10 percent), among others.
Despite the growing importance and cost of cryptography, responsibility for the PKI budget is evidently dispersed throughout the organization. This tends to place conflicting pressure on multiple teams with responsibilities for PKI, from network engineers to infrastructure teams, without clear lines of accountability.
CIOs and business leaders everywhere are charting a course for digital transformation. The Internet has become the new operating model, as enterprises embrace disruptive technologies from multi-cloud and DevOps strategies, to mobile and IoT initiatives.
More and more enterprise users and devices now operate beyond the trusted corporate network, across a dispersed multi-cloud infrastructure. Without a defined perimeter, knowing who and what can be trusted to access critical data and infrastructure is now a serious challenge.
A cybersecurity skills shortage – coupled with growth in the scale and complexity of managing keys and certificates – is making a serious problem even worse, resulting in significant disruption to business operations and security compliance.
IT and security leaders should focus on taking action to close their Critical Trust Gap™ to halt the continuous threat of disruptive outages, security incidents, and failed audits due to poor PKI practices and mismanaged keys and digital certificates.
How Does Your Organization Compare?
CALCULATE YOUR CRITICAL TRUST INDEX™.
We invite you to calculate your score on the Critical Trust Index™ and get your personalized recommendations at benchmark.keyfactor.com.
SECURE EVERY DIGITAL IDENTITY
Keyfactor empowers enterprises of all sizes to escape the exposure epidemic – when breaches, outages and failed audits from digital certificates and keys impact brand loyalty and the bottom line. Powered by the industry’s only PKI as-a-service platform, IT and infosec teams can easily manage digital certificates and keys. And product teams can build IoT devices with crypto-agility and at massive scale.
ABOUT PONEMON INSTITUTE
ADVANCING RESPONSIBLE INFORMATION MANAGEMENT
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.
We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.