Public Key Infrastructure is widely deployed for many applications but the security technology may also be at a tipping point. Enterprises are using it with legacy systems that need updating but are hesitant to change. This coupled with a move to the cloud and the rapid approach of the Internet of Things places PKI in an interesting position.
The “2015 PKI Global Trends Study” from the Ponemon Institute, sponsored by Thales e-Security, finds that companies are using their PKI to support seven different applications. The findings of this study, however, indicate a general lack of clear ownership of PKIs, as well as a lack of resources and skills to properly support them. Current approaches to PKI are fragmented and do not always incorporate best practices, indicating a need for many organizations to apply increased effort to securing their PKI as an important part of creating a foundation of trust.
“One of the most interesting findings is that companies are using their PKI for many more things that originally intended,” says John Grimm, senior director of Product Marketing at Thales e-Security. “But where we’re heading and seeing is that the PKI that they are reliant on isn’t up to the task and wasn’t designed to do what people need it to do.”
Enterprises are running up to seven applications off a PKI that was designed for one or two applications, Grimm says. Also, some of these systems are older and not able to handle modern encryption protocols and key lengths.
The companies need to develop a transition plan to modernize PKI, Grimm says. This is necessary to not only update legacy systems but also enable system for cloud access. But this leads to another issue, there’s a lack of expertise when it comes to supporting these legacy systems, Grimm says. Often the employees that stood these up are long gone and there’s nobody on staff that has the knowledge to transition to a modern system.
There’s also the train called IoT speeding down the tracks towards enterprises, Grimm says. This could see an explosion for PKI as each device is issued a certificate but these call for modern, flexible and scalable systems. Enterprises are trying to figure out the best way to use PKI to secure these systems.
The survey found other issues when it comes to PKI as well. Enterprises are protecting their PKI root keys primarily with passwords. This is not ideal and enterprises should be using hardware security modules, Grimm says. Only 28% of those surveyed were using HSMs.
There were also issues with certificate revocation lists. Thirty-seven percent of respondents report their organizations neither issue Certificate Revocations Lists nor deploy Online Certificate Status Responder technology, leaving them in a poor position to recover from compromise of root or issuing certificate authority private key compromise. However, organizations that deploy HSMs are more likely to use either online or offline certificate revocation techniques. This suggests organizations that deploy HSMs are more mature and attuned to best practices than those that do not.
This report summarizes the results of a survey completed by 1,511 IT and IT security practitioners in the United States, United Kingdom, Germany, France, Australia, Japan, Brazil, Russian Federation, India and Mexico. The report tabulates the responses to the survey and draws some limited conclusions as to how best practices are reflected in observed practices.
A copy of the report can be downloaded here.