News

Study Finds IT Inadequacies in Key and Certificate Management

• By Kurt Mackie
• 02/14/2020

Mismanaged security certificates have resulted in "unplanned downtime and outages," per 73 percent of respondents in a recently published Ponemon Institute study, which polled IT security personnel.

The February study, called "The Impact of Unsecured Digital Identities," was sponsored by Keyfactor, a company with an interest in the topic as it offers public key infrastructure (PKI) as a service to organizations. For the study, the Ponemon Institute included 603 IT and information security pros in the United States and Canada. The sampling time period for the survey wasn't disclosed.

Over half (55 percent) of the respondents indicated that their organizations had undergone "four or more certificate-related outages" in the past two years.

Management Troubles
A few responses by study participants suggested why IT departments were having such troubles. Staffing appeared to be one issue, with just 38 percent of respondents saying they had "enough IT security staff members dedicated to their PKI deployment." The management of keys appeared to be another issue, with 74 percent affirming that "my organization does not know how exactly many keys and certificates (including self-signed) it has."

When asked to estimate the number of keys and digital certificates their organizations were using, 60 percent of respondents thought that number was more than 10,000. It was also thought, by 58 percent, that "the management of cryptographic keys and digital certificates is increasing operational costs."

Study participants estimated the serious financial effects of "failed certificate management practices" as follows:

• Certificate authority compromise (75 percent)
• Failed audits (75 percent)
• Code signing and misuse of keys (72 percent)
• Unplanned outages (71 percent)
• Certificate and key misuse on servers (68 percent)

The study polled various types of organizations, with financial services topping the representation at 18 percent. The poll mostly landed on larger organizations, with 64 percent of respondents indicating that their organizations had "more than 5,000 employees."

Average IT security spending weighed in at $19.5 million annually, but just 16 percent of that budget ($3 million) was allocated to PKI, according to the study. PKI budgets were not centered in IT departments, which was described in the study as potentially obscuring "clear lines of accountability."

Middling Confidence
To gauge overall opinion on the topic, the study devised a "Critical Trust Index" encompassing the three topics of "key and certificate management, PKI operations, and business agility and growth." The average Critical Trust Index score in the study was just 4.7 (on a scale of 0 to 10), reflecting middling confidence among the study participants.

The "ability to respond effectively to certificate expiration" got one of the lowest trust ratings at 3.9.

Overall, the study concluded that organizations are having security key and certificate management troubles. IT is less able to cope as the number of keys and digital certificates continues to grow.

This report, available here from Keyfactor with sign-up, was the second annual study on digital identity security by the Ponemon Institute.