Ponemon Institute recently released their 2018 Global PKI Trends Study, proudly sponsored by Thales and Venafi. Ponemon surveyed 1,688 security practitioners in several different regions around the world, including Australia, Brazil, France, Germany, India, Japan, Mexico, the Middle East, Russia, South Korea, the United Kingdom, and the United States. The survey’s results can teach us a lot about how organizations deploy public key infrastructure (PKI) and Certificate Authorities (CA.) The knowledge gleaned from Ponemon’s research shows us how network security can be improved through proper PKI deployment. Certificates are vital to keeping your network’s data in transit well encrypted, but only if they’re used the right way!
One of the questions asked in the survey is “How would you describe how your organization’s enterprise PKI is deployed?” The differing sources of a PKI’s CAs have a direct effect on a network’s security and how to improve it. The sum of the responses to this question add up to 181% of respondents because an organization may use more than one type of enterprise PKI deployment.
- Internal corporate certificate authorities were cited by most respondents, 56%. They are becoming increasingly common because in the 2015 Global PKI Trends Study, only 44% of respondents said their organization uses an internal corporate certificate authority.
- Externally hosted private CAs are the second most common type of enterprise PKI deployment, at 40%. Fewer organizations are using this method, because in the 2015 Global PKI Trends Study, 48% of respondents said the same. The 2017 study reported 38%, and the 2016 study reported 41%, so perhaps organizations have levelled off at around 40% for now.
- Public CA services are also very common. 33% of 2018 study respondents say that their organization uses them. That’s a pretty significant increase from 25% in 2015.
- Private CAs running within public clouds are being used a lot more frequently than in recent years. 23% of respondents cited this method in 2018 versus a mere 9% in 2015.
- Business partner provided service CA use hasn’t changed much in the past few years. The 2018 survey cited 16%, the 2017 survey cited 14%, 15% in 2016, and 16% in 2015.
- A steady minority of organizations use government provided service CAs, 11% in 2018, 11% in 2017, 12% in 2016, and 9% in 2015.
Obviously, an organization has the most control over an internal corporate certificate authority. This may have something to do with why 56% of organizations use them. Having an internal CA can be a lot of work and responsibility though. Plus, they’re only as secure as how they’re configured and deployed. If an organization isn’t prepared to properly secure an internal CA, a trustworthy third-party CA may be a better solution. A third-party CA is also a good idea if your organization must produce certificates to be used on the public internet. On the public internet, well known public CAs which have operated for many years are the most trusted by applications such as web browsers, email clients, and FTP servers. There are so many variables and other factors to consider and your organization’s needs may be unique!
One of the most important factors to consider when assessing the security of an internal CA is how well security hardened the actual computers deploying the CA are. Organizations expose themselves to considerable cyber-attack risk if their internal CA computers are poorly physically secured, if it’s easy for an outsider to touch the CA computers. Is the datacenter’s door locked and guarded? Are administrators thoroughly authenticated into the machines with multiple factors? Do the machines have good firewalls, good antivirus? Is the operating system and application properly configured?
Internal certificates are sensitive data and they must have proper backup. Internal CAs often become inactive and a user in your network may require one of the certificates that old CA deployed!
Here’s something else I learned from 2018 Global PKI Trends Study. Survey respondents were asked “What best describes the number of individual CAs in your organization?” Organizations cited about 9 on average. American and German organizations use the greatest number of individual CAs at 9.48 and 9.19 respectively. Brazilian, French, and Russian organizations used the fewest individual CAs at 6.22, 6.21, and 5.22 respectively.
It may be necessary for an organization to use lots of individual CAs. But the more individual CAs that an organization uses, the more work it may take to keep them all properly secure. Certificates are never permanent, they always have a limited time duration that they can be used. That’s a good thing because a certificate that’s valid for many years could weaken your network’s encryption. A certificate is often valid for about a year. Sometimes they could be valid for a few years or a few months. Once a certificate expires, a new certificate must be generated for the client and the application.
So, consider the different ways CAs can be deployed and the different time limits on certificates. An organization may use nine or more individual CAs in total, and a user in an internal network may need certificates for several different applications at any given time. Considering how varied certificate needs can be and how often PKIs must adapt to change and evolve, certificate authority agility is a must. Does your CA administrator check for expired certificates and discontinued CAs? Do the certificates your CAs deploy right now suit your network’s current security needs? Are all active CAs being carefully monitored?
The 2018 Global PKI Trends Study indicates how organizations deploy PKIs and manage their certificates. This knowledge can be used to acquire a better understanding of how PKI deployment can be improved. Good PKI security can seem like a daunting challenge, but it’s a feasible and necessary goal.