As organizations race toward digital transformation, the reliance on secure machine-to-machine communications has caused an exponential increase in the number of SSL/TLS certificates organizations need to manage and protect. According to the findings of the Ponemon 2019 Global PKI and IoT Trends Study, sponsored by nCipher, the rapid growth in the use of IoT devices is having an impact on the use of PKI technologies and there is a growing realization that PKI provides important core authentication technologies for the IoT.
The purpose of this study is to better understand the use of PKI in organizations, since all participants are either involved in the management of their organizations’ enterprise PKI or in developing and/or managing applications that depend upon credentials controlled by their organizations’ PKI.
According to the study findings, IoT is becoming a major driver for the use of PKI, since provision of authentication and trust is a major challenge for IoT vendors. In fact, 41% of the respondents say that IoT is the most important trend driving the deployment of applications using PKI, up from 21% back in 2015. At the same time, cloud-based services as a factor for PKI deployment is down to 49% from 69% in 2015.
Despite the importance of PKI in the deployment of IoT based applications and services, there are what seem to me to be more pressing issues. What is truly worrying to me are the challenges of ownership and CA agility faced by PKI administrators during deployment. In fact, a striking 68% of respondents believe there is no one job function responsible for managing PKI.
Image adapted from the 2019 Global PKI and IoT Trends Study Executive Summary
"All organizations surveyed have more than 5 CAs deployed"
The penetration of the PKI into the core IT backbone of the modern organization is highlighted by the fact that all organizations surveyed have more than 5 CAs deployed within their organization. The U.S. and Germany have the most individual CAs deployed (9.65 and 9.24, respectively). Brazil and the Russian Federation have the least number of individual CAs (5.93 and 5.19, respectively).
Image adapted from the 2019 Global PKI and IoT Trends Study
Certificate ownership is a PKI challenge with increasing trends, since the advent of DevOps and the proliferation of IoT and cloud-based computing, introduces new types of certificate owners. As organizations push for more rapid and efficient deployment of business applications, certificates are deployed without coordination with the Certificate Services team.
"95% of companies don’t know where all their machine identities are being used within their networks"
In fact, research by Venafi revealed that an average enterprise may have thousands of SSL/TLS certificates spread throughout its infrastructure. The same research found that this number is increasing by 25% year over year and that 95% of companies don’t know where all their machine identities, including their SSL/TLS certificates, are being used within their networks. Tracking certificate ownership is a difficult task and may become impossible if the original requestor changes positions or leaves the company. Lack of ownership can be particularly problematic and may result in outages due to expired certificates. Ownership, responsibility and accountability are key factors for responding rapidly to issues with certificates.
On the other hand, lack of control of trusted CAs can result in several potential risks, such as increased costs, trust issues, security risks because of CA compromise, and operational issues because of unexpected CA incidents. In case of cryptographic incidents, like CAs being distrusted, vulnerable algorithms or advances in technology, such as quantum computing, organizations need to be crypto agile to ensure that its operations and services to customers are not interrupted for an extended period.
Machine identities, including digital keys and certificates, control the flow of data to trusted machines in a wide range of security and operational systems, including e-commerce and financial transaction systems, load balancers and traffic inspection devices. Enterprises rely on SSL/TLS certificates to connect and encrypt over 330 million internet domains, over 1.8 billion web sites and countless services. When these certificates expire unexpectedly, the machine or application will cease to communicate with other machines, shutting down critical business processes.
The No Outages Guarantee VIA Venafi is a reliable and easy way to solve these problems. It blends the power of the Venafi Platform with the experience of trained experts and a step-by-step implementation plan that supports customizable business processes. By delivering the visibility, intelligence and automation required to solve the underlying people, process and technology issues that contribute to certificate-related outages, the No Outages Guarantee VIA Venafi delivers proven, repeatable outcomes at any scale.