
Survey Report: The State of PKI Security and Management 1

Survey Report: The State of PKI Security and Management

www.appviewx.com
Contents

Executive Summary (page 3)
Introduction (page 4)
Survey Report: Results (page 5)
The PKI Health Index (page 11)
Study Inference (page 12)
Study Demographics (page 13)
5 Best Practices for Certificate Management (page 14)
AppViewX CERT+: Complete Certificate Management Solution (page 16)

Executive Summary

As the second decade of the millennium nears its end, hyperconnected reality has become incredibly ubiquitous. Security has become the #1 priority for enterprises riding the digital wave, and Public Key Infrastructure (or PKI) stands as the first and most important layer of defense against attackers for an internet-facing system. However, certificate-related issues still plague businesses, resulting in thousands of dollars worth of losses every single year.

A 2019 study has revealed that businesses’ PKI setups have a long way to go before they’re considered truly secure and effective. Security teams continue to leverage legacy techniques to manage certificates and keys, resulting in outages and security breaches hitting corporations harder than ever before. What’s more, leaders in tech anticipate the rapid growth of new technologies that will require authentication and security mechanisms, making the issue more pressing than ever – businesses need to step up their PKI management standards ASAP.

In this whitepaper, you’ll find the results of the study, revealing the state of PKI in the industry today – including some surprising statistics, such as:

40% used some type of encryption to secure private keys.
30% still use spreadsheets to manage their PKI.
5% were hit by 5-10 certificate-related outages in the past year.

Average PKI Health Index: 4/10
Recommended PKI Health Index: 6+

On evaluating the results of the survey, it was discovered that the average enterprise scored only a 4/10 on the PKI Health Index. In addition to our critical analysis, we’ve also included a list of best practices teams can quickly adopt in order to score higher on the index, and hence, make their PKI setups more robust, scalable, and secure.

Introduction

The market for public key infrastructure is growing at an explosive rate, accounting for $1.65 Bn in 2019 – a figure projected to grow to $4.55 Bn by 2027.

This astronomical figure is justified, given the critical role it plays in securing information transmitted online. By authenticating the identities of endpoints on the web, PKI ensures that information is not misused or misappropriated anywhere along the value chain.

The PKI ecosystem can experience turbulence due to a myriad of reasons, and the effects are just as varied. Below are a few examples of certificate issues, their consequences, and how they can be remedied.

Certificate issue | Effect | Remediation tactic
Expiry (one certificate) | Application downtime | Renew the certificate and configure it for its endpoint.
Expiry (multiple certificates) | Widespread network outage | Locate each certificate on the network, renew them individually, and configure each certificate according to its endpoint.
Private key compromise | Data breach | Decommission the certificate/certificate chain, revoke all permissions, and issue a new set of PKI with stronger keys and hashes.

Of course, remediation is a protracted effort in the real world. Determining the cause of a certificate issue alone takes a significant amount of analysis and time. Manually having to determine the location and configuration of the certificate is not easy, either. What’s more, these infractions come with a cost – outages and data breaches cost corporations millions of dollars in business losses, fines, and remediation costs every single year.

AppViewX initiated this study to gain visibility into the real-world state of PKI management today – to determine what businesses were doing, or not doing, and what falls within the industry’s purview. By surveying a global audience of security professionals, we gained insight into how organizations handle PKI management, the problems they face, and their thoughts on the future of digital security.

Survey Report: Results and Observations

Below, we’ll delve into a detailed analysis of the results. We’ve also covered the implications of these results, which you’ll find at the end of this report.

#1 Outages are commonplace – acute disasters, not so much

Among the respondents, 11% claimed to have had zero certificate-related outages over the last two years – these organizations are likely to have powerful, end-to-end certificate management systems which encompass their entire networks. However, a majority of the respondents (65%) admit to having faced between one and ten certificate-related application or device outages, which is an alarming statistic. This only goes to show that, with the number of connected devices on the rise, the number of certificates they require is rising too – bringing with them a range of management issues and niggles that manual management only exacerbates. Finally, close to 25% were rocked by over ten outages, indicating serious flaws in their PKI systems.

However, that statistic is mildly offset by the fact that only 6% of the respondents’ organizations had experienced serious data breaches – the fact that most organizations are steering clear of breaches so far is a relief. The fact remains that breaches cannot be anticipated – even international giants like Equifax and Capital One have fallen victim to them in well-publicized media affairs.

Outages in last 2 years
  None: 11%
  Less than 10: 65%
  More than 10: 24%

Serious data breaches due to certificate issues
  Yes: 6%
  No: 93%

#2 A majority do not adhere to the mandated best practices for PKI management

The methods used to manage certificates and keys are collectively a critical factor in determining the potency of an organization’s PKI management strategy. To gauge how enterprises fared in this regard, respondents were quizzed on a handful of key data points.

The first point of interest was the certificate management technique employed. While 30% relied on CA-provided software, nearly 50% of the respondents used spreadsheets and custom internal tools to do so.

Certificate management technique
  Spreadsheets: 33%
  CA-provided tool: 30%
  Certificate Lifecycle Management tool: 21%
  Custom solutions: 16%

While the use of CA-provided software is temporarily acceptable (explained in detail in the Inference section), the use of legacy tools to manage PKI creates the potential for grave security threats, and should be avoided. Finally, only 21% were using dedicated Certificate Lifecycle Management software to actively manage enterprise-wide PKI in real time across their networks.

The second data point was, predictably, the private key management tactic employed. Private keys form the cornerstone of certificate management, acting as the decrypting half of the key pair in the asymmetric encryption used by almost all X.509 certificates. Naturally, keeping them highly secure is a top priority for businesses, as a compromised key is the weak link a hacker would need to infiltrate a network and commit espionage or data theft.

Private key storage
  Password-protected: 48%
  Basic encryption: 21%
  AES-256 encryption & HSMs: 20%
  Only the system using the key has a copy: 6%
  Unprotected documents: 5%

Collectively, nearly 60% of the respondents were found to use highly insecure key storage techniques, including passwords and unprotected documents. More than half of the remaining 40% used basic, easily crackable encryption to secure their keys, with only 20% leveraging the recommended AES-256 encryption or HSMs to do so, both of which make it virtually impossible for a criminal to crack them.

The third point we analyzed was whether or not businesses enforced both the monitoring and auditing of their certificate infrastructure in real time. While monitoring the network helps administrators quickly notice the presence of anomalies and rectify them, audits and audit trails enable organizations to adhere to policy and avoid undocumented large-scale network changes.

However, only 39% of the organizations surveyed used both these techniques in unison. The remaining 61% were a combination of teams that used either, or none at all.

Monitor and audit
  Yes: 39%
  No: 61%

Figure 1.2: Serious data breaches due to certificate issues



#3 Concerns over the business impacts of certificate outages continue to rise

The respondents had multiple concerns regarding the effect a certificate-related outage or application downtime would have on their businesses.

47% of them affirmed that damage to their brand was a large concern, given that competition for services is almost always stiff, and an outage signalled a lack of vigilance and caution. Outages also result in a drop in trust in the business, from customers, investors, potential investors, and board members alike. An outage is the most obvious sign of unreliability, and earning lost trust back in a competitive market is a difficult task.

A whopping 62% cited the loss of revenue due to service downtime as their top cause for worry. This comes as a predictable result, given the widespread nature of internet-based services today (with most businesses surveyed being primarily in the internet-based services vertical). Website downtime triggers delays and losses for businesses across the entire value chain, for their customers, and their customers in turn, making it imperative for businesses to ensure that their services are perennially in pristine working order.

40% stated that legal action and fines were a large cause of worry. These could come in the form of customer reconciliation packages, lawsuits, or fines levied on them by courts and compliance bodies.

26% of the respondents chalked out remediation costs to be an issue. Post-outage actions are wide-ranging and unpredictable, depending on the degree of damage the outage caused. While some victims simply have to get their certificates renewed or reissued, others could be instructed to rework their entire PKI management strategy and policies from the ground up.

Finally, a rather large chunk of the respondents (51%) stated an internal loss of productivity to be a factor while dealing with outages. With personnel devoting their working hours to getting customer-facing systems back online as soon as possible, internal tasks are put on hold, indirectly triggering an organization-wide drop in productivity.

Primary business impacts that concern businesses
  Revenue loss due to service downtime: 62%
  Internal productivity drop: 51%
  Brand damage: 47%
  Legal action and fines: 40%
  Remediation costs: 26%

#4 Businesses face significant fundamental challenges in deploying and managing PKI

The complexity involved with deploying PKI setups and efficiently managing them has multiplied manifold over the last decade. Developments like shrinking certificate validity, emerging technology, a rapidly increasing number of connected devices, and evolving standards have made it increasingly challenging for NetOps and SecOps teams to keep their certificate infrastructures in perfect working order – the presence of thousands of certificates eventually results in slippages like unnoticed expirations or lost certificates.

The majority of respondents (74%) cited their #1 concern as a lack of visibility into their own certificate infrastructures. With multiple departments across geographies requesting and enrolling certificates onto endpoints, a lack of a structured process to do so results in certificates being lost on the network. For instance, the expiration of one certificate could make it incredibly difficult for administrators to track, locate, and renew it.

A lack of understanding of PKI and a dearth of skilled PKI management personnel took up the next two spots on the graph, standing at 48% and 46% respectively.

Finally, technological limitations were also named as a cause for concern, with 20% of the respondents stating it. This is a growing issue for businesses – as more new technology like cloud applications and the internet-of-things finds applications in the market, network teams often find it difficult to apply suitable PKI strategies to them, due to a lack of awareness.

Challenges in deploying and managing PKI
  Lack of visibility into network: 74%
  Lack of understanding on PKI: 48%
  Lack of skilled personnel: 46%
  Technological limitations: 20%
  Other: 12%

#5 Disruptive new technologies will require PKI for security and authentication

Network and security personnel foresee the rise of cutting-edge technology in the markets of tomorrow – and all of them will require their endpoints to be safeguarded by PKI in order to protect the data they transmit and store.

The Internet-of-things (IoT) took prime position, closely followed by cloud applications and mobile technology. These implementations will require specialized PKI setups to function, each with their own set of standards and protocols that need to be followed. Businesses poised for growth will most certainly have to include them on their roadmaps, and their PKI infrastructures along with them.

The next big trend that will require PKI
  IoT: 62%
  Cloud software: 49%
  Mobile devices: 46%
  Others: 15%

The PKI Health Index

Average Score: 4/10
Recommended Score: 6+

To gauge the collective efficiency of certificate infrastructures across the respondents surveyed, we had to devise a scale which consolidated the objectives of the study into a linear, balanced performance indicator called the PKI Health Index. To do this, we considered five data points on the study:

▪ Reported outages over the last two years
▪ Serious data breaches due to certificate issues
▪ Certificate management technique
▪ Private key storage technique
▪ Monitoring and auditing

Designating a weighted score to each respondent’s answer to the above questions, we arrived at a ten-point scale (with each data point contributing two points). On assigning scores to individual respondents and obtaining a mean value, the results revealed that the average enterprise scored a 4/10 on the index.

This below-average score indicates that enterprises have a long way to go in terms of maintaining robust PKI setups. To do so, the first step would be to adopt the mandated best practices for certificate management and resolutely adhere to them.

Inference: Certificate Lifecycle Management is the need of the hour

A common observation was made across the scope of this study – a dedicated tool to automate and manage certificate lifecycles would circumvent most of the issues highlighted in this report.

CA-provided tools are ineffective for large infrastructures.

While businesses continue to invest in technology that helps manage PKI, their money isn’t in the right place. As is apparent from the statistics, over 60% of the organizations who took our survey rely on CA-issued software and/or custom solutions developed by internal IT to manage certificates and keys, rather than investing in dedicated certificate management tools. While the immediate cost benefits with this approach are tangible, they aren’t feasible in the long run, and here’s why: CA-provided software is an excellent alternative for businesses with a minimal quantum of certificates. However, with businesses now using a veritably massive number of certificates issued by multiple CAs, and across varying endpoints, devices, and virtual instances, the effectiveness of software built by a CA which focuses on managing certificates issued by themselves quickly fades away. They also lack the deep multi-vendor integration and workflow automation capabilities that dedicated tools have.

Custom internal solutions don’t scale.

Homegrown, custom solutions have their faults as well. In addition to the drawbacks of using CA-provided tools, these solutions also lack cohesive functionality, given that they’re usually developed on an ad-hoc basis, and not centrally deployed across a network – this fogs visibility. Moreover, they aren’t scalable, and fail to exert the intended level of control over a network’s constituent certificates once the number exceeds a certain threshold.

Dedicated certificate management provides the best of both worlds.

Certificate lifecycle management tools come with modules to manage each aspect of the process. From auto-scanning environments to detect and inventorize certificates, to automatically renewing expired certificates and revoking rogue ones, the entire lifecycle can be centrally managed from the tool’s interface. They’re also equipped with functionality that permits custom workflow definition, monitoring, and granular access control, allowing admins to manage their PKI with minimal effort, while maximizing RoI.

Study Demographics

Firm size: a 56% / 44% split between organizations with over 2000 employees and those with 500-2000 employees.

Industry
  Software and Tech: 67%
  BFSI: 13%
  Manufacturing: 9%
  Other: 7%
  Healthcare and Pharma: 3%
  Retail and Consumer Products: 1%

Recommended: 5 Best Practices for Certificate Management

Below, you’ll find a list of best practices curated by AppViewX experts that, if followed, will help businesses avoid outages and certificate-related issues.

1. Detect and inventorize

Gaining visibility into your network infrastructure is a critical necessity that aids in better management. Invest in a discovery tool that performs sweeping scans across your networks and multi-cloud environments and detects certificates issued by all CAs, across all endpoints. For best results, ensure that these results are documented in structured inventories, with pertinent information (such as expiration dates and certificate chains) added to them.

2. Enable dynamic monitoring

Use your certificate management tool to actively monitor the status of certificates and keys on your network. Create reports of key metrics (such as approaching renewals, expired certificates, and so on) that update in real time to promote quicker response times. Run periodic scans across the network to ensure that your certificate inventory is always up to date.
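As an added example (not code from the report, from AppViewX, or from CERT+), the Python script below shows the two practices above in working form: it normalizes certificates in the dict shape that Python’s ssl.SSLSocket.getpeercert() returns into a structured inventory record (subject, issuer, SANs, serial, expiry), groups the inventory by issuing CA so certificates from every CA land in one place, and classifies each endpoint as expired, renew-soon or ok against a renewal window. The scan results, hostnames, CA names, dates, the fixed "current time" and the 30-day window are constructed assumptions; fetch_peer_cert is the live-discovery hook a real periodic scan would call, and is not invoked offline.

```python
# Added example (not from the AppViewX report): build a certificate inventory from
# ssl.getpeercert()-style records and flag approaching renewals and expired certs.
import socket
import ssl
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 30  # assumption: anything expiring within 30 days is "renew-soon"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live discovery helper: returns an endpoint's leaf certificate as the dict that
    ssl.SSLSocket.getpeercert() produces. Needs network access, so the offline
    sample below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _rdn_value(rdn_seq, attr):
    """Pull one attribute (e.g. 'commonName') out of getpeercert()'s nested RDN tuples."""
    for rdn in rdn_seq:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def inventory_entry(endpoint, cert):
    """Normalize one getpeercert() dict into a flat inventory record."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    issuer = cert.get("issuer", ())
    return {
        "endpoint": endpoint,
        "subject_cn": _rdn_value(cert.get("subject", ()), "commonName"),
        "issuer": _rdn_value(issuer, "organizationName") or _rdn_value(issuer, "commonName"),
        "sans": [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"],
        "serial": cert.get("serialNumber"),
        "not_after": expiry,
    }


def classify(entry, now, window_days=RENEWAL_WINDOW_DAYS):
    """Status for the monitoring report: expired / renew-soon / ok."""
    days_left = (entry["not_after"] - now).days
    if days_left < 0:
        return "expired"
    if days_left <= window_days:
        return "renew-soon"
    return "ok"


def build_report(inventory, now, window_days=RENEWAL_WINDOW_DAYS):
    """Group endpoints by renewal status and by issuing CA (all CAs, not one vendor)."""
    by_status = {"expired": [], "renew-soon": [], "ok": []}
    by_issuer = {}
    for entry in inventory:
        by_status[classify(entry, now, window_days)].append(entry["endpoint"])
        by_issuer.setdefault(entry["issuer"], []).append(entry["endpoint"])
    return by_status, by_issuer


# Constructed sample: four endpoints as a scan might return them (no real hosts or CAs).
def _sample_cert(cn, issuer_org, not_after, serial):
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("organizationName", issuer_org),), (("commonName", issuer_org + " CA"),)),
        "subjectAltName": (("DNS", cn),),
        "serialNumber": serial,
        "notAfter": not_after,  # same text format getpeercert() uses
    }


SAMPLE_SCAN = {
    "web.example.com:443": _sample_cert("web.example.com", "CA One", "Dec 10 00:00:00 2019 GMT", "01"),
    "api.example.com:443": _sample_cert("api.example.com", "CA One", "Nov 20 00:00:00 2019 GMT", "02"),
    "mail.example.com:993": _sample_cert("mail.example.com", "CA Two", "Jun 30 00:00:00 2020 GMT", "03"),
    "vpn.example.com:443": _sample_cert("vpn.example.com", "CA Two", "Dec 31 00:00:00 2019 GMT", "04"),
}
SAMPLE_NOW = datetime(2019, 12, 1, tzinfo=timezone.utc)  # constructed "current time"


def sample_report():
    """Run the inventory + monitoring pass over the constructed scan."""
    inventory = [inventory_entry(ep, cert) for ep, cert in SAMPLE_SCAN.items()]
    return build_report(inventory, SAMPLE_NOW)


if __name__ == "__main__":
    by_status, by_issuer = sample_report()
    for status, endpoints in by_status.items():
        print(f"{status:<11}{', '.join(endpoints) or '-'}")
    for issuer, endpoints in by_issuer.items():
        print(f"issuer {issuer}: {len(endpoints)} certificate(s)")
```

In a real deployment the keys of SAMPLE_SCAN would come from looping fetch_peer_cert over the endpoint list on a schedule, and the by_status buckets would feed the renewal report the text describes; the fixed SAMPLE_NOW exists only so the offline run is reproducible.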

3. Enforce ownership hierarchies

Do not allow multiple teams across geographies to add, modify, and remove certificates at random points in time. Create role-based hierarchies and approval processes that will run every CSR or issuance call through the designated authorities. This will prevent the presence of phantom, undocumented certificates which could cause problems if they go undetected in the event of expiry or compromise.

4. Create an audit trail

Ensure that every change made to the PKI environment is thoroughly documented. Automate this process to reduce human effort in this regard. With an audit trail in place, anomalies can easily be detected, isolated, and resolved, saving teams the effort of scanning the entire ecosystem for issues when a problem is detected.
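The following Python example is added here to show practices 3 and 4 together; it is not code from the report or from AppViewX. Every PKI change is appended to a hash-chained log, so any later edit to an entry is detectable; an issuance can only be recorded against a prior approval by an authorized role for the same subject, which is the ownership hierarchy in code; and a discovery scan’s list of observed subjects can be diffed against the trail to surface phantom certificates that nobody recorded. The roles, actors, hostnames and the SHA-256 chaining scheme are constructed assumptions.

```python
# Added example (not from the AppViewX report): tamper-evident, hash-chained audit trail
# for PKI changes, with issuance gated on an approval and a phantom-certificate check.
import hashlib
import json

APPROVER_ROLES = {"pki-admin"}  # assumption: roles allowed to approve issuance


def _digest(body):
    """Canonical SHA-256 over an entry body (every field except the hash itself)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class PkiAuditTrail:
    GENESIS = "0" * 64  # prev-hash of the first entry

    def __init__(self):
        self.entries = []

    def _append(self, actor, role, action, subject, ref=None):
        """Record one change, chained to the previous entry's hash; returns its seq number."""
        body = {
            "seq": len(self.entries),
            "actor": actor,
            "role": role,
            "action": action,
            "subject": subject,
            "ref": ref,  # seq number of the entry this one depends on (request/approval)
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        self.entries.append(dict(body, hash=_digest(body)))
        return body["seq"]

    def request(self, actor, role, subject):
        return self._append(actor, role, "request", subject)

    def approve(self, actor, role, subject, request_seq):
        """Only designated roles may approve, and only against a matching request."""
        if role not in APPROVER_ROLES:
            raise PermissionError(f"role {role!r} may not approve issuance")
        req = self.entries[request_seq]
        if req["action"] != "request" or req["subject"] != subject:
            raise ValueError("approval must reference a matching request")
        return self._append(actor, role, "approve", subject, ref=request_seq)

    def issue(self, actor, role, subject, approval_seq):
        """Issuance is recorded only when an approval for the same subject is on file."""
        if approval_seq is None or not 0 <= approval_seq < len(self.entries):
            raise PermissionError(f"no approval on record for {subject}")
        appr = self.entries[approval_seq]
        if appr["action"] != "approve" or appr["subject"] != subject:
            raise PermissionError(f"no approval on record for {subject}")
        return self._append(actor, role, "issue", subject, ref=approval_seq)

    def verify_chain(self):
        """Recompute every hash and link; return the index of the first bad entry, or -1."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1

    def phantom_certificates(self, observed_subjects):
        """Subjects a discovery scan found that the trail never recorded as issued."""
        issued = {e["subject"] for e in self.entries if e["action"] == "issue"}
        return sorted(set(observed_subjects) - issued)


def demo():
    """Constructed walkthrough: one approved issuance, one refused, one tampered entry."""
    trail = PkiAuditTrail()
    req = trail.request("alice", "app-owner", "web.example.com")
    appr = trail.approve("bob", "pki-admin", "web.example.com", req)
    trail.issue("ca-connector", "automation", "web.example.com", appr)

    try:  # an issuance with nothing approving it is refused and never logged
        trail.issue("mallory", "app-owner", "rogue.example.com", None)
        refused = False
    except PermissionError:
        refused = True

    intact = trail.verify_chain()  # -1: every hash and link checks out
    phantoms = trail.phantom_certificates(["web.example.com", "rogue.example.com"])

    trail.entries[1]["actor"] = "eve"  # simulate after-the-fact tampering with the approval
    tampered_at = trail.verify_chain()  # 1: first entry whose stored hash no longer matches
    return refused, intact, phantoms, tampered_at


if __name__ == "__main__":
    print(demo())  # (True, -1, ['rogue.example.com'], 1)
```

The seq/ref links are what make the trail useful for isolating a problem: from any issued certificate you can walk back to the approval and the original request without scanning the whole environment, and verify_chain tells you exactly where the record stops being trustworthy.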

5. Automate the certificate lifecycle

A certificate lifecycle management tool integrates with your network to enable full-cycle automation. Minimizing the human effort expended on certificate operations will also reduce the risk of error that comes with it. Set up tasks that will automatically renew certificates when they near expiration, or custom workflows that can revoke and reissue all the certificates issued by a particular CA.

AppViewX CERT+ can help you adhere to the best practices for certificate management, and eliminate network outages and application downtime. Keep reading to learn more about CERT+, or sign up for a 30-minute live solution demo.



AppViewX CERT+: Complete Certificate Management Solution

AppViewX CERT+ is a full-cycle tool that makes managing certificates across environments extremely simple. Combining an intuitive interface with powerful functionality and diverse integrations, CERT+ is all you’ll need to manage the entire certificate lifecycle, without having to rely on multiple tools to do so.

▪ Scanning and Visibility
▪ Dynamic Monitoring
▪ Key Security and Management
▪ Role-based Access and Audit Control
▪ Automated Certificate Operations

About AppViewX

AppViewX is revolutionizing the way NetOps and SecOps teams deliver services to Enterprise IT. The AppViewX Platform is a modular, low-code software application that enables the automation and orchestration of network infrastructure using an intuitive, context-aware, visual workflow. It quickly and easily translates business requirements into automation workflows that improve agility, enforce compliance, eliminate errors, and reduce cost. AppViewX is headquartered in Seattle with offices in the U.S., U.K., and India. To know more, visit www.appviewx.com.

AppViewX Inc., 500 Yale Avenue North, Suite 100, Seattle, WA 98109
Email: info@appviewx.com
Phone: +1 (206) 207-7541, +44 (0) 203-514-2226
Web: www.appviewx.com

© 2019 AppViewX, Inc. All Rights Reserved.
