Survey Report: The State of PKI Security and Management
www.appviewx.com
Contents
Executive Summary, p. 3
Introduction, p. 4
Study Inference, p. 12
Study Demographics, p. 13
AppViewX CERT+: Complete Certificate Management Solution, p. 16
Survey Report: The State of PKI Security and Management 3
Executive Summary

As the second decade of the millennium nears its end, hyperconnected reality has become incredibly ubiquitous. Security has become the #1 priority for enterprises riding the digital wave, and Public Key Infrastructure (or PKI) stands as the first and most important layer of defense against attackers for an internet-facing system. However, certificate-related issues still plague businesses, resulting in thousands of dollars' worth of losses every single year.

A 2019 study has revealed that businesses' PKI setups have a long way to go before they're considered truly secure and effective. Security teams continue to leverage legacy techniques to manage certificates and keys, resulting in outages and security breaches hitting corporations harder than ever before. What's more, leaders in tech anticipate the rapid growth of new technologies that will require authentication and security mechanisms, making the issue more pressing than ever – businesses need to step up their PKI management standards ASAP.

In this whitepaper, you'll find the results of the study, revealing the state of PKI in the industry today – including some surprising statistics, such as:

40%: Used some type of encryption to secure private keys.
30%: Still use spreadsheets to manage their PKI.
5%: Were hit by 5-10 certificate-related outages in the past year.

Average PKI Health Index: 4/10
Recommended PKI Health Index: 6+

On evaluating the results of the survey, it was discovered that the average enterprise scored only a 4/10 on the PKI Health Index. In addition to our critical analysis, we've also included a list of best practices teams can quickly adopt in order to score higher on the index, and hence, make their PKI setups more robust, scalable, and secure.
Introduction

The market for public key infrastructure is growing at an explosive rate, accounting for $1.65 Bn in 2019 – a figure projected to grow to $4.55 Bn by 2027.

This astronomical figure is justified, given the critical role it plays in securing information transmitted online. By authenticating the identities of endpoints on the web, PKI ensures that information is not misused or misappropriated anywhere along the value chain.

The PKI ecosystem can experience turbulence due to a myriad of reasons, and the effects are just as varied. Below are a few examples of certificate issues, their consequences, and how they can be remedied.

Of course, remediation is a protracted effort in the real world. Determining the cause of a certificate issue alone takes a significant amount of analysis and time. Manually having to determine the location and configuration of the certificate is not easy, either. What's more, these infractions come with a cost – outages and data breaches cost corporations millions of dollars in business losses, fines, and remediation costs every single year.

AppViewX initiated this study to gain visibility into the real-world state of PKI management today – to determine what businesses were doing, or not doing, and what falls within the industry's purview. By surveying a global audience of security professionals, we gained insight into how organizations handle PKI management, the problems they face, and their thoughts on the future of digital security.
Survey Report: Results and Observations

Below, we'll delve into a detailed analysis of the results. We've also covered the implications of these results, which you'll find at the end of this report.

#1 Outages are commonplace – acute disasters, not so much

Among the respondents, 11% claimed to have had zero certificate-related outages over the last two years – these organizations are likely to have powerful, end-to-end certificate management systems which encompass their entire networks. However, a majority of the respondents (65%) admit to having faced between one and ten certificate-related application or device outages, which is an alarming statistic. This only goes to show that, with the number of connected devices on the rise, the number of certificates they require is rising too – bringing with them a range of management issues and niggles that manual management only exacerbates. Finally, close to 25% were rocked by over ten outages, indicating serious flaws in their PKI systems.

However, that statistic is mildly offset by the fact that only 6% of the respondents' organizations had experienced serious data breaches – the fact that most organizations are steering clear of breaches so far is a relief. The fact remains that breaches cannot be anticipated – even international giants like Equifax and Capital One have fallen victim to them in well-publicized media affairs.

[Chart: certificate-related outages over the last two years: none 11%, fewer than ten 65%, more than ten 24%. Chart: serious data breaches: yes 6%, no 93%.]
[Chart: certificate management technique employed: CA-provided tool 30%, custom solutions 16%; two further segments (21% and 33%) lost their labels in extraction.]

The first point of interest was the certificate management technique employed. While 30% relied on CA-provided software, nearly 50% of the respondents used spreadsheets and custom internal tools to do so.

The second data point was, predictably, the private key management tactic employed. Private keys form the cornerstone of certificate management, acting as the decrypting half of the key pair in the asymmetric encryption used by almost all X.509 certificates. Naturally, keeping them highly secure is a top priority for businesses, as a compromised key is the weak link a hacker would need to infiltrate a network and commit espionage or data theft.
Collectively, nearly 60% of the respondents were found to use highly insecure key storage techniques, including passwords and unprotected documents.

However, only 39% of the organizations surveyed used both these techniques in unison. The remaining 61% were a combination of teams that used either, or none at all.

[Chart: organizations using both techniques in unison: yes 39%, no 61%.]
The respondents had multiple concerns regarding the effect a certificate-related outage or application downtime would have on their businesses.

47% of them affirmed that damage to their brand was a large concern, given that competition for services is almost always stiff, and an outage signalled a lack of vigilance and caution. Outages also result in a drop in trust in the business, from customers, investors, potential investors, and board members alike. An outage is the most obvious sign of unreliability, and earning lost trust back in a competitive market is a difficult task.

…personnel devoting their working hours to getting customer-facing systems back online as soon as possible, internal tasks are put on hold, indirectly triggering an organization-wide drop in productivity.

[Chart: primary business impacts that concern businesses.]

#4 Businesses face significant fundamental challenges in deploying and managing PKI

The complexity involved with deploying PKI setups and efficiently managing them has multiplied manifold over the last decade. Developments like shrinking certificate validity, emerging technology, a rapidly increasing number of connected devices, and evolving standards have made it increasingly challenging for NetOps and SecOps teams to keep their certificate infrastructures in perfect working order – the presence of thousands of certificates eventually results in slippages like unnoticed expirations or lost certificates.

The majority of respondents (74%) cited their #1 concern as a lack of visibility into their own certificate infrastructures. With multiple departments across geographies requesting and enrolling certificates onto endpoints, a lack of a structured process to do so results in certificates being lost on the network. For instance, when one such lost certificate expires, it can be incredibly difficult for administrators to track, locate, and renew it.

[Chart: challenges in deploying and managing PKI: lack of visibility into network 74%, lack of understanding on PKI 48%, lack of skilled personnel 46%, technological limitations 20%, other 12%.]

A lack of understanding of PKI and a dearth of skilled PKI management personnel took up the next two spots on the graph, standing at 48% and 46% respectively.

Finally, technological limitations were also named as a cause for concern, with 20% of the respondents stating it. This is a growing issue for businesses – as more new technology like cloud applications and the internet-of-things find applications in the market, network teams often find it difficult to apply suitable PKI strategies to them, due to a lack of awareness.
#5 Disruptive new technologies will require PKI for security and authentication

Network and security personnel foresee the rise of cutting-edge technology in the markets of tomorrow – and all of them will require their endpoints to be safeguarded by PKI in order to protect the data they transmit and store.

The Internet-of-things (IoT) took prime position, closely followed by cloud applications and mobile technology. These implementations will require specialized PKI setups to function, each with their own set of standards and protocols that need to be followed. Businesses poised for growth will most certainly have to include them on their roadmaps, and their PKI infrastructures along with them.

[Chart: the next big trend that will require PKI: IoT 62%, cloud software 49%, mobile devices 46%, others 15%.]
Inference: Certificate Lifecycle Management is the need of the hour

A common observation was made across the scope of this study – a dedicated tool to automate and manage certificate lifecycles would circumvent most of the issues highlighted in this report.

CA-provided tools are ineffective for large infrastructures.

While businesses continue to invest in technology that helps manage PKI, their money isn't in the right place. As is apparent from the statistics, over 60% of the organizations who took our survey rely on CA-issued software and/or custom solutions developed by internal IT to manage certificates and keys, rather than investing in dedicated certificate management tools. While the immediate cost benefits with this approach are tangible, they aren't feasible in the long run, and here's why: CA-provided software is an excellent alternative for businesses with a minimal quantum of certificates. However, with businesses now using a veritably massive number of certificates issued by multiple CAs, and across varying endpoints, devices, and virtual instances, the effectiveness of software built by a CA which focuses on managing certificates issued by themselves quickly fades away. They also lack the deep multi-vendor integration and workflow automation capabilities that dedicated tools have.

Custom internal solutions don't scale.

Homegrown, custom solutions have their faults as well. In addition to the drawbacks of using CA-provided tools, these solutions also lack cohesive functionality, given that they're usually developed on an ad-hoc basis, and not centrally deployed across a network – this fogs visibility. Moreover, they aren't scalable, and fail to exert the intended level of control over a network's constituent certificates once the number exceeds a certain threshold.

Dedicated certificate management provides the best of both worlds.

Certificate lifecycle management tools come with modules to manage each aspect of the process. From auto-scanning environments to detect and inventorize certificates, to automatically renewing expired certificates and revoking rogue ones, the entire lifecycle can be centrally managed from the tool's interface. They're also equipped with functionality that permits custom workflow definition, monitoring, and granular access control, allowing admins to manage their PKI with minimal effort, while maximizing RoI.
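The inventory and expiry-tracking step this inference describes, and the "unnoticed expirations" problem from challenge #4, as an added example that is not AppViewX code: a minimal DER walker that reads the validity period straight out of X.509 certificates and reports which entries in an inventory expire within a threshold. The certificate skeletons and the locations in SAMPLE_INVENTORY are constructed sample data; a real scan would feed in DER fetched from endpoints or read from disk.

```python
from datetime import datetime, timezone
UTC = timezone.utc

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, raw):
    """X.509 Time: UTCTime (0x17, two-digit year, >= 50 means 19YY) or GeneralizedTime."""
    text = raw.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def certificate_validity(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0  # skip the optional [0] EXPLICIT version
    for _ in range(3):  # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    tag_nb, nb, pos = _tlv(validity, 0)
    tag_na, na, _ = _tlv(validity, pos)
    return _parse_time(tag_nb, nb), _parse_time(tag_na, na)

def expiring_within(inventory, now, days=30):
    """inventory: {location: der_bytes} -> [(location, days_left)] for certificates expiring
    within `days`, soonest first; a negative days_left means it has already expired."""
    left = [(loc, (certificate_validity(der)[1] - now).days) for loc, der in inventory.items()]
    return sorted((item for item in left if item[1] <= days), key=lambda item: item[1])

def sample_certificate(not_after):
    """Constructed, unsigned certificate skeleton: real field order, empty names/signature."""
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths suffice here
    utctime = lambda dt: der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())  # years < 2050
    validity = der(0x30, utctime(datetime(2024, 1, 1, tzinfo=UTC)) + utctime(not_after))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + der(0x30, b"") + validity + der(0x30, b""))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_INVENTORY = {  # constructed locations, not real hosts
    "lb-1.example.internal:443": sample_certificate(datetime(2025, 6, 10, tzinfo=UTC)),
    "/etc/ssl/api-gateway.pem": sample_certificate(datetime(2025, 5, 20, tzinfo=UTC)),
    "vpn.example.internal:443": sample_certificate(datetime(2026, 1, 1, tzinfo=UTC)),
}
```

Calling expiring_within(SAMPLE_INVENTORY, now) with a timezone-aware `now` gives the renewal worklist; the same walk handles real DER, since the validity field sits at a fixed position in tbsCertificate.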
Study Demographics

[Chart: respondents by company size: over 2000 employees and 500-2000 employees (44% and 56%). Chart: respondents by industry: Healthcare and Pharma 3%, Retail and Consumer Products 1%, Other 7%, and BFSI, Software and Tech, and Manufacturing (13%, 9% and 67% in the extract; the assignment of these three values is not recoverable).]
Recommended
AppViewX CERT+:
Complete Certificate Management Solution
AppViewX CERT+ is a full-cycle tool that makes managing certificates across environments extremely
simple. Combining an intuitive interface with powerful functionality and diverse integrations, CERT+ is all
you’ll need to manage the entire certificate lifecycle, without having to rely on multiple tools to do so.
Dynamic Monitoring
About AppViewX
AppViewX is revolutionizing the way NetOps and SecOps teams deliver services to Enterprise IT. The AppViewX
Platform is a modular, low-code software application that enables the automation and orchestration of network
infrastructure using an intuitive, context-aware, visual workflow. It quickly and easily translates business
requirements into automation workflows that improve agility, enforce compliance, eliminate errors, and reduce
cost. AppViewX is headquartered in Seattle with offices in the U.S., U.K., and India. To know more,
visit www.appviewx.com.