Mar 14, 2019 9:00:00 AM
CSO Insights: Consequences of Failing a Key Management Audit

Insights from Chief Security Officer, Chris Hickman, on the 2019 Keyfactor-Ponemon Institute Report: The Impact of Unsecured Digital Identities

Thousands of digital certificates secure your business every day, yet many organizations only have visibility into a few hundred at best. As more users, devices and applications join the network, the number of keys and certificates only continues to grow – but budgets and staff never seem to keep up.

And compliance regulations seem to evolve just as quickly, leaving IT and security teams struggling to meet regulatory baselines, let alone get ahead.

For those at the front line of public key infrastructure (PKI), keeping track of keys and certificates can easily feel like the Wild West, where rogue administrators and cybercriminals are a constant threat to the enterprise they strive to defend. But for cybersecurity and IT executives not involved in the day-to-day, it’s business as usual.

That is, until the auditor comes knocking…

The Inevitable Audit: Are You Prepared?

It’s hard enough to stay ahead of expired certificates, but that alone isn’t enough. Organizations are increasingly subject to scrutiny by industry regulators. Auditors want to know that your organization’s keys and certificates are managed, protected, and consistent with industry standards.

Failure to comply often means imposed deadlines for remediation, taking highly skilled IT staff away from strategic projects, and scrambling to find and fix non-compliant assets.

It’s not just occasional audits either.

As organizations trend toward security score cards and KPI-driven cybersecurity programs (sometimes tied to compensation), IT security and compliance teams must ensure that each and every certificate falls in line with organizational standards, and be able to prove it.

To respond to these audit scenarios, your teams will need to generate a report to demonstrate that every certificate aligns with corporate policies and industry standards.

Sounds straightforward, right? Not quite.

Keeping Up with Compliance

A recent study by Ponemon Institute on The Impact of Unsecured Digital Identities reveals that most organizations still struggle to keep up with compliance. Gathering input from nearly 600 respondents, here are some of the key highlights:

  • Respondents experienced an average of more than five failed audit or compliance incidents in the past two years
  • The average economic loss from these incidents is estimated at $14.4 million
  • User and IT security team productivity suffers the most due to failed audits
  • There is a 42% likelihood that organizations will share the same experience over the next two years

But why do organizations so often fail to meet compliance?

Most often, rogue and non-compliant certificates find their way into your network through a lack of tight controls around certificate requests and insufficient policy enforcement.

Since digital certificates play a critical role across virtually every line of business – from protecting your network and connected devices to securing your website – many stakeholders are involved. Conventionally slow and manual processes for obtaining certificates from IT often lead other business units to opt for faster, non-compliant alternatives.

When there are no controls over how administrators request, renew and install certificates, they are far more likely to violate IT policies, and it quickly becomes impossible to know where every certificate is located, how they are used, or who owns them.

The biggest mistake is thinking that manual tracking in Excel or a database will pass audit requirements. Auditors will view these spreadsheets with even greater scrutiny, checking that the data has not been manipulated or entered incorrectly.

If you’re familiar with this process, you know it can take several days or even longer for large environments. Simply put – uncontrolled, undocumented, and unenforced key and certificate management will inevitably make every audit a logistical nightmare.

3 Ways to Ensure Key Management Audit Success

So, what can you do to ensure your next audit is a success?

  • Automate certificate requests: Enforce tight controls and automate the process for every business unit to request, renew and issue certificates. That way, you keep a complete inventory and audit trail of keys and certificates from a single location, and your teams trade time-consuming manual processes for instant self-service.
  • Invest in crypto-agility: Knowing where every certificate lives is only part of the audit challenge. If an audit uncovers policy violations, you must be able to quickly change keys and certificates on assets, without manual intervention.
  • Consider cloud-hosted PKI: Managed PKI service providers typically offer stronger evidence for audit points than on-premises solutions, because cloud-hosted security services are themselves required to comply with industry standards.
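The per-certificate policy report described above can be produced with a small inventory check. The Go program below is an added example, not code from Keyfactor or the Ponemon report: it evaluates each parsed X.509 certificate against an assumed corporate baseline (key size, signature algorithm, validity period, renewal window) and returns every violation as an audit finding. The policy values, the hostname and the self-signed sample certificate are all constructed for the example.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Policy is a hypothetical corporate certificate baseline, constructed for this example.
type Policy struct {
	MinRSABits  int
	MaxValidity time.Duration                   // e.g. 398 days, the CA/Browser Forum limit for public TLS certs
	RenewWithin time.Duration                   // flag certificates that expire sooner than this
	AllowedSigs map[x509.SignatureAlgorithm]bool // signature algorithms the policy permits
}
// DefaultPolicy is the assumed baseline: RSA >= 2048 bits, SHA-256 signatures, at most 398 days, renew 30 days out.
var DefaultPolicy = Policy{MinRSABits: 2048, MaxValidity: 398 * 24 * time.Hour, RenewWithin: 30 * 24 * time.Hour,
	AllowedSigs: map[x509.SignatureAlgorithm]bool{x509.SHA256WithRSA: true, x509.ECDSAWithSHA256: true}}
// Audit returns one finding per policy violation for a parsed certificate; an empty slice means compliant.
func Audit(cert *x509.Certificate, pol Policy, now time.Time) []string {
	var findings []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < pol.MinRSABits {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits, policy minimum is %d", pub.N.BitLen(), pol.MinRSABits))
	}
	if !pol.AllowedSigs[cert.SignatureAlgorithm] {
		findings = append(findings, "signature algorithm "+cert.SignatureAlgorithm.String()+" is not permitted")
	}
	if v := cert.NotAfter.Sub(cert.NotBefore); v > pol.MaxValidity {
		findings = append(findings, fmt.Sprintf("validity period of %d days exceeds policy maximum", int(v.Hours()/24)))
	}
	if now.After(cert.NotAfter) {
		findings = append(findings, "expired on "+cert.NotAfter.Format("2006-01-02"))
	} else if cert.NotAfter.Sub(now) < pol.RenewWithin {
		findings = append(findings, "expires within the renewal window")
	}
	return findings
}
// SampleCert builds a constructed self-signed certificate (not real data) that breaks the baseline:
// 1024-bit RSA, issued 700 days ago, expiring in 20 days. Errors are ignored because the input is fixed.
func SampleCert() *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 1024)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "legacy.example.internal"},
		NotBefore: time.Now().Add(-700 * 24 * time.Hour), NotAfter: time.Now().Add(20 * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Running `Audit(SampleCert(), DefaultPolicy, time.Now())` yields three findings (weak key, over-long validity, imminent expiry); in a real inventory the loop would run over every certificate pulled from the CA database, key stores and endpoints and the findings would be the body of the audit report.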

As cybersecurity and IT executives, we know that just one failed audit can seriously impact the productivity of our teams, the reputation of our brand, and of course, trust in our own ability to keep the business safe and secure.

It’s our role to drive cybersecurity out of the basement and into the boardroom. With a seat at the table, our teams can plan more effective ways to deal with emerging threats and compliance hurdles – reducing the risk of unforeseen (and costly) audit failures.

I’d love to hear more about your company’s experience and compare it to the report’s findings. Please reach out to me and let’s find a time to talk.
