Public Key Infrastructure (PKI) is a battle-tested tool that has emerged as a critical, security component for enterprises in all industries. Attackers are constantly seeking the easiest path to network access and a rise in certificate-based breach events like Equifax put the bullseye on digital identity and PKI risk.
Unlike today’s machine learning-based and automated security defenses, the PKI management process is a manual one for most IT teams. However, the industry’s skill shortage and lack of resources often leaves basic system management tasks like PKI at the bottom of the priority list. When that happens, compromising IoT devices or stealing sensitive keys and certificates becomes a low effort task for opportunistic attackers.
At SecTor, Canada’s premier IT security education conference, we conducted a survey to learn more about the challenges facing IT professionals working to manage their organization’s PKI. Here’s what respondents had to say:
1.) What is your biggest challenge with PKI?
Insufficient budget/high cost – 13%
Lack of sills and expertise – 18%
Manual or complex processes - 50%
Regulatory and compliance requirements – 18%
2.) Which of the following are you most concerned about?
Lack of PKI ownership or accountability – 24%
Outages and breaches caused by expired certificates – 14%
Securely adopting DevOps, cloud and IoT – 43%
Quantum threat and risk preparedness – 19%
3.) What would be the greatest benefit of a modern PKI solution?
Ability to scale with business growth – 22%
Automation of manual and complex tasks – 41%
Managed PKI infrastructure and operations – 8%
Visibility to all keys and digital certificates – 30%
4.) As a security professional, do you think more privacy and security legislation is required to better protect Canadian businesses and consumers?
Yes – 87%
No – 13%
5.) Do you think regulators and elected Canadian officials are doing enough to standardize security guidance on measures like data encryption?
Yes – 42%
No – 58%
These results aren’t surprising, considering the recurring themes we had with professionals at the conference:
Unplanned outages and downtime due to expired certificates impact virtually every team across the business. Infrastructure teams that weren’t directly involved in PKI suffer the impact of these outages due to slipped or missed certificates by their security team. Outages have a broader and more frequent impact across the business. Breaches are higher risk, but less likely, and more directly impact a single team – the security team.
Certificate lifecycle management is just part of the overall picture. Many organizations are struggling to build, deploy and properly manage their PKI in-house, not to mention certificates issued from their public CAs. Many people we spoke to, including those directly involved in the management of PKI, were not even aware that putting their PKI in the cloud was an option.
Code Signing Stakeholders
Many security teams are either not aware or not involved in the code signing process, meaning developers and dev managers are primarily responsible for the security of code signing keys. At the same time, developers and engineering teams lack understanding and appreciation for the risk involved in the code signing process.
Code Signing Risk Awareness
Much of the audience attending our conference presentation were not aware of recent and significant attacks that leveraged legitimate code signing certificates to breach organizations, including Operation Shadowhammer, that impacted ASUS.
Internet of Things (IoT)
Connected devices were a core theme throughout the conference, yet it seems that both manufacturers of IoT devices, as well as the enterprises adopting these devices, are far behind industry best practices. Despite explosive adoption of the IoT, fundamental security practices including firmware signing and device encryption and authentication are still lacking.
It’s clear that proper management of PKI for enterprise IT and security teams is becoming a serious challenge. There is significant pressure to support the day-to-day needs of the organization while simultaneously managing business growth and new initiatives. When it comes to cybersecurity, PKI will remain a core component of the broader security framework. And as businesses become more reliant on PKI to deliver trust, getting it right is mission critical.