Organizations of all sizes have embraced digital transformation to unlock new lines of revenue, operate more efficiently, and deliver quality products and services faster than ever. New compute platforms and development practices – from the mobile workforce to the cloud, IoT and DevOps – create more opportunity for growth and agility.
Connectivity has consequently increased exponentially, reaching beyond the traditional perimeter. The Internet has become the new operating platform, as organizations shift from self-contained, highly trusted network environments to dispersed multi-cloud infrastructure.
Because of the growing number of connected devices and apps, combined with corporations’ constantly changing business operations, huge amounts of business and life-critical data (in the case of medical devices) are passing through millions of connection points, multiplying our potential attack surface.
In this world without traditional boundaries and network perimeters, how do organizations establish trust?
The Role of Digital Identities
Identity is the foundation for security in this new paradigm. Security teams must identify what is trusted and what is not trusted before enabling access to critical data. Every user, device and application needs a unique identity to authenticate and securely connect with one another.
To enable this, organizations use digital certificates and keys to verify authenticity and encrypt communications. However, as connectivity continues to grow, the number of keys and certificates used to protect these connections is growing too, and with it, the complexity of managing them.
Widespread Security Gaps
Nearly half of organizations use more than 10,000 certificates in their IT environment. Without proper management, these assets intended to build trust can all too quickly become risk liabilities. Compromised private keys used to sign code or decrypt sensitive data can be “weaponized” by attackers to distribute malware or steal data, while expired certificates can bring down mission-critical applications, even entire networks.
An increasing number of companies have fallen victim to certificate-related outages that have combined to affect millions of their end users. Unknown or expired certificates don’t just bring down systems, though; they also create network blind spots that leave organizations vulnerable to breach. The obvious example is the Equifax breach, which went undetected for months because of a single expired certificate.
Theft and misuse of keys have caused significant damage to businesses as well. Just this year, two major breaches were revealed to the public. In both cases, attackers gained access to poorly protected private keys to distribute malware to thousands of devices (in the case of ASUS) or compromise the trust of customers (in the case of NordVPN).
While it’s easy to call out these few examples, the underlying security gaps that caused these incidents are widespread across most organizations today. According to a 2019 Ponemon Report, 74% of organizations say certificates have caused and still cause unplanned downtime or outages. Furthermore, theft and misuse of server keys and certificates will impact 39% of organizations in the next two years.
But why is this situation getting worse instead of better?
Multiplying Risks & Challenges
Despite advances in containerization, cloud, and the IoT, the majority of public key infrastructure (PKI) admins still deploy and manage certificates using outdated methods. Manual tracking of certificates on spreadsheets or using custom scripts may have been sufficient for the static infrastructure of the ‘90s, but modern environments are agile and automated. Most organizations simply do not have the people, processes and technology needed to effectively provision, update and revoke certificates at the speed and scale their business now requires.
Shorter certificate lifecycles driven by industry mandates and instantly scalable infrastructure introduce new challenges – multiplying the workload for IT and security teams two- to three-fold in many cases. A patchwork of spreadsheets, internal PKI, and public certificate authorities (CAs) creates inefficiency and risk of outage or breach due to human error.
Keeping up with certificate expirations is not enough. Cryptographic algorithms that we rely on today will one day be obsolete, if not by changing industry standards, then by advances in quantum computing that could render even the strongest keys and algorithms vulnerable. Finding and replacing algorithms at massive scale will be problematic for most, considering it has taken years for organizations to move away from the MD5 and SHA1 algorithms.
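The two findings an inventory scan should surface, certificates that are expired or inside the renewal window (the outage and blind-spot problem above) and certificates still signed with the MD5 or SHA-1 family (the algorithm-replacement problem), in one audit routine. This is an added example using Go's standard library, not code from the original post or any vendor product; the 30-day renewal window, the example hostnames and the self-signed sample certificates are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// AuditDER parses one DER-encoded certificate from an inventory export and
// reports its lifecycle and algorithm problems as of now. A nil issue list
// means no action is needed before the next scan.
func AuditDER(der []byte, now time.Time, warnWithin time.Duration) (cn string, issues []string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		// An unreadable entry is exactly the blind spot the scan exists to find, so surface it.
		return "", nil, err
	}
	switch {
	case now.After(cert.NotAfter):
		issues = append(issues, "expired")
	case cert.NotAfter.Sub(now) < warnWithin:
		issues = append(issues, "expires within renewal window")
	}
	// The MD5 and SHA-1 family that organizations have taken years to retire.
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		issues = append(issues, "deprecated signature algorithm "+cert.SignatureAlgorithm.String())
	}
	return cert.Subject.CommonName, issues, nil
}

// selfSigned builds a constructed sample certificate (ECDSA P-256, not issued by any real CA).
func selfSigned(cn string, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

Pointing the same routine at a real export (a keystore dump or the DER blobs collected by a network scan) turns the spreadsheet into a repeatable check that runs on every deploy rather than when someone remembers.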
Effective PKI and cryptographic management requires the right set of specialized skills and resources as well, yet security teams struggle to find and retain them. Only 39% of organizations say they have sufficient IT security staff dedicated to PKI deployment. It is no wonder that we’ve seen an outbreak of certificate and key-related incidents in recent years.
It's An Exposure Epidemic
As IT and security leaders, we’re inundated with stories about security breaches. Our news feeds are so crowded with articles and posts that we’ve become numb to them. Yet, it’s become clear that shifts in the IT landscape have left our organizations more exposed than ever. If news feeds are any indicator, this isn’t just an outbreak, it’s an epidemic.
Learn more about the Exposure Epidemic. Read our white paper to find out how your organization stacks up against the imminent risks ahead.