Feb 12, 2020 9:47:33 AM
PKI Deployment Challenges & How To Avoid Them

This blog features insights from Keyfactor’s Chief Security Officer, Chris Hickman on the 2020 Keyfactor-Ponemon Institute Report: The Impact of Unsecured Digital Identities. Click Here to download and access the full report.

Public key infrastructure (PKI) is one of the most powerful tools in your IT stack. The math is complicated, but the core concept is simple. PKI allows you to use digital certificates to protect sensitive data, secure end-to-end communications, and provide a unique digital identity for the users, devices and applications across your business.

Not long ago, PKI was considered a niche technology – a tool built for a specific purpose, and for the most part, ran quietly in the background. Since then, the scope of PKI has expanded well beyond traditional use cases to devices, cloud infrastructure, containers and the IoT.

Without a doubt, the role of PKI has changed, but the challenges involved in deploying and managing it remain relatively the same. Despite its critical role, in-house PKI deployments often create more challenges (and costs) than they solve. That’s left most organizations looking in the rear-view mirror instead of realizing the full potential of their PKI deployment.

Fundamental Challenges in PKI Operations

In the recently released 2020 Keyfactor-Ponemon Institute Report: The Impact of Unsecured Digital Identities, survey responses from 603 IT and security professionals revealed some of the fundamental problems in PKI management. Let’s break down some of the core challenges and how they can impact your organization.

Insufficient Skills & Resources

If you’ve worked in the tech industry for some time, it’s no secret that there is a serious shortage in the cybersecurity workforce. As more of our critical infrastructure is plugged into the Internet, there’s a limited number of qualified people who understand the pressing need for cybersecurity.

PKI isn’t like any other technology in your IT stack – it requires highly specialized knowledge and skills to run it effectively. That skillset is not only rare, it is also difficult to retain.

According to the report, only 38% of respondents say their organization has sufficient staff dedicated to their PKI deployment.

Far too often, this leads to situations where PKI falls on inexperienced hands, where even the slightest mishap could cause a significant outage or security breach.

Lack of Investment

Despite the critical role of PKI in enterprise security, most organizations are still tackling the problem with a patchwork of spreadsheets, internal PKI, and CA-provided tools. The way we provision and run infrastructure has changed entirely – from static hardware to dynamic and highly automated infrastructure – yet many still use outdated, manual methods to deploy and manage their PKI.

Cybersecurity funding may be on the rise, but PKI is still, in many cases, inadequate and underfunded, which creates significant risks to the organization. Without the right tools and resources, PKI engineers or admins spend more time fighting fires than enabling new use cases that can benefit the business.

No Clear Ownership

One of the biggest PKI deployment challenges continues to be lack of clear ownership.

When asked, who owns the PKI budget; responses were all over the place, from IT operations (21%) and IT security (18%), to lines of business (19%) and networking teams (16%).

This often places conflicting pressure on those involved when something goes wrong – such as a failed audit or compromised CA.

PKI tends to be a technology used by all – owned by none. All too often, we see situations where every team from IT operations to developers are spinning up a separate PKI for specific applications, without any oversight by the security team. Not only does this lead to a PKI management mess, it also makes it much more difficult to enforce consistent policies and respond effectively to a security incident.

Security of the Root CA

The root certificate authority (CA) is the foundation of trust for every certificate issued across your environment. If you cannot trust your root CA, you cannot trust your PKI.

If we look at the report findings though, less than half of respondents (44%) are confident in the security of their root CA.

In all likelihood, that number is much lower, because many organizations assume their root CA is secure without conducting a proper audit. Another dangerous assumption is that digital certificates are inherently trusted and secure. If you do not know the policies of the issuing and root CAs, you cannot assume that issued certificates can be trusted.

How to Tackle Your PKI Problems

We’ve discussed the PKI deployment challenges, now it’s time to talk solutions. Here are three steps that you can take to ensure you have the right tools and resources to run your PKI right:

  • Build a Business Case: PKI and certificate management are often seen as overly technical, so business leaders simply don’t understand the importance of investing in them. Gartner says, “Security leaders that successfully reposition X.509 certificate management to a compelling business story, such as digital business and trust enablement, will increase program success by 60%, up from less than 10% today.”
  • Audit Your PKI: Start by understanding the current architecture of your PKI environment – how many CAs you have across your environment (including forgotten CAs), how they were implemented and for what purpose, and what security controls and policies were put in place. When it comes to the root CA, look for things like: does the root CA use an HSM? Or is the root CA offline at all times?
  • Invest in Expertise: Sometimes even the experts need expertise. PKI is critical infrastructure that demands routine care and feeding to keep it running securely. Enterprises must either be the experts or outsource their PKI to a trusted expert. Managed PKI providers can invest far more in state-of-the-art PKI infrastructure, security and expertise than is feasible for most organizations.

Take five minutes to calculate your organization’s Critical Trust Index and get personalized recommendations on how to effectively manage your PKI and digital certificates.

Calculate Your Score