Thales Blog

Are Your PKI Practices Putting Your Business At Risk?

October 18, 2016

Every day, our digital world is becoming more and more dependent on public key infrastructure (PKI). The need to create unique credentials that validate the identity of any person, device or service has never been more important. With the ever-present threat of cyberattacks, malicious insiders, or even employee mistakes, the role of digital credentials to control how sensitive data is accessed within an organization has reached new levels of criticality.

With this in mind, it is clear that PKI can no longer be considered an auxiliary or non-essential service; it has become a core component of an organization’s IT backbone. Our new 2016 PKI Global Trends Report, conducted by Ponemon, confirms this: it reveals that an organization’s PKI manages an average of eight distinct applications, such as public cloud applications and device authentication, up from the seven reported last year.

The most important trends behind this increase in the number of applications requiring certificate issuance services include a rise in cloud-based services and the Internet of Things (IoT). In fact, over a quarter (26 percent) of IT security professionals surveyed believe the IoT will drive changes in security infrastructure – a 14 percent increase over last year.

With PKIs under increasing pressure, often facing demands that were not forecast when they were first deployed, there is a real need for organizations to step up their efforts to secure their PKI as an important part of building a foundation of trust. But the report suggests there is still some way to go in achieving this.

Given the central role of PKI today and the increasing dependency indicated in the report, you would expect to also see increasing rigor applied to security. Yet, over a third (34 percent) of businesses rely on passwords alone to secure their PKI and just 32 percent of businesses use Hardware Security Modules (HSMs) -- a well-accepted best practice for offline root and online issuing certificate authorities (CAs). Although the HSM usage figure increased 4 percent over 2015, this figure remains surprisingly low.

What’s more, 37 percent of global businesses said they do not have a certificate revocation process in place. This figure is particularly concerning because revocation is an essential control in a well-architected, best-practice PKI. A certificate may need to be revoked for a number of reasons, including suspected compromise of the associated private key, or the suspected or actual compromise of a private key anywhere in the issuing hierarchy above it, up to the root key. And if a root private key is compromised, the result is likely to be significant disruption and downtime for PKI-dependent applications, as every certificate below it must be revoked and replaced. Without an efficient certificate revocation process, this application downtime can take days or even weeks to resolve, dealing a huge potential blow to business continuity.
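To make the hierarchy point above concrete, here is an added example in Go using only the standard library's crypto/x509 package. It is illustrative code written for this page, not code from Thales or from the Ponemon report, and every name in it (the CA common names, the serial numbers, the host name app.example.test) is constructed. It builds a root CA, an issuing CA and a server certificate, has each CA publish a CRL, and then checks the chain from the leaf upward, failing closed when a CRL is missing, not signed by the issuer, or past its NextUpdate. When the root revokes the issuing CA, the server certificate, which is itself listed on no CRL, is still rejected, which is exactly why a key compromise high in the hierarchy forces every certificate beneath it to be reissued.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on any setup error to keep this constructed demo short;
// production code would return the error instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Entity is one member of the constructed hierarchy: a certificate plus its private key.
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a P-256 key for the subject and has issuer sign a certificate
// for it; a nil issuer yields a self-signed root.
func issue(cn string, serial int64, isCA bool, issuer *Entity) *Entity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // a CA must be permitted to sign certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parent, signer := tmpl, crypto.Signer(key)
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return &Entity{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// publishCRL has a CA sign a CRL that lists the given certificates as revoked.
func publishCRL(ca *Entity, number int64, revoked ...*x509.Certificate) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key))
	return must(x509.ParseRevocationList(der))
}

// buildChain verifies the signature path from leaf to root; result is leaf first, root last.
func buildChain(leaf *x509.Certificate, issuing, root *Entity) []*x509.Certificate {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.Cert)
	inters.AddCert(issuing.Cert)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	return must(leaf.Verify(opts))[0]
}

// checkRevocation walks a verified chain upward and tests every certificate
// against the CRL of its issuer (map keyed by issuer subject). It fails closed
// when a CRL is missing, not signed by that issuer, or past NextUpdate, and
// returns the common name of the first revoked certificate found ("" if none).
func checkRevocation(chain []*x509.Certificate, crls map[string]*x509.RevocationList) (string, error) {
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		crl, ok := crls[string(issuer.RawSubject)]
		switch {
		case !ok:
			return "", fmt.Errorf("no CRL for issuer %q", issuer.Subject.CommonName)
		case crl.CheckSignatureFrom(issuer) != nil:
			return "", fmt.Errorf("CRL for %q has a bad signature", issuer.Subject.CommonName)
		case time.Now().After(crl.NextUpdate):
			return "", fmt.Errorf("CRL for %q is stale", issuer.Subject.CommonName)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return cert.Subject.CommonName, nil
			}
		}
	}
	return "", nil
}

// Demo builds root -> issuing CA -> server certificate, then simulates a suspected
// compromise of the issuing CA's key. It returns the revoked subject reported
// before and after the root publishes a CRL naming the issuing CA.
func Demo() (before, after string) {
	root := issue("Constructed Root CA", 1, true, nil)
	issuing := issue("Constructed Issuing CA", 2, true, root)
	server := issue("app.example.test", 3, false, issuing)
	chain := buildChain(server.Cert, issuing, root)

	// Healthy state: both CAs publish empty CRLs and the chain checks clean.
	crls := map[string]*x509.RevocationList{
		string(root.Cert.RawSubject):    publishCRL(root, 1),
		string(issuing.Cert.RawSubject): publishCRL(issuing, 1),
	}
	before = must(checkRevocation(chain, crls))

	// The issuing CA's key is suspected compromised, so the root revokes it.
	// The server certificate appears on no CRL, yet its chain is now unusable:
	// everything issued under that CA must be reissued from a replacement CA.
	crls[string(root.Cert.RawSubject)] = publishCRL(root, 2, issuing.Cert)
	after = must(checkRevocation(chain, crls))
	return before, after
}

func main() {
	before, after := Demo()
	fmt.Printf("revoked subject before compromise: %q, after: %q\n", before, after)
}
```

Running the program prints an empty subject before the compromise and "Constructed Issuing CA" after it. The fail-closed behaviour in checkRevocation is the design choice worth copying: a chain for which no current, correctly signed CRL can be found is treated as unverifiable rather than as valid, which is the gap a missing revocation process leaves open.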

All security controls used by businesses rely on a strong authentication and access control infrastructure. If a business cares about protecting its most sensitive data, a ‘fit for purpose’ PKI, with a strong root of trust and based on best practices, is more important than ever to ensure application availability and reduce the risk of potential disruptions.