Most organizations (73 percent) surveyed for a new research report continue to experience unplanned downtime and outages due to mismanaged digital certificates.
 
More than half of respondents (55 percent) say their organizations have experienced four or more certificate-related outages in the past two years alone, according to the new Keyfactor-Ponemon Institute report, The Impact of Unsecured Digital Identities. “Connectivity and the number of digital identities within the enterprise has grown exponentially thanks to continued cloud, mobile, DevOps and IoT adoption,” said Chris Hickman, chief security officer at Keyfactor. “The complexity of managing those identities while keeping them securely connected to the business has created a critical trust gap – in many cases the keys and certificates designed to build trust are instead causing outages and security breaches.”

 

Digital certificates and keys ensure authenticity across enterprise user, application and device identities, says the report. "Cryptographic algorithms encrypt the data associated with those identities, providing secure communication and exploit protection. Two-thirds of respondents say their organization is adding additional layers of encryption to comply with industry regulations and IT policies; however, shorter certificate validity has doubled the management workload on short-staffed IT and security teams," notes the study. 

An estimated average of 88,750 keys and certificates are used by organizations today to secure data and authenticate systems. However, 74 percent of respondents believe their organizations do not know exactly how many keys and certificates (including self-signed) they have, much less where to find them or when they expire. Furthermore, 76 percent of respondents say that failure to secure keys and certificates undermines the trust their organization relies upon to operate.
 
Additional findings include: 
  • Failed audits due to insufficient key management practices, and compromised or rogue certificate authorities (CAs), are the most frequent and most serious problems organizations face when managing PKI and cryptography. 
  • Two-thirds of organizations are adding additional layers of encryption technologies to comply with industry regulations and IT policies. As a result, managing a growing number of cryptographic keys and digital certificates has increased operational costs and reduced the overall efficiency of business processes.
  • Only 38 percent of respondents say their organizations have enough IT security staff members dedicated to their PKI deployment. More than half of respondents (53 percent) say they are unable to hire and retain qualified IT security personnel. Responsibility for the PKI budget is also dispersed throughout the organization, with IT operations (21 percent) and lines of business (19 percent) cited most often as owners of the PKI budget.
  • According to respondents, the top four strategic priorities for digital security in their enterprise are: authenticating and controlling IoT devices, knowing the expiration date of certificates, reducing complexity in their IT infrastructure, and reducing the risk of unknown certificates in the workplace (i.e., shadow IT).
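Two of the problems the report names, not knowing when certificates expire and not knowing which self-signed certificates exist, are the kind of thing a small inventory script catches. The following is an added example, not code from the report or from Keyfactor: it walks the DER of each PEM certificate with the standard library only (no `cryptography` package), pulls out the validity period, and flags a certificate as self-signed when its issuer and subject names are byte-for-byte identical. The sample certificates are hand-built, unsigned DER constructed inside the script so it runs offline; the file names, the 30-day warning window and the fixed "now" timestamp are assumptions for the demonstration.

```python
"""Added example: inventory PEM certificates, report days to expiry, flag self-signed.
Standard library only. The sample certificates are constructed (unsigned DER),
not real certificates; the parser reads only tbsCertificate up to subject."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value, raw_tlv_bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, nxt = _tlv(buf, pos)
        yield tag, val, buf[pos:nxt]
        pos = nxt


def _parse_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ, RFC 5280 century rule) or GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_cert(der):
    """Return not_before, not_after and a self-signed flag from a DER certificate."""
    _, cert, _ = _tlv(der)
    _, tbs, _ = _tlv(cert)                 # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serial, signature AlgorithmIdentifier, issuer, validity, subject
    issuer_raw, validity, subject_raw = fields[2][2], list(_children(fields[3][1])), fields[4][2]
    return {
        "not_before": _parse_time(*validity[0][:2]),
        "not_after": _parse_time(*validity[1][:2]),
        "self_signed": issuer_raw == subject_raw,   # issuer Name identical to subject Name
    }


def inventory(pem_blobs, now, warn_days=30):
    """Classify each certificate as expired / expiring / ok; return (name, state, days_left, self_signed)."""
    rows = []
    for name, pem in pem_blobs.items():
        for m in PEM_RE.finditer(pem):
            info = parse_cert(base64.b64decode(m.group(1)))
            left = (info["not_after"] - now).days
            state = "expired" if left < 0 else "expiring" if left <= warn_days else "ok"
            rows.append((name, state, left, info["self_signed"]))
    return rows


# ---- constructed sample data: minimal unsigned DER built by hand (assumption, not real certs) ----
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF { OID 2.5.4.3 (CN), UTF8String }."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_pem(issuer_cn, subject_cn, not_before, not_after):
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + b"\x05\x00")  # sha256WithRSA
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + _name(issuer_cn)
               + _der(0x30, utc(not_before) + utc(not_after)) + _name(subject_cn)
               + _der(0x30, alg + _der(0x03, b"\x00")))      # placeholder SubjectPublicKeyInfo
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00"))         # placeholder (empty) signature
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)            # fixed clock for the demonstration
SAMPLES = {
    "web.pem": make_pem("Corp Issuing CA", "web.example", datetime(2024, 1, 1), datetime(2024, 6, 20)),
    "legacy-selfsigned.pem": make_pem("legacy-appliance", "legacy-appliance", datetime(2019, 1, 1), datetime(2024, 1, 1)),
    "api.pem": make_pem("Corp Issuing CA", "api.example", datetime(2024, 1, 1), datetime(2025, 6, 1)),
}


def run_sample():
    return inventory(SAMPLES, NOW)


if __name__ == "__main__":
    for name, state, left, self_signed in run_sample():
        print(f"{name:24} {state:9} {left:5d} days  self-signed={self_signed}")
```

Against the constructed samples the script reports `web.pem` as expiring in 19 days, the self-signed `legacy-appliance` certificate as expired, and `api.pem` as fine for 365 days. In a real inventory the `SAMPLES` dict would be replaced by PEM files found on disk, and the issuer-equals-subject test is only a first-pass indicator: a certificate can be self-issued without being self-signed, so an AuthorityKeyIdentifier or signature check is the authoritative test.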

“Our 2019 report was a wake-up call in many ways – it was the first report of its kind to investigate the role that digital certificates and keys play in creating trust inside and outside organizations,” said Dr. Larry Ponemon, founder of the Ponemon Institute. “In many ways I was optimistic that we’d see progress this year as more executives invested the resources needed to close the gap between ‘standard practice’ in PKI and ‘best practice’. This year’s report shows that while progress has been made in a few areas, that gap is actually growing wider.”

“This report reinforces cryptography’s importance within the security agenda,” said Hickman. “In many cases, PKI remains a manual function with ownership split across IT and security teams. Growing connectivity has created an exposure epidemic. Without a clear PKI in-house or outsourced program owner and process to close critical trust gaps, the risk of outages and breaches will continue to rise.”