2020 brings unique levels of PKI usage challenges

Organizations are rapidly increasing the size, scope and scale of their data protection infrastructure, reflected in dramatic rises in adoption of public key infrastructure (PKI) across enterprises worldwide, according to Entrust research.

PKI usage

PKI is at the core of nearly every IT infrastructure, enabling security for critical digital initiatives such as cloud, mobile device deployment, identities and the IoT.

The annual study is based on feedback from more than 1,900 IT security professionals in 17 countries.

IoT, authentication and cloud, top drivers in PKI usage growth

As organizations become more dependent on digital information and face increasingly sophisticated cyberattacks, they rely on PKI to control access to data and ascertain the identities of people, systems and devices on a mass scale.

IoT is the fastest growing trend driving PKI application deployment, up 26 percent over the past five years to 47 percent in 2020, with cloud-based services the second highest driver cited by 44 percent of respondents.

PKI usage surging for cloud and authentication use cases

TLS/SSL certificates for public-facing websites and services are the most often cited use case for PKI credentials (84 percent of respondents).

Public cloud-based applications saw the fastest year-over-year growth, cited by 82 percent, up 27 percent from 2019, followed by enterprise user authentication by 70 percent of respondents, an increase of 19 percent over 2019. All underscore the critical need of PKI in supporting core enterprise applications.

The average number of certificates an organization needs to manage grew 43 percent in the 2020 study over the previous year, from 39,197 to 56,192 certificates, highlighting a pivotal requirement for enterprise certificate management.

The rise is likely driven by the industry transition to shorter certificate validity periods, and the sharp growth in cloud and enterprise user authentication use cases.

Challenges, change and uncertainty

The study found that IT security professionals are confronting new challenges to enabling applications to use PKI. 52 percent cited lack of visibility of an existing PKI’s security capabilities as their top challenge, an increase of 16 percent over the 2019 study.

This issue underscores the lack of cybersecurity expertise available within even the most well-resourced organizations, and the need for PKI specialists who can create custom enterprise roadmaps based on security and operational best practices.

Respondents also cited inability to change legacy applications and the inability of their existing PKIs to support new applications as critical challenges – both at 51 percent.

When it comes to deploying and managing a PKI, IT security professionals are most challenged by organizational issues such as no clear ownership, insufficient skills and insufficient resources.

PKI deployment figures from the study clearly indicate a trend toward more diversified approaches, with as-a-service offerings even becoming more prevalent than on-premise offerings in some countries.

The two greatest areas of PKI change and uncertainty come from new applications such as IoT (52 percent of respondents) and external mandates and standards (49 percent). The regulatory environment is also increasingly driving deployment of applications that use PKI, cited by 24 percent of respondents.

Security practices have not kept pace with growth

In the next two years, an estimated average of 41 percent of IoT devices will rely primarily on digital certificates for identification and authentication. Encryption for IoT devices, platforms and data repositories, while growing, is at just 33 percent – a potential exposure point for sensitive data.

Respondents cited several threats to IoT security, including altering the function of IoT devices through malware or other attacks (68 percent) and remote control of a device by an unauthorized user (54 percent).

However, respondents rated controls relevant to malware protection – like securely delivering patches and updates to IoT devices – last on a list of the five most important IoT security capabilities.

The US National Institute of Standards and Technology (NIST) recommends that cryptographic modules for certificate authorities (CAs), key recovery servers and OCSP responders should be validated to FIPS 140-2 level 3 or higher.

Thirty-nine percent of respondents in this study use hardware security modules (HSMs) to secure their PKIs, most often to manage the private keys for their root, issuing, or policy CAs. Yet only 12 percent of respondents indicate the use of HSMs in their OSCP installations, demonstrating a significant gap between best practices and observed practices.

“PKI underpins the security of both the business and the consumer world, from digitally signing transactions and applications to prove the source as well as integrity, to supporting the authentication of smart phones, games consoles, citizen passports, mass transit ticketing and mobile banking, says Larry Ponemon, founder of the Ponemon Institute.

“The 2020 Global PKI and IoT Trends Study shows a surge in the use of PKI credentials for cloud-based applications and enterprise user authentication, underscoring the criticality of PKI in supporting core enterprise applications.”

“We are seeing increasing reliance on PKI juxtaposed with struggles by internal teams to adapt it to new market needs — driving changes to traditional PKI deployment models and methods,” says John Grimm, vice president strategy for digital solutions at Entrust.

“In newer areas like IoT, enterprises are clearly failing to prioritize security mechanisms like firmware signing that would counter the most urgent threats, such as malware.

“And with the massive increase in certificates issued and acquired found in this year’s study, the importance of automated certificate management, a flexible PKI deployment approach, and strong best practice-based security including HSMs has never been greater.”

10 considerations in order to ensure business continuity for PKI

Every year, enterprises face unforeseen events that can disrupt operations. These events are rarely predictable and often create significant challenges for IT and security teams, the network, and even hardware supply chains. That’s where business continuity comes in – to ensure that core functions remain intact, despite the disruption. A critical component of business continuity is public key infrastructure (PKI).

At the core of enterprise IT, PKI is a fundamental tool used to protect sensitive data and secure connections across multiple business-critical applications. In fact, the average PKI today supports more than eight different applications, from customer-facing websites and services to private network and VPN access. If PKI is mishandled, though, it can create significant disruption and application downtime.

Business continuity planning must account for your PKI and all applications that depend on it. With increasing pressure on PKI to protect new use cases, such as cloud services, mobile and remote workforces, the ability to support scale, availability and assurance is even more critical.

Below are 10 considerations to ensure business continuity for your PKI:

1. Don’t cut corners during implementation – Sometimes it’s just too easy to click “next, next, next” when configuring a Microsoft CA (certificate authority), but simple missteps can expose your organization to serious risk and service disruptions down the line.

2. Track expiration dates – If your root CA is up for renewal in the next 8-12 months, you should start planning resources appropriately. If your root CA expires, all certificates issued from it expire. Industry-standard practice is to renew the root CA after 10 years, and re-key after 20 years.

3. Plan for physical access to your root CA – The foundation of trust for your PKI, a root CA should be kept offline, air-gapped from the network and protected with an HSM (hardware security module). However, this means that routine maintenance tasks, like publishing a certificate revocation list (CRL), require multiple staff to be physically present. If remote HSM cardholders are miles (not steps) from the root CA server, this becomes much more difficult.

4. Don’t forget about renewals – If a CA is down, you’ll be unable to issue new certificates, but if your CRL is expired, all your certificates become immediately unusable. That’s because most applications need to check the validity of certificates against a CRL or OCSP server. If they cannot reach the CRL server, or if the CRL itself is expired, users will be unable to access their application.

5. Leave a sufficient CRL overlap – There are three points in time that matter when it comes to your CRL: the time you publish it, the time it expires and the period of overlap in between. Remember that CRL publishing is a manual process for offline CAs. The purpose of this overlap is to provide time to manually push the new CRL before the old CRL expires, and to avoid a gap in availability.

6. Make sure your CDPs are internet-routable – When an application checks for revoked certificates, it retrieves the current CRL from a specified CRL distribution point (CDP). After the CRL is retrieved, it’s typically cached until it expires. If users move outside your network, the CDP must be reachable over the Internet to ensure that devices can still retrieve the new CRL when needed. The CRL should be accessible via an HTTP URL.

7. Check the disk space on your issuing CAs – Carefully consider if there is enough disk space on all issuing CA servers to handle expanded use. For example, if you enable thousands of remote workers with certificates for SSL VPN, you must ensure the CA database is equipped to store the influx of certificates and audit logs without latency issues.

8. Ensure regular backups – CA backups aren’t fool proof and need to be regularly tested. If you have a backup of your CA database but not the HSM, the CA can’t be recovered anyway. Ensure that everything is automatically and periodically backed up to ensure resiliency should a system failure occur.

9. Inventory certificates – It’s critical to keep a complete inventory of every certificate issued form both your internal and public CAs. Know where every certificate lives and which applications are dependent on them. If SSL VPN becomes a business-critical application for your workforce, you’ll need to re-assess the risk related to these certificates.

10. Track certificate expirations and ownership – Organizations cannot afford the application downtime or service disruptions caused by expired certificates. However, chasing down application owners to renew their certificates can be challenging if employees work remotely. As you build your inventory, actively monitor certificates, define clear responsibilities and notify owners well before expiration.

Periodic business continuity exercises should be performed to ensure a quick and efficient way to bring business operations back to normal in the case of a disruptive event. Proper access to the facilities and root CA should be reviewed. All documentation should be up to date, tested and understood by all stakeholders who would be involved in business continuity efforts.

If there is a legitimate need for a change, kick off a change control to update any documents. Think of them as living, breathing documents that evolve with the goal of maintaining the PKI’s intended level of assurance.

Organizations still struggle to manage foundational security

Regulatory measures such as GDPR put focus on data privacy at design, tightening requirements and guiding IT security controls like Public Key Infrastructure (PKI).

foundational security

Continued adoption of IoT, cloud and mobile technologies are increasing the number of digital certificates and keys that ensure secure connections and identity authentication through PKI, a Keyfactor and Ponemon Institute research reveals.

“This research demonstrates that despite heightened compliance focus, businesses struggle to manage foundational security like PKI and the tools and processes that maintain it. This is concerning, especially as the number of digital certificates and keys within enterprise continues to multiply,” said Chris Hickman, CSO at Keyfactor.

Regulatory compliance a strategic priority

Half of respondents indicate regulatory compliance as a strategic priority and two-thirds say their organization is adding additional layers of encryption to comply with regulations and IT policies.

However, undocumented or unenforced key management policies are problematic, with respondents averaging more than four failed audits or compliance experiences in the last 24 months.

“Less than half of respondents say they have sufficient staff dedicated to PKI,” said Hickman.

“A lack of program ownership, combined with the constant care and feeding that digital identities need, has introduced new risk, creating an exposure epidemic. Unless leaders invest in in-house processes and outsourced resources to manage PKI, enterprise will risk failed audits, fines and worse, a security breach.”

foundational security

Foundational security: Additional findings

  • A rise in security incidents: on average, organizations experienced a Certificate Authority (CA) or rogue man-in-the-middle (MITM) and/or phishing attack four times in the last 24 months, facing a 32% likelihood of a MITM or phishing attack over the next 24 months.
  • Staffing shortages: on average, 15% of IT security budget is spent on PKI deployment annually, yet just 43% of respondents say their organisation has enough IT security staff members dedicated to PKI deployment.
  • Lack of visibility: 70% of respondents say their organisation does not know how many digital certificates and keys it has within the business.
  • Cryptography related security incidents undermine trust: 68% of respondents say failure to secure keys and certificates undermines the trust their organisation relies upon to operate.
  • Cryptography lacks a center of excellence: despite the rising cost of PKI and growth of cryptography-related incidents, just 40% of companies have the ability to drive enterprise-wide best practice.
  • Spending trend: represented organizations are spending an average of £9.37M on IT security annually, with £1.37M dedicated to PKI.

Let’s Encrypt will revoke 3m+ TLS/SSL certificates

Starting with 20:00 UTC (3:00pm US EST), today (March 4), the non-profit certificate authority Let’s Encrypt will begin it’s effort to revoke a little over 3 million TLS/SSL certificates that it issued while a bug affected its CA software.

Preliminary investigation suggests the bug was introduced on July 25, 2019, but a more detailed investigation is under way – though, for now, it seems that “it’s not likely that there was any significant mis-issuance as a result of this incident.”

Nevertheless, affected certificate owners have been urged to renew and replace their certificate(s) so that their sites don’t end up showing this type of alert to visitors:

revoke TLS/SSL certificates

About the CAA rechecking bug

As explained by Let’s Encrypt engineer (and Senior Staff Technologist at EFF) Jacob Hoffman-Andrews, the software in question – named Boulder – checks for CAA records at the same time it validates a subscriber’s control of a domain name.

“Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (…), so any domain name that was validated more than 8 hours ago requires rechecking,” he noted.

“The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.”

Of the 3 million+ certificates affected, about 1 million are duplicates of other affected certificates (i.e., they cover the same set of domain names).

Are you affected?

Let’s Encrypt, which is run by Internet Security Research Group (ISRG), has been emailing affected subscribers for whom they have contact information, but many might still not be aware of the situation. If they don’t manage to get a new, valid certificate in place before the revocation, visitors might end up losing trust in the safety of their websites.

The CA has provided a tool for checking whether one is using an affected certificate and additional instructions.

Security researcher Scott Helme has made available a list of affected domains.

Digital certificates still cause unplanned downtime and application outages

51% of enterprises claim low ability to detect and respond to digital certificate and key misuse, according to Keyfactor and the Ponemon Institute.

digital certificates downtime

“Connectivity and the number of digital identities within the enterprise has grown exponentially thanks to continued cloud, mobile, DevOps and IoT adoption,” said Chris Hickman, CSO, Keyfactor.

“The complexity of managing those identities while keeping them securely connected to the business has created a critical trust gap – in many cases the keys and certificates designed to build trust are instead causing outages and security breaches.”

Digital certificates and keys ensure authenticity across enterprise user, application and device identities. Cryptographic algorithms encrypt the data associated with those identities, providing secure communication and exploit protection.

Two-thirds of respondents say their organization is adding additional layers of encryption to comply with industry regulations and IT policies; however, shorter certificate validity has doubled the management workload on short-staffed IT and security teams.

Additional key findings

  • Connected IoT increasing risk: 60% say they’re adding additional layers of encryption technologies to secure IoT devices, but 46% admit low ability to maintain IoT device identities and cryptography over device lifetime.
  • A rise in security incidents: on average, organizations have experienced a Certificate Authority (CA) or rogue man-in-the-middle (MITM) and/or phishing attack five times in the last 24 months, with a 40% likelihood of a MITM or phishing attack over the next 24 months; 73% of respondents admitted that digital certificates have and continue to cause unplanned downtime and outages.
  • Staffing shortages: on average, 16% of the IT security budget is spent on PKI deployment annually, yet just 38% of respondents say their organization has enough IT security staff members dedicated to PKI deployment.
  • Cryptography related security incidents undermine trust: 76% of respondents say failure to secure keys and certificates undermines the trust their organization relies upon to operate.
  • Cryptography lacks a center of excellence: Despite the rising cost of PKI and growth of cryptography-related incidents, just 60% of companies have the ability to drive enterprise-wide best practices.

digital certificates downtime

“This report reinforces cryptography’s importance within the security agenda,” said Hickman.

“In many cases, PKI remains a manual function with ownership split across IT and security teams. Growing connectivity has created an exposure epidemic. Without a clear PKI in-house or outsourced program owner and process to close critical trust gaps, the risk of outages and breaches will continue to rise.”