Why CSOs are prioritizing PKI infrastructure as they adapt to post-quantum cryptography [Q&A]
A growing number of machine identities leaves organizations with the task of managing increasingly complex PKI infrastructure.
We spoke to Chris Hickman, CSO of Keyfactor, about how organizations can go about reducing PKI complexity as well as other trends to keep in mind as they adapt to an era of post-quantum cryptography.
BN: What are the trends that have fueled the growth of keys and digital certificates in the enterprise?
CH: Our latest State of Machine Identity Management report with the Ponemon Institute pointed to three major trends driving the growth of keys and digital certificates: the increased use of IoT devices, the adoption of cloud-based services, and the embrace of zero trust. There's been a huge uptick in the number of internet-connected devices and cloud-based services used within the enterprise in the past few years, which has largely been driven by digital transformation and cloud migration efforts. Organizations have prioritized these efforts so that they can operate with more agility, make faster business decisions, drive impactful innovation, and ultimately deliver better value to their customers through the data that is collected from these technologies. As a result, there are more connected IoT and mobile devices, software-defined applications, cloud workloads, virtual machines (VMs), and containers within the enterprise now more than ever.
Each of these machines uses a set of credentials that allows them to authenticate and communicate information securely -- much like we do to verify human identities within the enterprise before granting them access to mission-critical applications and devices. Instead of usernames and passwords, these machines use cryptographic keys and digital certificates to protect sensitive data, provide unique digital identities for users, devices and applications, and secure end-to-end communications.
The embrace of zero-trust strategies was reported to be the number one driver of increased use of keys and digital certificates. The zero-trust security principle is based on the fact that the traditional perimeter no longer exists and, therefore, every identity must be regularly validated, authenticated, and authorized to connect to data and systems, regardless of who they are. Keys and digital certificates are a critical component of this strategy, as they enable easy identification and authentication of machine identities.
BN: Exactly how many machine identities are in use at organizations today, and how has that changed?
CH: In last year's report I observed that the forces driving the growth of the machine workforce were only going to accelerate -- and that's exactly what happened. This is not because I'm prescient; the trends are very clear. Due to the rise of connected devices and new machines introduced to enterprise ecosystems, an average of 255,000 digital certificates are in use within organizations today. This is a significant increase -- about 11 percent -- compared to 2021, when organizations had an average of 231,000 certificates in use.
BN: What challenges are organizations grappling with as a result of the rapid increase in machine identities? How does this restrict organizations' ability to manage them?
CH: As organizations incorporate an exponential number of machines into their ecosystems, identifying and providing them with an identity via a digital certificate -- and then managing every single one of those certificates throughout their entire lifecycle -- has only become more difficult. More than 60 percent of respondents said they do not know how many keys and certificates they have. Coupled with shorter certificate lifecycles, it has become much more difficult for security teams to keep pace with certificate issuance and management. Certificates need to expire and be renewed, similar to a passport or driver's license. Some of those certificates have rules that require them to be renewed every 389 days, and there is industry pressure to reduce that amount of time further, to as little as 90 days. Teams that are managing these certificates in manual ways are about to get a lot busier, and I would suspect we will see a significant increase in outages as a result.
All of this has significantly increased the operational burden of certificate management on teams, according to nearly three-quarters of respondents. Not to mention, more than half of organizations (53 percent) do not have enough staff and resources in the first place dedicated to the deployment of public key infrastructure (PKI), which is the set of policies and procedures that governs the issuance of digital certificates.
This creates a turbulent environment for those tasked with identity and access management within an organization and increases the risk of certificate-related outages if left untracked or ignored. This can cause applications and services to stop working, which wreaks havoc on an organization's operations, productivity, reputation, and even opens a loophole for a potential data breach. Unfortunately, certificate outages occur a lot more often than they should. Most respondents (77 percent) reported experiencing at least two outages in the past 24 months.
BN: How will prioritizing PKI management and reducing the complexity of PKI infrastructure allow organizations to deal with the management of machine identities?
CH: An effective PKI management strategy is critical to keeping track of the hundreds of thousands of machines housed within enterprises today. However, as shown through our research, many PKI environments are disjointed and aging, making it extremely difficult to actually manage machine identities. On average, organizations use nine different PKI and certificate authority solutions. Furthermore, ownership of certificate management doesn't fall on just one team's shoulders; several teams across the enterprise, including security, IT, DevOps, and cloud, all use certificates. As you can imagine, this exacerbates common management issues like low visibility.
The encouraging news is that reducing PKI complexity ranked as the top strategic priority among security leaders for the first time in the report's history. One of the most important steps these organizations can take to simplify certificate management is to invest in automation tools as part of their PKI strategy. These tools help increase visibility into certificates and automate the lifecycle management of certificates -- thereby eliminating many of the challenges teams are currently experiencing with PKI management.
BN: How will PKI management help organizations prepare for a post-quantum world? Are there any actions they can take now?
CH: The move to quantum-resistant cryptography is the cybersecurity equivalent of the '100-year storm.' It will prove to be a major undertaking for organizations, and some are simply not planning far enough in advance for its eventual impact.
As a result of these new post-quantum cryptographic algorithms, organizations need to rethink PKI strategies, and one of the best actions they can take now is to establish ownership of machine identities. When there's no clear ownership of PKI strategy, there can be no alignment around best practices, decision-making around identity-related conflicts, or cross-organizational support for certificate issues. Because cryptography has become a strategic set of initiatives that require broader knowledge and a longer-term strategy, establishing a crypto center of excellence (CCoE) or a machine identity working group that includes cross-functional participants can help eliminate silos and increase visibility of cryptographic assets. Currently, only about one-third of respondents say their organizations have a mature machine identity working group.
This brings me to my next point, which is to gain visibility over all certificates and their lifecycles. This is perhaps the most difficult goal to accomplish, but it is incredibly important to an organization's ability to manage certificates and respond effectively to incidents or standards changes. One of the first steps of a newly formed machine identity working group should be to audit the organization's machine identity landscape and identify the gaps. From there, they can evaluate which tools and processes will best fit with their organization's unique PKI needs and goals. This is where investing in automated PKI and certificate management tools would be beneficial to reduce any redundancy or visibility issues.
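To make the audit step concrete, here is an added example that is not part of the interview, the Ponemon report, or Keyfactor's tooling: a small Go program that inventories every certificate in a PEM bundle, computes each one's lifetime and days to expiry, and flags those that exceed a maximum-lifetime policy, have already expired, or fall inside a renewal window. The 398-day cap and 30-day window are assumed policy values, and the certificates it scans are self-signed test certificates minted inline rather than anything from a real estate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row: subject, issuer, validity span, days to expiry, policy flags.
type Finding struct { Subject, Issuer string; LifetimeDays, DaysLeft int; Flags []string }

// AuditPEM walks every CERTIFICATE block in a PEM bundle and flags certificates whose lifetime
// exceeds maxLifetimeDays, that have already expired, or that expire within renewWindowDays of now.
func AuditPEM(bundle []byte, now time.Time, maxLifetimeDays, renewWindowDays int) ([]Finding, error) {
	var out []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { continue } // skip private keys or other PEM objects in the bundle
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil { return nil, err } // a corrupt entry aborts the audit rather than being silently skipped
		f := Finding{Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName,
			LifetimeDays: int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24),
			DaysLeft:     int(cert.NotAfter.Sub(now).Hours() / 24)}
		if f.LifetimeDays > maxLifetimeDays { f.Flags = append(f.Flags, "lifetime-exceeds-policy") }
		if cert.NotAfter.Before(now) { f.Flags = append(f.Flags, "expired") } else if f.DaysLeft <= renewWindowDays { f.Flags = append(f.Flags, "renew-soon") }
		out = append(out, f)
	}
	return out, nil
}

// selfSigned mints a constructed self-signed test certificate (sample input only, not a real identity).
func selfSigned(cn string, notBefore time.Time, days int) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, days)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now().UTC() // UTC avoids DST skew when counting whole days
	bundle := append(selfSigned("api.example.internal", now.AddDate(0, 0, -380), 398), selfSigned("legacy.example.internal", now.AddDate(0, 0, -735), 730)...)
	findings, err := AuditPEM(bundle, now, 398, 30) // assumed policy: 398-day cap, renew within 30 days
	if err != nil { panic(err) }
	for _, f := range findings { fmt.Printf("%-24s lifetime=%dd left=%dd %v\n", f.Subject, f.LifetimeDays, f.DaysLeft, f.Flags) }
}
```

Pointing the same function at a directory of exported certificates from each of an organization's CAs gives the per-certificate visibility the working group needs before choosing automation tooling.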
BN: Why is it important to have a strategy to manage PKI?
CH: Our research shows that less than half of organizations have an enterprise-wide strategy for managing PKI. However, it is fully possible to build a machine identity management strategy that can do double duty in establishing digital trust and enabling greater crypto-agility for the future, no matter how rudimentary an organization's PKI infrastructure is. As our reliance on machines increases and the reality of quantum computing draws closer, it will only become even more important to get a handle on PKI management, and that takes time to get right. With this in mind, I encourage all organizations to take a hard look at their PKI infrastructure today and ask themselves how they can improve to set themselves up for a secure, successful future. This is the first step towards establishing long-term, enterprise-wide digital trust.