In the modern IT environment, data, applications, and devices are no longer bound by the confines of corporate premises or data centers. They are distributed across multiple private and public clouds and the edge. With network perimeters fading away, traditional security frameworks will no longer function as they used to, thereby putting enterprise data at risk.
Protecting digital (machine) identities is as crucial to cybersecurity as protecting human identities, and potentially even more so. The convergence of digital and human identities has the most significant impact on securing digital certificates.
A study commissioned by AppViewX and conducted by the Ponemon Institute© reveals why it is crucial to invest in digital identity management.
As part of the study, approximately 1,600 IT and IT security practitioners across industry verticals were interviewed about the importance of managing digital identities. These professionals reside in North America, Europe, and the Asia Pacific and have deep expertise in identity and access management (IAM) programs, digital transformation initiatives, digital identity management, and certificate lifecycle management programs.
Fifty-two percent of respondents mentioned that their organizations experienced one or more security incidents or data breaches in the past two years. These security incidents were caused by a variety of factors, including:
- digital certificate compromise caused mainly by a cyberattack, according to 57 percent of respondents
- certificate authority (CA) compromise as per 49 percent of respondents
- an employee or third-party negligence according to 48 percent of respondents
Fifty-eight percent of respondents say the financial consequences were very severe.
Managing certificates and keys has gained priority over managing human identities
Fifty-four percent of respondents invest more in managing certificates and keys than in human identities. The underlying reason, according to 61 percent of respondents, is that managing certificates and keys increases their organizations’ operational efficiency and reduces the inefficiency of business processes.
While only 46 percent of respondents admit that their organization has secured all certificates and keys, 67 percent believe it is critical to secure them during the digital transformation process.
As organizations tread their paths to digital transformation, some are struggling as they move their legacy solutions to the cloud. While the importance of digital transformation in ensuring the future success of organizations is undeniable, it creates many security risks. The cloud facilitates and accelerates the process. However, it can be challenging to secure certificates and identities across many platforms.
Nonetheless, digital transformation remains a key driver for organizations adopting a digital identity management program. Today, most human identities are secured with public key infrastructure (PKI), but this will decrease considerably in the next two years and be replaced by digital identity management programs. According to 52 percent of respondents, digital transformation encourages organizations to adopt a digital identity management program. The least used authentication method in the next two years will be passwordless authentication.
In the future, the proliferation of IoT devices followed by the remote workplace will significantly impact an organization’s ability to secure digital certificates.
Key challenges and plan of action
Organizations estimate they have almost two times the number of certificates than human identities, and the lack of certificate lifecycle management (CLM) maturity is putting organizations at risk.
Although most organizations have a CLM program, most CLM activities have not been planned or deployed, according to 36 percent of respondents. Thirty-four percent of respondents say their CLM activities are planned and defined but only partially deployed.
Lack of visibility remains a key challenge across organizations. As already mentioned, there is also uncertainty about the exact number of certificates.
- Sixty-four percent of respondents mentioned that their organizations are unaware of the exact number of certificates due to lack of a centralized inventory.
- Forty-one percent of respondents noted that their organizations track certificates manually.
- Fifty-two percent lack the ability to monitor and flag anomalous behavior indicating a certificate compromise.
- Twenty-three percent agree that the remote workplace and the proliferation of IoT devices make it extremely challenging to manage and secure certificates.
To address these challenges, organizations will on average spend 24 percent of their identity and access management (IAM) budget on managing and securing certificates, versus an average of approximately 18 percent on managing human identities.
To address security incidents or data breaches caused by digital certificate compromises or CA compromise, 42 percent of respondents say their organizations have an enterprise-wide strategy for managing cryptographic keys and certificates. Forty-six percent of respondents say their organizations have secured all their certificates and keys.
Automation – the way forward
The benefits of automation can’t be ignored. Fifty-two percent of respondents say their organizations use automation to manage certificates. Of these respondents, 41 percent say automation ensures tasks are performed consistently, and 41 percent of respondents say it improves security by removing administrator access to keys.
Automate the management of certificates. Manually managing certificate lifecycles is slow, error-prone, and highly inefficient. With hundreds of thousands of certificates in circulation, administrators cannot rely on manual management techniques to ensure that PKI is constantly secure and up-to-date. Automation helps enable cryptographic agility – digital identities can stay on top of protocol and algorithm upgrades to offer the best possible protection under all circumstances.
Automating certificate and key lifecycle management – enrollment, provisioning, renewal, and revocation – helps keep digital identities up-to-date and effectively eliminates outages. Processes such as policy management and SSH key rotation can be automated for enhanced security.
Implement structured certificate management processes. Ensure all operations teams have visibility and control over their PKI.
Ensure an accurate inventory of certificates. This requires a tool that discovers certificates on devices and applications across hybrid-cloud or multicloud environments. Information such as location, associated application, expiry date, signature algorithm, and so on should be captured automatically. Users should be able to schedule periodic discoveries so the inventory stays current and picks up undocumented and rogue certificates.
Employ a comprehensive tool that runs complete, top-down scans across your entire network to discover every certificate. These scans need to run periodically for a healthy inventory free from undocumented certificates.
Post discovery, you need to consolidate the scan results in a database to draw meaningful insights. Ideally, the scanning tool should automatically create an inventory of its findings in a structured database with complete details of every certificate discovered – name, expiration date, encryption strength, key strength, the endpoint’s network, location, and so on.
Once this is done, group certificates based on the certificate authority (CA) or location to ease the process of renewals and revocations when the time comes. Your inventory should also give you a lateral view of your infrastructure – you should be able to quickly verify the chain of trust.
PKI infrastructures should be monitored for weak links. PKI requires efficient management, and administrators cannot spend their time manually renewing thousands of certificates, installing them, and ensuring that each one is always online. This is a recipe for disaster caused by manual errors.
It has become apparent that even the best-designed PKIs require supporting systems to help manage them by streamlining certificate tasks, key rotations, and the entire gamut of PKI operations.
An efficient certificate lifecycle management solution will not only enable administrators to renew, revoke, or install certificates from a single interface but also weave together multiple vendors (CAs, hardware security modules (HSMs), identity and access management (IAM) tools, and others) and allow them to work in smooth synergy with your PKI.
PKI certificate validity periods are getting shorter by the day. However, organizations need not restrict themselves to the limits set by browsers. Certificates with shorter validities are more secure, because a compromised or mis-issued certificate stays usable for less time (new technology such as DevOps, IoT, and cloud applications is already on board the short-lived certificate train). Naturally, the keys have to be rotated when the certificates are renewed, too.
Automation of certificate management based on policies laid down by the enterprise, the CA, and industry regulations is crucial. PKI administrators should group certificates based on their type, use-case, and criticality and apply a different policy for each certificate group. Policy-based automation takes care of certificate lifecycle tasks such as time-bound certificate renewals, key rotation, access privileges, and compliance audits.
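The inventory consolidation, per-CA grouping and policy-based checks described above, as an added example that is not AppViewX's or the study's code: it takes constructed scan records (a real deployment would feed it the output of a discovery scan), applies a hypothetical per-group policy for renewal windows, minimum RSA key size and banned signature algorithms, and flags issuers outside a hypothetical approved list as rogue.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class CertRecord:  # one discovered certificate as a scanner would record it (values constructed)
    endpoint: str        # host:port where the certificate was found
    issuer: str          # issuing CA; used for grouping and the trust check
    not_after: datetime
    key_bits: int        # RSA modulus size
    sig_alg: str
    group: str           # policy group assigned by the PKI team; "" if undocumented
# Hypothetical per-group policy: renewal window, minimum RSA key size, banned signature algorithms.
POLICIES = {
    "public-web": {"renew_days": 30, "min_rsa_bits": 2048, "banned_sig": {"sha1WithRSAEncryption"}},
    "internal-service": {"renew_days": 14, "min_rsa_bits": 3072, "banned_sig": {"sha1WithRSAEncryption"}},
}
# Hypothetical set of approved issuers; a certificate from any other issuer is treated as rogue.
TRUSTED_ISSUERS = {"CN=Example Public CA", "CN=Example Internal Issuing CA"}
def evaluate(inventory, now):
    """Apply each group's policy; return {endpoint: [findings]} for certificates needing action."""
    findings = defaultdict(list)
    for c in inventory:
        if c.issuer not in TRUSTED_ISSUERS:
            findings[c.endpoint].append("untrusted-issuer")
        policy = POLICIES.get(c.group)
        if policy is None:  # no owner and no policy: flag it, nothing more to check
            findings[c.endpoint].append("undocumented")
            continue
        days_left = (c.not_after - now).days
        if days_left < 0:
            findings[c.endpoint].append("expired")
        elif days_left <= policy["renew_days"]:
            findings[c.endpoint].append(f"renew-within-{days_left}d")
        if c.key_bits < policy["min_rsa_bits"]:
            findings[c.endpoint].append("weak-key")
        if c.sig_alg in policy["banned_sig"]:
            findings[c.endpoint].append("weak-signature")
    return dict(findings)
def group_by_issuer(inventory):  # batch endpoints per CA so renewals and revocations can be handled together
    groups = defaultdict(list)
    for c in inventory:
        groups[c.issuer].append(c.endpoint)
    return dict(groups)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed scan time
INVENTORY = [  # constructed scan results: one expiring soon, one below its group's key policy, one rogue
    CertRecord("www.example.test:443", "CN=Example Public CA", datetime(2024, 6, 20, tzinfo=timezone.utc), 2048, "sha256WithRSAEncryption", "public-web"),
    CertRecord("api.internal.test:8443", "CN=Example Internal Issuing CA", datetime(2025, 1, 1, tzinfo=timezone.utc), 2048, "sha256WithRSAEncryption", "internal-service"),
    CertRecord("legacy.internal.test:443", "CN=Unknown Self-Signed", datetime(2023, 12, 31, tzinfo=timezone.utc), 1024, "sha1WithRSAEncryption", ""),
]
```

Running `evaluate(INVENTORY, NOW)` yields a renewal finding for the public site, a weak-key finding for the internal API (2048 bits is fine for the public-web group but below the stricter internal policy), and untrusted-issuer plus undocumented findings for the legacy host.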