Poor key management practices leading to severe downtime and outages
21 February 2019
An average organisation will suffer up to £51.5 million in losses over the next two years from downtime and outages caused by poor digital identity management practices and a lack of visibility over the keys and certificates it owns.
This was revealed in a survey commissioned by Keyfactor that aimed to determine how much control and oversight organisations have over their digital certificates and keys and whether their digital identity management practices are up to the mark.
Out of 500 IT and IT security professionals interviewed for the survey, over 70% said that their organisation did not know how many keys and certificates it had, and 74% said that digital certificates have caused, and still cause, unanticipated downtime or outages.
According to Keyfactor, such downtime and outages will cost the average organisation £51.5 million over the next two years. These costs arise from added system administration and support time, lost productivity, immediate revenue loss, and diminished brand reputation.
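The two findings above (not knowing which certificates exist, and certificates expiring unexpectedly) are exactly what a certificate inventory check is meant to catch. The Go program below is an added example, not code from Keyfactor, the survey or this article: it parses a PEM bundle, records each certificate's expiry date, and flags anything already expired or inside a 30-day warning window. The certificates, the `*.example.test` hostnames, the bundle name and the 30-day threshold are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one row of the inventory: where the certificate was found,
// who it identifies, when it expires and whether it needs attention.
type CertRecord struct {
	Source   string
	Subject  string
	NotAfter time.Time
	DaysLeft int
	Expired  bool
	Expiring bool // still valid, but inside the warning window
}

// InventoryPEM parses every CERTIFICATE block in a PEM bundle and classifies
// it against now and a warning window of warnDays. Non-certificate blocks
// (keys, CRLs) are skipped; an unparseable certificate is reported as an
// error rather than dropped, because a certificate you cannot parse is still
// one you have no visibility over.
func InventoryPEM(source string, bundle []byte, now time.Time, warnDays int) ([]CertRecord, error) {
	var records []CertRecord
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return records, fmt.Errorf("%s: unparseable certificate: %w", source, err)
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		stillValid := now.Before(cert.NotAfter)
		records = append(records, CertRecord{
			Source:   source,
			Subject:  cert.Subject.CommonName,
			NotAfter: cert.NotAfter,
			DaysLeft: days,
			Expired:  !stillValid,
			Expiring: stillValid && days < warnDays,
		})
	}
	return records, nil
}

// selfSignedPEM builds a constructed self-signed certificate with the given
// validity window; it stands in for certificates collected from real hosts.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleInventory runs the check over three constructed certificates:
// one healthy, one inside the 30-day warning window and one already expired.
func SampleInventory() []CertRecord {
	now := time.Date(2019, 2, 21, 0, 0, 0, 0, time.UTC)
	var bundle []byte
	bundle = append(bundle, selfSignedPEM("api.example.test", now.AddDate(0, -1, 0), now.AddDate(1, 0, 0))...)
	bundle = append(bundle, selfSignedPEM("vpn.example.test", now.AddDate(-1, 0, 0), now.AddDate(0, 0, 10))...)
	bundle = append(bundle, selfSignedPEM("legacy.example.test", now.AddDate(-2, 0, 0), now.AddDate(0, 0, -5))...)
	records, err := InventoryPEM("constructed-bundle.pem", bundle, now, 30)
	if err != nil {
		panic(err)
	}
	return records
}

func main() {
	for _, r := range SampleInventory() {
		status := "ok"
		switch {
		case r.Expired:
			status = "EXPIRED"
		case r.Expiring:
			status = "EXPIRING"
		}
		fmt.Printf("%-9s %-22s expires %s (%d days)\n", status, r.Subject, r.NotAfter.Format("2006-01-02"), r.DaysLeft)
	}
}
```

In practice the bundle would be gathered from host certificate stores, load-balancer and web-server configuration, and live TLS endpoints; the value of the check is that every certificate ends up in one list with an owner and an expiry date attached, which is the visibility most respondents said they lacked.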
“We know that many organisations struggle with properly and efficiently managing certificates and there’s a clear gap in understanding how critical it is, especially at the executive level. Unfortunately, digital identity management is often siloed and assumed to be a pure IT function. This report should empower PKI and infosec teams to ask for the resources they need to fully manage and secure every digital identity,” said Chris Hickman, Chief Security Officer at Keyfactor.
“The study shows that organisations are spending an average of $18.2 million (£13.9 million) on IT security annually and only 14% of that is allocated to PKI. Yet the average company is managing upwards of 83,000 digital certificates to encrypt data and authenticate servers and secure data on IoT devices. The burden of PKI should be offset by technology that reduces risk and operational costs, improves efficiencies and automates certificate lifecycle management,” he added.
Lack of PKI management will result in downtime and outages
Last year, Thales' 2018 Global PKI Trends Study revealed that the rapid adoption of IoT devices by organisations had also driven a major rise in the deployment of applications that rely on public key infrastructure (PKI). The report estimated that by 2020 as many as 42% of IoT devices would use digital certificates for authentication.
However, the study also noted that in as many as 70% of organisations, no single department or function was responsible for managing PKI. Thales said that “this lack of clear ownership is not in line with best practices, which assume as a baseline a sufficient degree of staffing and competency to define and maintain the process and procedures on which a modern PKI depends.”
“The majority of organisations worldwide and in the UK manage all of their secrets (SSH keys, passwords, PKI certificates and files containing sensitive data) in an extremely ad hoc fashion. Lacking formalised rules surrounding the care and handling of digital secrets is a recipe for disaster. In almost every case SSH key visibility (knowing what keys are created, what they can access, who is using them and when they should be rotated) is all but non-existent.
“While there are a variety of open source and commercial products to assist with key and secret management, the number one thing organisations should consider is defence in depth and how to layer multiple different applications and services to protect against attacks,” said Andy Richmond, UK VP at Varonis.