Enterprises Move to Public Key Infrastructures

The most significant challenge organizations face with PKI is the inability of existing PKIs to support new applications, according to a Ponemon Institute study.


There is an increased reliance on public key infrastructures (PKIs) in today's enterprise environment, driven largely by the growing use of cloud-based services and applications and by the internet of things (IoT), according to a report from the Ponemon Institute sponsored by Thales.

The study found that 62 percent of businesses regard cloud-based services as the most important trend driving the deployment of PKI-based applications (up from 50 percent in 2015), and more than a quarter (28 percent) say IoT will drive that deployment.

In addition, PKIs are being used to support more and more applications. On average, the report found, a PKI supports eight different applications within a business, up one from 2015 worldwide; in the United States, the figure rose by three applications.

The most significant challenge organizations face around PKI is the inability of their existing PKIs to support new applications, according to 58 percent of respondents.

A finding of concern: a large percentage of respondents continue to report that they have no certificate revocation mechanism at all, even as the use of high-assurance mechanisms such as hardware security modules (HSMs) to secure PKI has increased.

The most common places where HSMs are deployed to secure PKIs are the most critical private keys: those of root and issuing certificate authorities (CAs), for both offline and online root CAs.

"A very concerning finding is that many organizations are failing to follow well-understood best practices in their PKI deployments," John Grimm, senior director of security strategy for Thales, told eWEEK. "As an example, the usage of a weak mechanism like passwords—alone, without a second factor—to protect a PKI at 34 percent outpaces the use of HSMs to protect critical PKI private keys."

He noted additionally that more than one-third of deployed PKIs operate without any means of certificate revocation, leaving them vulnerable to downtime and other disruption if root or issuing CA keys are compromised and existing certificates must be reissued.
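To make concrete what "a means of certificate revocation" is and why its absence matters, here is an added example written for this page (it is not code from the report, Thales or eWEEK): a constructed two-tier PKI built with the Python `cryptography` library, a certificate revocation list (CRL) issued by the CA, and a verifier that consults it. The CA name, device name, serial numbers, validity periods and the status strings are all assumptions of the example. It also covers the two failure modes a practitioner would check for: a verifier that has no CRL accepts a certificate on its signature alone, and a CRL that was not signed by the CA's own key is rejected rather than trusted.

```python
"""Added example: a minimal CA, a CRL, and a verifier that honours revocation.

Everything here (names, serials, validity) is constructed for illustration.
"""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ONE_DAY = datetime.timedelta(days=1)


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def new_ca_key():
    # In a real deployment the CA key is generated inside, and never leaves, an HSM.
    return ec.generate_private_key(ec.SECP256R1())


def build_demo_pki():
    """Return (ca_cert, ca_key, leaf_cert): a constructed root CA and one end-entity cert."""
    ca_key = new_ca_key()
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Offline Root CA")])
    now = _now()
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name)
        .issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - ONE_DAY)
        .not_valid_after(now + 3650 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = ec.generate_private_key(ec.SECP256R1())  # e.g. an IoT device key
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "device-0001.example.net")]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - ONE_DAY)
        .not_valid_after(now + 365 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_cert, ca_key, leaf_cert


def issue_crl(ca_cert, signing_key, revoked_serials):
    """Build a CRL in the CA's name listing each serial as a key-compromise revocation."""
    now = _now()
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now)
        .next_update(now + 7 * ONE_DAY)
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(signing_key, hashes.SHA256())


def check_certificate(cert, ca_cert, crl):
    """Verify cert's signature against ca_cert, then its revocation status against crl.

    Returns one of (assumed status strings): "bad-signature",
    "accepted-without-revocation-check", "crl-signature-invalid", "revoked", "good".
    Validity-period and full chain-building checks are omitted for brevity.
    """
    ca_pub = ca_cert.public_key()
    try:
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad-signature"
    if crl is None:
        # The state the survey describes: the signature checks out, so a compromised
        # or retired certificate is still accepted because nothing says otherwise.
        return "accepted-without-revocation-check"
    if not crl.is_signature_valid(ca_pub):  # never trust a CRL the CA did not sign
        return "crl-signature-invalid"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


if __name__ == "__main__":
    ca_cert, ca_key, leaf = build_demo_pki()
    print("no CRL:    ", check_certificate(leaf, ca_cert, None))
    print("empty CRL: ", check_certificate(leaf, ca_cert, issue_crl(ca_cert, ca_key, [])))
    print("revoked:   ", check_certificate(leaf, ca_cert, issue_crl(ca_cert, ca_key, [leaf.serial_number])))
    print("rogue CRL: ", check_certificate(leaf, ca_cert, issue_crl(ca_cert, new_ca_key(), [leaf.serial_number])))
```

The point of the "rogue CRL" case is the one Grimm raises: if the CA's signing key is protected only by a password and is stolen, an attacker can sign CRLs (and certificates) that verifiers will accept, which is why the key belongs in an HSM in the first place. In production the verifier would fetch the CRL from the certificate's CRL distribution point (or query OCSP) rather than being handed it, and would also check validity periods and the full chain.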

"A silver lining is that some higher-level security measures showed increases from 2015, such as multi-factor authentication for administrators and HSM usage, each of which rose 4 percent from their 2015 levels," Grimm said.

He explained that, with the predicted rapid explosion of connected things and the importance of digital certificate technology in authenticating them and in helping organizations determine whether they can trust the data they produce and share, PKI technology stands to play an ever-increasing and important role.

More than 5,000 business and IT managers were surveyed for the study in 11 countries: the United States, the U.K., Germany, France, Australia, Japan, Brazil, the Russian Federation, Mexico, India and the Middle East (Saudi Arabia and the United Arab Emirates). The aim of the study was to better understand the use of PKI within organizations.