Security is top of mind for everyone in the software industry, but as the number of security approaches increases, enterprises are finding it hard to keep up. A new report released by Keyfactor and the Ponemon Institute finds that enterprises are struggling to manage the digital identities in their organizations.
The Impact of Unsecured Digital Identities is based on responses from more than 600 IT and information security professionals.
“Connectivity and the number of digital identities within the enterprise has grown exponentially thanks to continued cloud, mobile, DevOps and IoT adoption,” said Chris Hickman, chief security officer at Keyfactor. “The complexity of managing those identities while keeping them securely connected to the business has created a critical trust gap – in many cases the keys and certificates designed to build trust are instead causing outages and security breaches.”
Digital certificates and cryptographic keys are used to ensure user, application, and device authenticity. According to the report, many respondents estimate that their organization has more than 10,000 keys and digital certificates in use. In addition, 74% reported that their organization doesn’t know exactly how many keys and certificates it has. Undocumented or unenforced key management policies and insufficient key management practices can lead to failed audits or compliance failures. Key or certificate management problems can also lead to misuse of code signing certificates and keys, CA compromises, and unplanned outages due to certificate expiration.
When asked how many times these problems had occurred within their organization over the last two years, respondents cited an average of 5.8 failed audits or compliance failures, followed by 5 CA compromises or rogue CAs. “The least frequent incidents are unplanned outages due to certificate expiration, though the frequency of these events is still concerning,” the report stated. The report also found that failed audits and CA compromises have the biggest financial impact.
Keyfactor also looked at organizations’ strategic digital security priorities, and found authenticating and controlling IoT devices, knowing the expiration date of certificates, and reducing complexity in IT infrastructure to be the top priorities. Sixty percent said they are adding additional layers of encryption for IoT devices, but 46% admit low ability to maintain IoT device identities and cryptography over a device’s lifetime.
Additionally, the report noted a rise in security incidents. On average, organizations have experienced certificate authority or rogue man-in-the-middle and phishing attacks five times in the last 24 months.
“In many ways I was optimistic that we’d see progress this year as more executives invested the resources needed to close the gap between ‘standard practice’ in PKI [Public Key Infrastructure] and ‘best practice.’ This year’s report shows that while progress has been made in a few areas, that gap is actually growing wider,” said Larry Ponemon, founder of the Ponemon Institute.
Other key findings included a lack of security staff dedicated to PKI deployment, cryptography-related security incidents that undermine trust, and the absence of a center of excellence for cryptography.