nCipher Security Blog

Creaking PKIs poised for breakdown in today’s IT enterprise environments

John Grimm | Vice President of Strategy and Business Development

Yet another complication in the ongoing move to the cloud has come to light, and it’s come in the form of a familiar technology – one that might be in need of that overhaul that many have been putting off for the last few years. Love it or hate it, rely on it, or don’t trust it – whatever the case, your enterprise public key infrastructure (PKI) might be in desperate need of some loving care.

In the Thales-sponsored 2015 PKI Global Trends Study, which surveyed more than 1,500 IT practitioners from ten countries, nearly two thirds (64%) of respondents cited cloud-based services as the most important trend driving the increasing number of applications requiring certificate issuance services. But the needs serviced by today’s PKI are in no way limited to those that are forward-looking. The report also revealed that companies today are using their public key infrastructure to support an average of seven different existing applications. It is clear that PKI is a foundational element of the IT backbone.

But have organizations been completely aware of the pressure that the growing number of applications and capabilities has been piling onto their PKI? It would appear not, as the report reveals a fragmented approach – indicating a need to apply increased effort to secure their PKIs in order to create a foundation of trust.

Firstly, the research shows that older PKIs are not equipped to support new applications and capabilities. Nearly two thirds of respondents (63%) say their existing PKI is incapable of supporting new applications. Other challenges include a lack of ability to change legacy apps (58% of respondents) and insufficient skills and resources (40% and 39% respectively). This paints a picture of aging PKI technology – if enterprises want to maintain a stable and secure enterprise backbone, they are going to need to turn their attention to better management of their PKIs and application interfaces.

Given the central role of PKI today, we would expect the highest levels of security to protect it. However, over half of respondents (53%) say they at least in part rely on passwords to secure their PKI, with just 28% reporting that they have Hardware Security Modules (HSMs) in place, a well-accepted best practice for protecting the keys of offline root and online issuing certificate authorities (CAs). A further 37% confess that they do not have a certificate revocation process at all, leaving one to wonder what business continuity procedures are in place for PKI-dependent applications in the case of a root or CA private key compromise.

With both the cloud and the Internet of Things (a PKI problem on a massive scale) to consider, PKIs need a strong root of trust to be fit for purpose if they are to support the ever growing number of applications. The old quote that ‘trust takes years to build and seconds to break’ has never been more relevant here – the risk of depending on services from an outdated PKI, or one with a less than robust key protection and management strategy, is too great to ignore. Businesses have no option but to overhaul their PKI strategy if they are to ensure the dependability of the services it provides.

To download the full report, please click here.