Can your PKI handle the pressure of the digital world?

Nowadays, the methods used to prove you are who you say you are can take many different forms – from something as simple as a password to something as complex as biometric authentication. When it comes to proving the identity of a device, however, the means available for authentication depend on the capabilities of the device. And we are quickly entering an era where the number and types of devices that are online and connected reaches a scale that stands to push authentication infrastructures as we know them today well past their limits.   

Leading global analyst house Gartner predicts that, by 2020, 20.8 billion devices will be connected to the internet and 90 per cent of cars will be online, compared to just 2 per cent in 2012. The rise of the Internet of Things (IoT) promises to transform how we go about our everyday personal and professional lives and it’s certainly an exciting world to be part of. But where there are rewards, there are risks and unfortunately, as the number of connected devices grows, so too do the potential vulnerabilities. In fact, Gartner also predicts that more than one in four identified cyber-attacks in enterprises will involve IoT. Authentication of devices, then, has to be a priority for anyone in charge of data security.   

Enter Public Key Infrastructure (PKI) technology. Used to issue digital certificates for identification and authentication, this technology has been used effectively for more than two decades. However, the rapidly escalating burden of device authentication and ongoing management is set to pile an unprecedented level of pressure onto business’ existing PKIs, resulting in a huge challenge for security professionals across the globe. 

In a report we published late last year, over one in four (26%) senior IT decision makers indicated that when planning the evolution of their PKI, the IoT would cause the biggest changes within their organisation – a 12 per cent increase from 2015, and the largest year-over-year increase of all the change sources presented in the survey.     

The cloud changes the game 

It’s not just connected devices, though, that are pushing PKIs to breaking point. A growing adoption of cloud services, too, is putting existing PKIs under increasing amounts of pressure.   

With the lure of cost savings and increased agility and flexibility, the cloud has been far too appealing for many businesses to pass on and we have increasingly seen more and more organisations move workloads into the cloud. In fact, it was recently revealed that operator and vendor revenues across the main cloud services and infrastructure market hit just over £120bn during 2016 - a 25 per cent growth on the year before. And we can only assume this figure will continue growing as more and more businesses look to embrace the technology to reduce their bottom line and speed up business operations.   

As a result of this increasing adoption, nearly two thirds of organisations around the world (62%) are now using public key infrastructure (PKI) credentials to support their public cloud-based applications and services – 12 per cent up on last year, according to our PKI Global Trends Report conducted last year. What’s more, a similar number of organisations (61%) see cloud-based services as being the most important driver behind the deployment of applications using PKI. 

No longer a ‘nice-to-have’ 

It is clear PKI should no longer be considered an “add-on” – it should, instead, be viewed as a core IT function within an organisation as IoT and cloud adoption continue to gain speed. Worryingly though, more than half of businesses (58%) have admitted their existing PKI is unable to support new applications. And this is perhaps even more concerning when you consider that PKIs are currently being used to support an average of eight distinct applications each. 

With increasing pressure on PKIs that are facing demands not forecast when they were initially deployed, there is a real need for organisations to raise their efforts to better secure their PKI as an important part of creating a foundation of trust. But figures would suggest there is still some way to go in achieving this. 

Establishing trust 

When it comes to securing their PKI, over a third (34%) of businesses admit that they rely on passwords alone and just 32 per cent deploy Hardware Security Modules (HSMs) - a well-accepted best practice for offline root and online issuing certificate authorities (CAs). Although the HSM usage figure increased 4 percent over 2015, this figure remains surprisingly low. Given the central role of PKI today, one would expect to see a much more robust approach to securing the private keys that anchor its trust.     

What’s more, 37 per cent of global businesses say they do not have a certificate revocation process in place. This figure is particularly concerning because revocation is an essential control in a well architected, best practice-based PKI process. A certificate may need to be revoked for a number of reasons, including suspected compromise of the associated private key, or the suspected or actual compromise of a private key anywhere in the issuing hierarchy above it, up to the root key.  What’s more, if a root private key is compromised, the result is likely to be significant disruption and downtime to PKI-dependent applications, given that all the certificates below it need to be revoked and replaced. Without an efficient certificate revocation process, this application downtime can take days or even weeks to resolve, dealing a huge potential blow to business continuity. 

In light of the challenges posed by an increasing reliance on the cloud and IoT, a business must change the way it approaches PKI, to ensure it is investing in future-proofing it so that it can bear up under the pressures of the digital world. If your business cares about protecting its devices and most sensitive data, at a time when data breaches are at an all-time high, a ‘fit for purpose’ PKI with a strong root of trust, and based on best practices, needs to be at the top of your IT security considerations.   

John Grimm, Senior Director of Security Strategy, Thales e-Security 

Image Credit: Faithie / Shutterstock