Both the federal government and Internet of Things manufacturers are facing key challenges and opportunities in regards to implementing secure Public Key Infrastructure practices for digital certificate management and encryption, according to a pair of newly published research reports.
The first report, from machine identity protection company Venafi, reveals data compiled from a survey of 100 federal government IT security professionals who were asked about their organisations’ preparedness to comply with the 2017 Binding Operational Directive (BOD) 18-01. This Department of Homeland Security-issued directive requires all US federal agency websites to fortify their email and web security by improving the handling of machine identities through the use of Transport Layer Security (TLS) keys and PKI certificates.
According to the survey, 54 percent of respondents said they were confident their networks do not contain certificates from any unauthorised certificate authorities (CAs) — and yet only 46 percent of the study participants said they have the controls in place needed to detect this problem.
Moreover, only 30 percent of respondents said that they have a complete certificate inventory, meaning the other 70 percent lack the visibility necessary to know for certain if certain certificates are from unauthorised sources. Also, only 29 percent believe their inventories include the location of every installed certificate, while only 37 percent believe their inventories include certificate ownership information. Location information is important for upgrade efforts in large organisations where certificates may be installed in multiple devices, while ownership information is vital to conduct timely updates, Venafi explains.
"Unfortunately, even the world’s most sophisticated security teams rarely have the visibility, intelligence or automation necessary to effectively scale the use of their machine identities," said Kevin Bocek, chief cyber security strategist at Venafi, in a company blog post detailing the report. "For example, only 69 percent of all federal sites enable HTTPS, despite BOD 18-01 requiring 100 percent HTTPS usage."
Meanwhile, the Ponemon Institute and Thales collaborated on a just released 2018 Global PKI Trends study that reveals survey data collected from 1,688 IT and IT security practitioners in 12 countries.
According to the survey, IoT is shaping up to be a major disruptor influencing PKI. In fact, 42 percent of respondents said that IoT is the most significant factor driving PKI change, tied for the highest overall percentage alongside external mandates and standards (participants were allowed to pick up to two responses). In last year’s survey, only 36 percent cited IoT as a major PKI change agent.
Similarly, respondents who believe IoT is the most important trend driving the deployment of applications
using PKI has increased significantly from 21 percent to 44 percent since 2015, the report states.
The study also found that 42 percent of IoT devices will use digital certificates for authentication within the next two years.
"Huge amounts of data are generated by and collected from a rapidly growing number of IoT devices, with the cloud playing a pivotal role in IoT solutions of the future. But there’s no point in collecting and analysing that data, and making business decisions based upon it if you’re not able to trust the devices or their data," said John Grimm, senior director security strategy at Thales eSecurity, in a press release. For safe, secure IoT deployments organisations need to embrace time-tested security techniques, like PKI, to ensure the integrity and security of their IoT systems."
"In previous years, we highlighted PKI as an established technology positioned to tackle the authentication needs and challenges to support the rise of cloud applications. Now, the C-suite is challenging its teams to leverage IoT to improve and drive business," added Dr. Larry Ponemon, chairman and founder of The Ponemon Institute, in the same release. "With this comes the increased risk of more endpoints to protect, and the need to understand the role of PKI as a critical enabler. At the same time, this underscores the need for further advancement in skilling and resourcing related to PKI and the overall ownership within the organisation."
Originally published in scmagazine.com North America.