Fragmented approaches to PKI don’t always follow best practices

Independent research by the Ponemon Institute reveales increased reliance on public key infrastructures (PKIs) in today’s enterprise environment, supporting a growing number of applications.

At the same time, however, there is a general lack of clear PKI ownership, as well as a lack of resources and skills to properly support them. Current approaches to PKI are fragmented and do not always incorporate best practices, indicating a need for many organizations to apply increased effort to secure their PKI as an important part of creating a foundation of trust.

“On average, companies today are using their public key infrastructure (PKI) to support seven different applications. While the results of this study demonstrate some use of best practices, including strong authentication and hardware security modules, they also reveal that lower security options like passwords are still prevalent – which is concerning in light of the increased dependency on PKIs today,” said Dr. Larry Ponemon, chairman of The Ponemon Institute.

Key findings:

  • The most significant challenge organizations face around PKI is the inability of their existing PKIs to support new applications (63 percent of respondents said this).
  • Only 11 percent of respondents say there is accountability and responsibility for PKI and the applications that rely upon it.
  • A large percentage of respondents said they had no revocation techniques.
  • Cloud-based services are the most significant driver for PKI-based application adoption.
  • The level of visibility, influence and/or control over the applications that consume certificates managed by their PKI is minimal.
  • There is a significantly higher use of weaker security techniques like passwords (53 percent) than there is of strong authentication mechanisms such as Hardware Security Modules (HSMs) (28 percent).
  • The top three places where HSMs are deployed to secure PKIs are issuing certificate authorities together with offline and online root certificate authorities.

More than 1,500 IT and IT security practitioners were surveyed in ten countries: United States, United Kingdom, Germany, France, Australia, Japan, Brazil, Russian Federation, India and Mexico, with the aim of better understanding the use of PKI within organizations.

More about

Don't miss