Are CIOs wasting millions on infosec that doesn’t work?

There’s overwhelming consensus among IT executives that the foundation of cybersecurity—cryptographic keys and digital certificates—is being left unprotected, leaving enterprises blind, in chaos, and unable to defend their businesses, according to Venafi.

CIOs acknowledge they are wasting millions of dollars on layered security defences because these tools blindly trust keys and certificates – unable to differentiate between which keys and certificates should be trusted and which shouldn’t.

With Gartner predicting that 50% of network attacks will come over SSL/TLS this means popular security systems will only work half of the time. And CIOs recognize that this chaos is jeopardizing their most strategic plans to build fast IT organizations around DevOps.

Key findings

• 87% of CIOs believe their security defences are less effective since they can’t inspect encrypted network traffic for attacks
• 90% of CIOs have or expect to suffer from an attack in which encrypted traffic is used to hide the attack
• 86% of CIOs think stolen encryption keys and digital certificates will be the next big market for hackers
• 79% of CIOs agree that their core strategy to accelerate IT and innovation is in jeopardy because these initiatives introduce new vulnerabilities.

Keys and certificates: The foundation of trust

Enterprises rely on tens of thousands of keys and certificates as the foundation of trust for their websites, virtual machines, mobile devices, and cloud servers. The technology was adopted to help solve the original Internet security problem of knowing what is safe and private. From online banking, secure communications and mobile applications to the Internet of Things, everything IP-based depends upon a key and certificate to create a trusted and secure connection. But unprotected keys and certificates are being misused by cybercriminals to hide in encrypted traffic, spoof websites, deploy malware, elevate their privileges, and steal data.

Deployed technologies like endpoint protection, advanced threat protection, next generation firewalls, behavioural analytics, IDS and DLP are fundamentally flawed because they cannot determine which keys and certificates are good or bad, friend or foe. As a result, one consequence is that they are unable to inspect the vast majority of encrypted network traffic. This leaves gaping holes in enterprise security defences. Cybercriminals are taking advantage of these security blind spots and are using unprotected keys and certificates to hide in encrypted traffic and circumvent security controls.

“Keys and certificates are the foundation of cybersecurity, authenticating system connections and telling us if software and devices are doing what they are meant to. If this foundation collapses, we’re in serious trouble,” comments Kevin Bocek, Vice President Threat Intelligence and Security Strategy at Venafi. “With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets’ websites, infrastructure, clouds, and mobile devices, and decrypt communications thought to be private.”

The risks from unmanaged and unprotected keys and certificates increase as their numbers grow. A recent Ponemon report reveals that the average enterprise has more than 23,000 keys and certificates, and 54% of security professionals admit to not knowing where all of their keys and certificates are located, who owns them, or how they are used. CIOs are concerned that the increase in keys and certificates to support new IT initiatives will confound the problem.

In light of Encryption Everywhere plans, virtually all CIOs (95%) indicated they are worried about how they will securely manage and protect all encryption keys and certificates. And as the speed of IT increases—creating and decommissioning services based on elastic needs—keys and certificates will grow in orders of magnitude. When asked if the speed of DevOps makes it more difficult to know what is trusted or not in their organizations, 79% of CIOs said yes.

“Gartner predicts that by 2017 three out of four enterprise organizations will be moving to a bi-modal IT structure with two stream/two speed IT: one that supports existing apps that require stability and another that delivers fast IT for innovation and business-impacting projects.,” said Bocek. “Yet using agile methods and introducing DevOps is an extremely high risk and chaotic endeavour. In these new environments security will always suffer and it will become virtually impossible to keep track of what can and can’t be trusted.”