A new study conducted by Dimensional Research evaluated current and projected growth rates of cryptographic keys and digital certificates in the enterprise for 2016 and 2017. Study respondents included 505 IT professionals that manage these critical cryptographic assets in the U.S., U.K., France and Germany.
“This research shows the growth in encrypted HTTPS to create secure and authenticated connections for web applications, cloud services and IoT continues to explode,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi. “Despite this dramatic growth, more than half of organizations rely on chaotic, error prone, manual processes to protect these critical encryption assets.”
Key study findings
- 58 percent say their organizations used more than 2500 keys and certificates in 2016. One in four organizations used more than 10,000 keys.
- In 2016, 50 percent saw their key and certificate use grow by more than 25 percent and one in five say key and certificate usage has increased by more than 50 percent.
- 49 percent say key and certificate use will grow by more than 25 percent over the next 12 months.
- Although 96 percent say that key and certificate management is part of their security program, only 34 percent say they manage their keys and certificates centrally.
“Wide spread adoption of DevOps, containers, and cloud services is probably not factored into these growth rates and that means the total number of keys and certificates organizations believe they will use is probably still too low,” noted Bocek. “In our work with Global 5000 organizations, most organizations find an average of 16,500 keys and certificates that were previously unknown and each unknown key and certificate represents an unknown encrypted tunnel. These dramatic growth rates, combined with organizations’ haphazard approach to protecting keys and certificates presents a golden opportunity for cyber criminals.”
Privacy laws and security regulations require enterprises to encrypt an increasing percentage of network traffic. But most companies are unable to inspect encrypted traffic for threats. This is due to the inability to intelligently automate and protect the secure distribution of keys and certificates. This gap in security lets cyber criminals easily hide in encrypted tunnels and mask their activities. A recent study from A10 Networks found that 41 percent of cyber attacks used encryption to evade detection.