Research reveals failure of PKIs to follow best practices

Dec. 2, 2015
John Grimm of Thales offers his insight on PKI security trends and practices that threaten to undermine trust in core enterprise applications

The 2015 PKI Global Trends Study, based on independent research by the Ponemon Institute and sponsored by Thales, a leader in critical information systems and cybersecurity, spotlights an increased reliance on public key infrastructures (PKIs) in today’s enterprise environment, where they support a growing number of applications.

At the same time, however, there is a general lack of clear PKI ownership, as well as a lack of resources and skills to properly support them. Current approaches to PKI are fragmented and do not always incorporate best practices, indicating a need for many organizations to apply increased effort to secure their PKI as an important part of creating a foundation of trust.

More than 1,500 IT and IT security practitioners were surveyed in 10 countries: United States, United Kingdom, Germany, France, Australia, Japan, Brazil, Russian Federation, India and Mexico, with the aim of better understanding the use of PKI within organizations.

Following up on this report, SecurityInfoWatch.com asked John Grimm, senior director of product marketing at Thales e-Security, a few questions about these trends in PKI security.

Grimm has over 25 years of experience in the information security field, starting as a systems and firmware engineer building secure cryptographic key distribution systems for government applications, and progressing through product management, solution development, and marketing leadership roles. He received his bachelor's degree in electrical engineering from Worcester Polytechnic Institute in Worcester, Mass., and is a member of Tau Beta Pi, the engineering honor society.

 Here is that Q&A:

 SecurityInfoWatch.com -- The Ponemon Institute recently released survey results describing the challenges of PKI infrastructure in today’s enterprise environment. According to the findings, what is the 10,000-foot view of the PKI landscape today?

 John Grimm -- We found that there is an increased dependency on public key infrastructure (PKI) today. Companies are using their PKIs to support an average of seven different applications – more than many of them were designed to support. As one would expect, cloud-based services are the most significant driver for the deployment of applications that use PKI. However, the most significant challenge organizations face around PKI is the inability of their existing PKIs to support new applications – 63 percent of respondents said this.

 SIW -- What other specific trends did you spot?

Grimm -- There are some troubling trends regarding the security of PKIs. For instance, there is a significantly higher use of weaker security techniques like passwords (53 percent) than there is of hardware security modules (HSMs) (28 percent). Another issue is that there are an increasing number of enterprise applications in need of certificate issuance services, but many older PKIs are not equipped to support them.

 There is also a general lack of clear PKI ownership within the enterprise, as well as a lack of resources and skills to properly support them. And surprisingly, a large percentage of respondents said they had no certificate revocation techniques in place, leaving them in a poor position to recover if an offline root or online issuing CA key is compromised.  This is particularly concerning given that PKIs typically support core enterprise applications that are an integral part of daily operations.

 Current approaches to PKI are fragmented and do not always incorporate best practices, indicating a need for many organizations to apply increased effort to secure their PKI as an important part of creating a foundation of trust.

 SIW -- What does that increased effort look like?

Grimm -- Well, the use of HSMs to provide a hardened, tamper-resistant environment for performing secure cryptographic processing, key protection and key management is a well-accepted industry best practice for PKI, recommended by leading industry analysts like Gartner and by leading technology providers like Microsoft. The study found that the top three places where HSMs are deployed to secure PKIs are issuing certificate authorities and both offline and online root certificate authorities. As organizations undertake a PKI upgrade cycle to support new applications and capabilities, many will look to improve the trust of their PKI by using HSMs to protect private keys for offline root certificate authorities as well as online issuing certificate authorities.

 SIW -- Don’t HSMs add another level of complexity to an already complex environment?

Grimm -- The bigger issue is risk. PKI is a very common use case for HSMs, and has been for a long time. As a result, integration with PKI software is mature, well-understood, and generally well documented. Although security configuration and expertise is needed, the cost of that can pale in comparison to the risk and potential cost of a root or online CA private key compromise taking down a set of critical applications – particularly in light of the finding of the study around lack of revocation capabilities. Additionally, HSM management tools have matured to the point where online systems can be securely administered remotely – a useful development in the world of distributed, lights-out data centers. The ability to remotely present quorums of smart cards possessed by multiple authorized personnel to complete actions that would ordinarily have to be carried out at the HSM reduces the need to travel and also reduces the risk of exposure (or loss) of critical assets in transit.
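To make concrete the scenario Grimm keeps returning to, an online issuing CA key compromise met with a working revocation path, here is an added example that is not code from the study, from Thales or from the interview. It builds the two-tier hierarchy he describes (offline root, online issuing CA, application certificate) with nothing but the openssl command-line tool, has the root revoke the issuing CA, and then shows that a relying party which skips CRL checking still trusts every certificate the compromised CA issued. The CA names, the app.example.test subject, the pki.cnf layout and the helper functions (gen_key_csr, ca_cmd, publish_crls) are all made up for the demonstration; it assumes OpenSSL 1.1.1 or later on the PATH and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the study, Thales or the interview: a two-tier
# PKI (offline root -> online issuing CA -> leaf) built with the openssl CLI,
# then the recovery step the survey found missing: the root revokes the
# compromised issuing CA, and only relying parties that check CRLs notice.
# All names (Example Offline Root CA, app.example.test, the pki.cnf layout,
# the helper functions) are made up. Needs OpenSSL 1.1.1 or newer on PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config for `openssl req` and `openssl ca`; the CA environment variable
# picks which CA's key, database and serial files `openssl ca` works on.
export CA=none
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
[ policy_cn ]
commonName = supplied
[ ca ]
default_ca = any_ca
[ any_ca ]
database = ${ENV::CA}.index
new_certs_dir = ${ENV::CA}.certs
serial = ${ENV::CA}.serial
crlnumber = ${ENV::CA}.crlnumber
certificate = ${ENV::CA}.crt
private_key = ${ENV::CA}.key
default_md = sha256
default_crl_days = 7
policy = policy_cn
EOF

# P-256 key and CSR for subject $2, written to $1.key and $1.csr.
gen_key_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config pki.cnf -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Run `openssl ca` as CA $1 (root or issuing), creating its database on first use.
ca_cmd() {
  ca=$1; shift
  [ -d "$ca.certs" ] ||
    { mkdir "$ca.certs"; : > "$ca.index"; echo 01 > "$ca.serial"; echo 01 > "$ca.crlnumber"; }
  CA=$ca openssl ca -config pki.cnf -batch "$@" 2>/dev/null
}

# Regenerate both CRLs into the one file that `openssl verify -CRLfile` reads.
publish_crls() {
  ca_cmd root -gencrl -out root.crl
  ca_cmd issuing -gencrl -out issuing.crl
  cat root.crl issuing.crl > all.crl
}

build_pki() {
  # Self-signed root; in production its key lives in an HSM and stays offline.
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config pki.cnf -extensions ca_ext -days 3650 \
    -subj "/CN=Example Offline Root CA" -keyout root.key -out root.crt 2>/dev/null
  # Online issuing CA certified by the root, then a leaf certified by the issuing CA.
  gen_key_csr issuing "/CN=Example Online Issuing CA"
  ca_cmd root -extensions ca_ext -notext -days 1825 -in issuing.csr -out issuing.crt
  gen_key_csr leaf "/CN=app.example.test"
  ca_cmd issuing -extensions leaf_ext -notext -days 365 -in leaf.csr -out leaf.crt
  publish_crls
}

# Treat the issuing CA key as compromised: the root revokes it and republishes.
revoke_issuing_ca() {
  ca_cmd root -revoke issuing.crt -crl_reason keyCompromise
  publish_crls
}

# Chain validation that never consults a CRL.
verify_no_crl() {
  openssl verify -CAfile root.crt -untrusted issuing.crt leaf.crt >/dev/null 2>&1 \
    && echo trusted || echo rejected
}

# Chain validation that checks every non-root certificate against a CRL.
verify_with_crl() {
  openssl verify -crl_check_all -CRLfile all.crl -CAfile root.crt \
    -untrusted issuing.crt leaf.crt >/dev/null 2>&1 && echo trusted || echo rejected
}

build_pki
BEFORE=$(verify_with_crl)          # trusted: both CRLs are still empty
revoke_issuing_ca
AFTER_NO_CRL=$(verify_no_crl)      # trusted: without a CRL check nothing changed
AFTER_WITH_CRL=$(verify_with_crl)  # rejected: the issuing CA is on the root's CRL
echo "before=$BEFORE after: no-crl=$AFTER_NO_CRL crl-check=$AFTER_WITH_CRL"
```

Run it as a plain sh script. The point is the third result: after the root has revoked the issuing CA, a relying party that does not fetch and check CRLs still accepts the application certificate, so a revocation capability only recovers anything if the consumers of the PKI are configured to honour it. The same check can be done with OCSP instead of a CRL file; either way, HSM protection of the CA keys lowers how often this path is needed, not whether it has to exist.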