10-27-2021

3 Things that Stood Out to Us from DigiCert’s PKI Automation Survey

Previously, we discussed what separates a PKI automation leader from a laggard, as DigiCert learned in its 2021 State of PKI Automation Survey. I’ll now wrap up this blog series with a discussion of three trends that stood out in the study.

Trend #1: The wild west effect

When DigiCert examined its survey data, it noticed a discrepancy between its expectations of how easy it would be for some organizations to manage their certificates and the experience those organizations had with PKI certificate management. This was especially evident for organizations with the fewest number of certificates. Given those organizations’ relatively low PKI certificate imprint, DigiCert predicted that those entities wouldn’t have too many difficulties. But the opposite was true. They were more likely to have suffered outages related to unexpected certificate expiration, and they performed worse than organizations with greater numbers of certificates across a variety of PKI management metrics. Given those findings, it’s therefore not surprising that those “low-volume PKI certificate” organizations were 50% more likely to express concern about the time required for PKI management certificates than enterprises with more certificates.

This development boils down to PKI management maturity. If organizations have a low volume of certificates, they might be more inclined to look at their environments and say, “We really don’t have a lot of certificates to manage. Why do we need automation?” As a result, they might not work through the path of ironing out vital integrations and doing other tasks associated with PKI automation, as they might not be convinced that work is important.

That’s a problem, as those organizations aren’t exercising their PKI muscles. They’re not automating or dealing with PKI on a regular basis, so they’re putting less effort into automation. It’s like the wild west. There are no standard rules for organizations with fewer certificates to manage, so the logic goes, and everyone’s doing their own thing to get the job done.

Those low-volume PKI certificate organizations also don’t see that there’s more around the corner…or that there’s already quite a bit standing right in front of them. This gets into how the phrase “low-volume certificate organizations” might be a bit of a misnomer. Many of these organizations might be forgetting that certificates apply to all the inbound stuff. For instance, they might think they have only 5,000 certificates for their on-premises workloads, but they’re not taking their DevOps and cloud deployments into account. They just might not have visibility for other areas that are also using certificates. Hence why discovery across the enterprise is so important for any PKI certificate management program.

The flip side here is that high-volume PKI certificate organizations understand that they have a problem when it comes to certificate management. They also understand the need for automation, so they run down that hill as fast as possible. It becomes a turn-key experience that ultimately finds its place in their overarching security strategies.

Trend #2: Self-assessment paradox

The second trend spotted by DigiCert arose in how different organizations rated their efforts with PKI certificate management. Take organizations who said that they viewed PKI certificate management as a challenge. Those organizations were as many as 5x more likely to say they were concerned about spotting rogue certificates and suffering certificate outages. But it was a different story in practice. Indeed, those organizations reported fewer rogue certificates and certificate outages than some of the other survey participants.

This is something that sometimes comes up in security-related surveys. Organizations who pay attention end up rating themselves worse because they’re aware of their mistakes and what they’re not doing. With that knowledge, they implement changes that put them in a stronger position with their PKI certificates and other security efforts.

It’s a different story for organizations that aren’t as concerned. If they don’t think there’s a problem, they’re less likely to pay attention to how they’re approaching PKI certificate management. So, they might be more inclined to make mistakes and not catch them before they produce a security incident.

Trend #3: Persistent lack of visibility

The third and final trend has to do with the ongoing challenge of achieving visibility over all certificates. This obstacle is so persistent because different parts of an organization might be doing things. One group might have visibility, but another group might be doing something different. Security personnel might not know about it, which leaves their employer exposed.

DigiCert uncovered the full extent of this problem in its survey. It found that 37% of organizations had more than three departments managing certificates, for instance. This complexity explains why the typical enterprise has 1,200 certificates that are unmanaged and why nearly half (47%) of survey participants frequently discover these “rogue” certificates.

Organizations need to find and work with the folks who have visibility on these areas of their infrastructure. They then need to streamline their PKI certificate management processes as much as possible. The only way they can do both is by creating centralized policies for certificate procurement, installation, and management with an auditable trail for the security team.

Just the beginning

DigiCert’s survey contains lots of important findings of how organizations are approaching PKI certificate management and how PKI automation is evolving. To explore these and other results, download a report of DigiCert’s survey in full here.

Featured Stories

VMC Blog Featured Image

Getting Your Logo in Your User's Inbox: Tips Learned from the VMC Gmail Pilot

06-21-2021

What Makes Digital Signatures Secure

06-11-2021

How Vaccine Passports Could Change Digital Identity