In August, DigiCert released its 2021 State of PKI Automation Survey. The report includes the responses of IT directors, IT security managers, and IT generalists operating out of 400 enterprises with at least 1,000 employees in North America, EMEA, Asia Pacific and Latin America. Those individuals’ answers highlight how small, medium and large enterprises are managing digital certificates for users, servers and mobile devices.
DigiCert’s survey uncovered three important findings. First, it found that the typical enterprise now manages more than 50,000 certificates, most commonly for users, web servers, mobile devices and email. The study also determined that enterprises manage a third more public certificates than private, a share that is up from previous years. This could be influenced by the fact that those surveyed include a subset of IT pros who manage server-side certificates.
DigiCert’s 2021 State of PKI Automation Survey
There are a couple of factors behind this growth. First, as employees shifted to working from home in 2020 and companies scaled their services to absorb that shift, DigiCert saw increased demand for the trusted services underpinning them.
Second, it saw both user certificates and certificates in general grow as organizations continued along their digital transformations. Those journeys include migrating to the cloud and implementing DevOps deployments, where certificates are not managed in the same way as in traditional PKI. They also incorporate the tailwinds of many organizations’ efforts to roll out zero-trust environments, with PKI providing the strong authentication needed to realize that framework.
The issue is that this growth is overwhelming organizations. Organizations are expanding PKI out to zero-trust, device authentication and CI/CD pipelines. Tons of things are using PKI, but there aren’t many standard ways to integrate and manage these deployments effectively. That’s not to say that environments wanting to consume certificates lack a path to becoming functional. It’s about taking the next step and implementing a central way to achieve visibility and enforce policy. Even so, organizations are feeling overwhelmed. There’s so much to understand, and when changes occur, it’s difficult for them to respond. Hence the need for organizations to embrace PKI automation.
Organizations that haven’t automated could end up feeling overwhelmed by PKI certificate management. If that’s the case, they might not be able to ensure the availability of their certificates. There’s evidence to suggest many organizations are struggling to manage the workload. Indeed, DigiCert found that two-thirds of organizations experienced an outage after a certificate expired unexpectedly, with 25% of organizations having experienced upwards of six outages in the first half of 2021.
One of the most common sources of certificate outages is misconfigured PKI. As discussed above, there’s complexity in the fact that organizations often do not have a standard way of deploying PKI across their environment. As organizations have embraced work from home and put PKI in new places where their teams are less experienced, security personnel sometimes don’t configure certificates properly, which can give attackers a route into the infrastructure.
That’s why centralized management is so important. Organizations are trying to use more PKI, and guardrails that support them make that easier.
Misconfigurations are part of a larger struggle to find the time and visibility needed to manage certificates. Indeed, nearly two-thirds of survey respondents revealed that they are extremely concerned about how much time they spend managing their certificates. The number of resources dedicated to certificate management was also an issue, with 37% of survey participants revealing that more than three departments are involved. This leads to confusion and inefficiency, with the typical enterprise having as many as 1,200 unmanaged certificates. Almost half (47%) of respondents went on to say that they frequently discover so-called “rogue” certificates that someone deployed outside of the IT team’s visibility.
Organizations lack visibility into their PKI certificates because of the many ingress points through which PKI enters their environments. Personnel are buying routers, deploying phones, installing software, running CI/CD DevOps, creating their own applications and allowing users to have laptops and mobile devices. All these assets have different ways of introducing and managing certificates, a diversity that makes it difficult for organizations to achieve visibility.
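The two problems above, outages from unexpected expiry and rogue or unowned certificates that nobody is tracking, are both caught by the same central policy check once an inventory exists. The following is an added example, not code from DigiCert or the survey: it assumes a discovery pass has already collected certificates from several ingress points into a list of records (the inventory, approved-issuer list and report date are constructed here), with the expiry kept as the raw string that `openssl x509 -noout -enddate` prints.

```python
from datetime import datetime, timedelta, timezone

# Constructed for this example: issuers the PKI team has approved.
# Anything else is treated as a "rogue" certificate.
APPROVED_ISSUERS = {"Corp Internal Issuing CA 1", "Example Public CA G2"}

# Fixed report date so the run is reproducible; use datetime.now(timezone.utc) in practice.
REPORT_DATE = datetime(2021, 8, 1, tzinfo=timezone.utc)

# Constructed inventory, as a discovery pass over web servers, CI/CD agents and
# a network scan might return it. not_after is the raw openssl -enddate output.
INVENTORY = [
    {"subject": "www.corp.example", "issuer": "Example Public CA G2",
     "not_after": "notAfter=Aug 20 23:59:59 2021 GMT", "owner": "webops", "source": "tls-scan"},
    {"subject": "build-runner-07", "issuer": "Corp Internal Issuing CA 1",
     "not_after": "notAfter=Jul 15 10:00:00 2021 GMT", "owner": "devops", "source": "ci-agent"},
    {"subject": "printer-3f.corp.example", "issuer": "Printer Vendor Self-Signed",
     "not_after": "notAfter=Jan  1 00:00:00 2030 GMT", "owner": "", "source": "network-scan"},
    {"subject": "vpn.corp.example", "issuer": "Example Public CA G2",
     "not_after": "notAfter=Dec 31 23:59:59 2022 GMT", "owner": "netsec", "source": "tls-scan"},
]

def parse_not_after(raw):
    """Turn 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    value = raw.split("=", 1)[1].strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    # strptime treats a space in the format as "one or more spaces", so the
    # double-space padding openssl uses for days below 10 parses correctly.
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def audit(inventory, now, warn_days=30):
    """Apply central policy: flag expired, soon-expiring, rogue and unowned
    certificates. Returns one list of subjects per finding type."""
    findings = {"expired": [], "expiring": [], "rogue": [], "unowned": []}
    horizon = now + timedelta(days=warn_days)
    for cert in inventory:
        not_after = parse_not_after(cert["not_after"])
        if not_after <= now:
            findings["expired"].append(cert["subject"])      # outage already possible
        elif not_after <= horizon:
            findings["expiring"].append(cert["subject"])     # renew before it bites
        if cert["issuer"] not in APPROVED_ISSUERS:
            findings["rogue"].append(cert["subject"])        # issued outside the PKI team
        if not cert["owner"]:
            findings["unowned"].append(cert["subject"])      # nobody will renew it
    return findings

if __name__ == "__main__":
    for kind, subjects in audit(INVENTORY, REPORT_DATE).items():
        print(f"{kind:8}: {', '.join(subjects) or '-'}")
```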
This is the first installment of a three-part blog series on DigiCert’s survey. In the next post, I’ll focus on PKI automation and discuss how organizations are approaching this journey.