
Common PKI practices undermine trust in applications, study shows

Current approaches to PKI are fragmented and do not always incorporate best practices, according to a Ponemon Institute study

Many firms lack the resources and skills to support public key infrastructure (PKI), despite an increasing reliance on PKI for enterprise applications, a Ponemon Institute study has revealed.

Current approaches to PKI are fragmented and do not always incorporate best practices, according to the 2015 PKI Global Trends Study, commissioned by cyber security firm Thales.

According to the report, the findings of the study indicate a need for many organisations to apply increased effort to secure their PKI as an important part of creating a foundation of trust.

The study polled 1,500 IT and IT security practitioners in the US, UK, Germany, France, Australia, Japan, Brazil, Russian Federation, India and Mexico.

The study also reveals that the most significant challenge organisations face around PKI is the inability of their existing PKIs to support new applications, according to 63% of respondents.

In the UK, the top challenges cited in managing and deploying PKI were: no clear ownership (74%), insufficient skills (61%) and insufficient resources (36%).

Only 11% of global respondents said there is accountability and responsibility for PKI and the applications that rely on it, while 37% said they have no revocation techniques.

However, the proportion with no revocation techniques was lower than the average in the UK (30%) and Australia (34%), making these countries the most likely to deploy a formal method or technique for certificate revocation.

The proportion of companies with no revocation techniques was highest in Japan (43%) and Brazil (42%).

According to the report, the level of visibility, influence and/or control over the applications that consume certificates managed by their PKI is minimal.

The study found there is a significantly higher use of weaker security techniques such as passwords (53%), compared with strong authentication mechanisms such as hardware security modules (28%).

In the UK, only 27% of organisations use hardware security modules (HSMs), below Germany (46%), the US (35%) and Japan (32%), but above all other countries surveyed.

The top three places where HSMs are deployed to secure PKIs are issuing certificate authorities together with offline and online root certificate authorities.

Larry Ponemon, chairman and founder of the Ponemon Institute, said that on average, companies are using their PKI to support seven different applications.

“While the results of this study demonstrate some use of best practices, including strong authentication and hardware security modules, they also reveal that lower security options such as passwords are still prevalent – which is concerning in light of the increased dependency on PKIs today,” he said.

John Grimm, senior director of Thales e-Security, said an increasing number of enterprise applications are in need of certificate issuance services, and many older PKIs are not equipped to support them.

“As organisations undertake a PKI upgrade cycle to support new applications and capabilities, many will look to improve the trust of their PKI by using HSMs to protect private keys for offline root certificate authorities, as well as online issuing certificate authorities,” he said.

Grimm said Thales runs a dedicated PKI consulting service to help businesses design and deploy self-managed PKIs that build trust at the infrastructure level.
