4 Takeaways from DigiCert’s 2021 PKI Automation Study | Server Security

What are the top PKI challenges organizations are facing in 2021, and how are they tackling them? Data from DigiCert’s 2021 State of PKI Automation unveils several important trends.

A whopping 91% of enterprises say they want to automate their public key infrastructure (PKI), according to data from DigiCert’s latest research report. And there’s a good reason for that — public key infrastructure is the backbone that supports virtually everything relating to internet security. If even one website security certificate expires on your server, all hell can break loose regarding service outages, security risks, and non-compliance issues. Not to mention all of the penalties and potential lawsuits those issues can bring…

When it comes down to it, PKI is a beast for enterprises and other large-scale environments if it’s not properly managed. This is where PKI automation can help. PKI automation helps to bring order to that chaos.

But what does PKI automation entail? We’ll quickly review what it is and why it’s necessary. Then we’ll move on to cover four key takeaways for enterprises from DigiCert’s latest PKI automation report. In each section, we’ll explore insights and statistics as well as useful recommendations for dealing with each situation.

Let’s hash it out.

A Quick Overview of the Advantages of PKI Automation

PKI automation is the processes and tools relating to managing PKI certificates’ and keys’ lifecycles. Basically, it’s all about taking the monotonous tasks associated with managing your digital certificates and keypairs — everything from requesting or renewing your certificates to deploying and revoking them (and everything in between) — and freeing up your team to focus on higher-level functions.

So, what happens if you don’t have strong PKI management practices and tools in place? If even just one of those certificates expires or keys becomes compromised, you’ll be in for a world of hurt for a range of reasons! For example, let’s consider what can happen when an SSL certificate expires:

• Insecure data can lead to costly and devastating data breaches.
• Non-compliance issues can lead to massive penalties and potential lawsuits.
• Service outages not only decrease productivity and also interfere with your customers.
• Reputation damage can deliver a devastating blow that could have lasting effects you can feel for months or years to come.
• Loss of customer trust and relationships could lead to sales and revenue losses that might force you to close your doors permanently.

By using automation to manage your certificates and keys, you reduce the likelihood of these scenarios occurring by making yourself a tougher target for attackers.

So, now that we know what PKI automation is and why it’s beneficial for enterprises, let’s time to look at the big takeaways from DigiCert’s survey data.

A screenshot example of the warning message that pops up when you try to access a website using an expired SSL/TLS certificate using Google Chrome.

Unexpected downtime is like a heart attack for businesses. It strikes suddenly — often without any warning — and can have devastating effects in terms of revenue losses and reputational damage.

To avoid a heart attack, you need to take steps to ensure that you’re living a healthy life: exercise regularly, drink plenty of water, eat a generally healthy diet, etc. Likewise, there are things you can do to reduce unexpected downtime relating to your public key infrastructure. (We’ll cover those recommendations momentarily.)

DigiCert’s State of PKI Automation report data shows that more than 33% of PKI leaders believe that automation is integral to that responsibility. These organizations, which are generally kicking butt and taking names when it comes to managing their PKIs, are significantly less likely to experience outages than other organizations that are PKI “laggards.”

In general, DigiCert’s data shows that two-thirds or organizations experience outages due to certificates expiring unexpectedly. However, the organizations they recognize as PKI leaders experienced far fewer of these expiration-related outages — only one outage in six months. (Compare this to the three to five outages that their less-concerned enterprise counterparts experienced — more on both types of organizations momentarily.)

What You Can Do to Mitigate This Issue

Downtime happens to virtually everyone at one point or another — the difference is whether the downtime is intentional (planned ahead of time) or unintentional (i.e., “oops!”). But what can you do to reduce unexpected downtime and its related costs?

1. Schedule downtime for necessary updates — This is the first critical step to avoiding any type of downtime in general. If you know that you need to apply updates, for example, you can plan for that ahead of time so your customers are aware and can plan accordingly. This courteous move helps your customers minimize their downtime as well because they know about it in advance.
2. Set up certificate discovery — Certificate discovery is a crucial took for PKI management as well as network security in general. If you don’t know what is on your network, how can you protect it? Certificate discovery should apply both to your public (external) and internal networks.
3. Enable certificate automation — Use automation to your advantage and set your certificate renewals to occur automatically whenever possible. This will make certificate management a breeze and will take many monotonous, renewal-related tasks off your plate.
4. Set up PKI alerts — Many PKI management-related tools offer the ability to set up alerts. This notification system informs you when things are going sideways so you can escalate anything right away to ensure it’s taken care of quickly and efficiently.

Takeaway #2: Overly Confident Organizations Tend to Have the Biggest Issues

Image data source: DigiCert’s 2021 State of PKI Report.

The organizations that worry the most about PKI certificate management tend to be the ones that have the fewest PKI security issues. (Note: This takeaway is also in line with research we previously shared in an article on a 2020 study by Keyfactor and the Ponemon Institute.)

In general, these worriers seem to be two or three times better at handling many security-related tasks:

• Managing their PKI digital certificates,
• Minimizing downtime and PKI-related security risks (such as rogue certificates),
• Staying compliant with industry and regional data security laws and regulations.

It makes sense, really. There are several key reasons why these A-game organizations likely do better in these areas:

• Their employees are more aware, so they tend to keep a closer eye on things.
• They recognize the importance of efficient certificate management and automation.
• They recognize their organizations’ shortcomings — as such, they tend to take steps to mitigate the issues as early as possible.

Needless to say, it’s for this reason DigiCert recognizes these organizations as the PKI “leaders.”

Now, let’s compare this to their more overly confident counterparts — the organizations DigiCert recognizes as the “laggards.” These are the enterprises that express fewer concerns about their PKI security effectiveness and processes. In general, organizations that are less aware of their shortcomings tend to have more rogue certificate issues and service outages. I guess it’s true about that popular saying: ignorance is bliss.

What You Can Do to Mitigate This Issue

There are several key recommendations that we can make. Of course, not every recommendation may apply to you but may apply to someone else in your organization (based on your role):

• Pay attention to the needs of your business and talk to people. How can you make informed decisions if you don’t know what’s happening? You can’t address issues if you’re not in touch with what’s happening within your organization.
• Use the right tools that increase efficiency without sacrificing security. Use tools that give you greater visibility of your network and greater IT environment as a whole. PKI discovery and monitoring helps you be aware of PKI-related issues before they happen (like certificate expirations). Ideally, you’ll want to use a tool that enables PKI automation of PKI-related processes such as certificate renewals to also nip these issues in the bud.  
• Implement strong PKI policies and procedures. No company is perfect — and neither are your employees. People can be lazy and sometimes make mistakes. This is why it’s a good idea to have documented resources in place that they can rely on to ensure they check all the boxes to ensure your PKI is managed as safely and securely as possible.
• Be forthright no matter how bad the truth may be. Don’t put lipstick on the pig — if something is wrong, you need to address it right away. Don’t sugar-coat bad situations that can lead to security events, data breaches, and non-compliance. Convey the seriousness of the situation and ask for the tools and resources you need to keep your organization and its data secure.
• Listen to what your employees have to say. Although not everyone wants to hear bad news, it’s better to face it head-on than deal with the consequences of a breach after the fact. Be open to what your PKI managers, IT team and CISO have to say when they share concerns and make suggestions. Taking this open-minded approach may help you avoid becoming the next certificate outage-related headline.

Takeaway #3: Enterprises Don’t Have the Capacity to Manually Manage PKIs

Image data source: DigiCert’s 2021 State of PKI Report.

Manually managing the public key infrastructure at scale within some largescale environments simply isn’t feasible. Why? Because managing your PKI equates to being a full-time job for multiple people. DigiCert’s survey data shows:

• 61% of surveyed enterprises worry about the time requirements of certificate management.
• The number of PKI certificates that enterprises need to manage increased by 43%.
• Enterprises typically manage more than 50,000 certificates within their environments!

Based on this number, it means you’d have to track and manage an average of nearly 137 certificates per day. Needless to say, that’s a recipe for disaster that worsens when you also consider the management of the cryptographic keys that accompany each digital certificate…

• Data from a 2020 Keyfactor report shows that organizations say they have upwards of 88,750 certificates and keys within their environments. (That’s an average of 243 certificates and keys per day that you and/or your team would have to manage.)
• Another Keyfactor report indicates that more than half (53%) of respondents say they have no clue how many of these assets they have. (This estimate includes self-signed certificates as well.)

Why You Need to Have PKI Management Practices Early On

DigiCert’s 2021 report data shows that as organizations grow, their struggles to manage certificates (and their PKI workloads overall) grow with them:

• Two in three enterprises have experienced outages due to expired certificates.
• 25% reported having up to six PKI-related outages in the previous six months.

That’s a lot of outages to have in such a relatively brief period. For obvious reasons, this can have a devastating effect on your brand.

Let’s compare this to going to eat at your favorite restaurant. How would you feel if the restaurant’s staff frequently screw up your order and provide poor service frequently when you visit? It would be a horrible experience for you and would likely ruin your trust and faith in that brand. Needless to say, that restaurant wouldn’t remain your favorite for long…

What You Can Do to Mitigate This Issue

Using a certificate management platform that offers…

4 Takeaways from DigiCert’s 2021 PKI Automation Study