Archive for Keyfactor

40% of Enterprises Face High Likelihood Of Outages According To New Report

Posted in Commentary with tags on April 6, 2021 by itnerd

Keyfactor, the leader in PKI as-a-Service and crypto-agility solutions, and Ponemon Institute today released the first-ever State of Machine Identity Management Report, a study exploring enterprises’ ability to manage and protect machine identities, keys and certificates in digital business.

Distributed workforces and the proliferation of connected devices have contributed to a rapid rise in the volume of machine identities. As a result, increased workloads, lack of visibility, misconfigurations and shorter SSL/TLS certificate lifespans are creating concern and risk for IT professionals and security leaders.

Additional key report findings:

  • Certificate-related outages are widespread: 88% of organizations reported experiencing at least one unplanned outage due to expired certificates in the past 24 months, and 41% reported four or more outages.
  • The rate of failed audits is rising: on average, organizations experienced approximately five failed audits or compliance incidents due to insufficient key management within the past 24 months. Compared to other machine identity-related incidents, such as unplanned certificate outages or theft and misuse of keys and certificates, audit failures are considered the most serious, according to 75% of respondents. 
  • Neglected SSH credentials and code signing keys are increasing security risk: 57% of respondents do not have an accurate inventory of SSH keys and 26% say they never rotate SSH credentials. Many enterprise teams continue to store sensitive code-signing keys on build servers (33%) and developer workstations (19%).
  • Enterprises are struggling to establish internal policies, governance and best practices: only one-third of organizations report having a mature cryptographic center of excellence (CCoE) to support the direction and implementation of an enterprise-wide cryptography strategy.
  • Staffing shortages: 40% of respondents identified a lack of skilled personnel as a barrier to setting an enterprise-wide cryptography and machine identity strategy. Only 45% of teams say they have sufficient staff dedicated to their PKI deployment.

The study was conducted by Ponemon Institute on behalf of Keyfactor and includes responses from 1,162 IT and infosec executives and practitioners in North America and EMEA, spanning 12 industries, including financial services, healthcare, manufacturing, retail and automotive.

View the complete findings and download the 2021 State of Machine Identity Management Report today.

Survey Findings From Pulse Research & Keyfactor Show Gap Regarding PKI’s Role In A Zero Trust Security Strategy

Posted in Commentary with tags on March 15, 2021 by itnerd

96% of North American enterprise IT security leaders say public key infrastructure (PKI) and digital certificates are essential to achieving zero trust architecture. Yet only 39% use PKI as part of their zero trust security strategy today, according to an executive survey from Pulse Research and Keyfactor, the leader in PKI as-a-Service (PKIaaS) and crypto-agility solutions. The survey explores enterprise security priorities, the challenges of zero trust strategy implementation and the use of PKI and digital certificates within a zero trust architecture.

PKI consists of digital certificates and cryptographic keys that provide trusted and secure connections to protect user and machine identities. A zero trust model relies on trusted connections, controls and machine identity authentication to mitigate security risks and ensure machine-to-machine communications are secure.

Additional key findings:

  • Adoption drivers: 68% are prioritizing zero trust implementation to mitigate security risk, and 50% cite reducing time to breach detection.
  • Investment priorities: 72% of IT leaders cite cloud-first migration followed by remote workforce (65%) and digital customer experience improvements (46%).
  • Budget allocation: 92% of respondents have allocated up to 20% of their 2021 technology budget to PKI and/or cryptography investments.
  • Implementation challenges: 73% see technology gaps as their organization’s greatest barrier to implementation, followed by cost concerns (69%) and a talent or skills shortage (45%).
  • PKI requirements: 71% of IT leaders are prioritizing key and certificate visibility, followed by enabling automation (56%) and cloud-first PKI deployment (49%).

The survey was conducted by Pulse Research on behalf of Keyfactor and included responses from 100 North American executive and VP-level IAM leaders in enterprises with between 5,000 and 10,000+ global employees.

View the complete findings and download the report today.

Google Voice Outage Caused By Expired Certificates…. REALLY?

Posted in Commentary with tags on March 1, 2021 by itnerd

Back in mid-February, Google Voice went down for about four hours. That left users unable to log in and use their Google Voice accounts. That’s a problem if you rely on Google Voice. And a lot of people and companies do given the times that we live in. Well, Google has released an incident report [Warning: PDF] and it is eyebrow-raising. The outage was caused by expired TLS certificates:

Google Voice uses the Session Initiation Protocol (SIP) to control voice calls over Internet Protocol. During normal operation, Google Voice client devices aim to maintain continuous SIP connection to Google Voice services. When a connection breaks, the client immediately attempts to restore connectivity. All Google Voice SIP traffic is encrypted using Transport Layer Security (TLS). The TLS certificates and certificate configurations used by Google Voice frontend systems are rotated regularly.

Due to an issue with updating certificate configurations, the active certificate in Google Voice frontend systems inadvertently expired at 2021-02-15 23:51:00, triggering the issue. During the impact period, any clients attempting to establish or reestablish an SIP connection were unable to do so. These clients were unable to initiate or receive VoIP calls during the impact period. Client devices with an SIP connection that was established before the incident and not interrupted during the incident were unaffected.

And this is what they are going to do to stop this from happening again:

To guard against the issue recurring and to reduce the impact of similar events, we are taking the following actions:

  • Configure additional proactive alerting for upcoming certificate expiration events.
  • Configure additional reactive alerting for TLS errors in Google Voice frontend systems.
  • Improve automated tooling for certificate rotation and configuration updates.
  • Utilize more flexible infrastructure for rapid deployment of configuration changes.
  • Update resource allocation systems to more efficiently provision emergency resources during incidents.
  • Develop training and practice scenarios for emergency rollouts of Google Voice frontend systems and configurations.

Now I expect a small or medium company to have issues keeping track of when certificates that power their infrastructure expire. But for a company the size of Google to have this issue is mind-blowing.

Chris Hickman, chief security officer at Keyfactor (www.keyfactor.com), a provider of cloud-first PKI as-a-Service and crypto-agility solutions has this to say:

“An outage happens when expired certificates fail to authenticate or establish secure communication tunnels. A certificate expiration on its own is not necessarily a security response incident but is disruptive and can lead to outages like that experienced by Google Voice customers. Certificate expiration is an important mechanism to make sure certificates are still being issued to a valid system, similarly to why a driver’s license or passport needs to be renewed periodically. It offers a check and balance system, in the form of workflow and approvals, to maintain legitimacy and authorization. Changes implemented last year by the CA/B forum reduced the lifetime of an SSL/TLS certificate to 398 days and therefore has compounded the issue of keeping up with expiring certificates.

Recent research found that 73% of enterprise respondents experienced unplanned downtime and outages due to mismanaged digital certificates. More than half of those organizations said they experienced four or more certificate-related outages in the past two years. Service outages due to expired certificates are fairly common – and avoidable. Whether you’re a large enterprise or a small business, certificates expire. The key is maintaining visibility to every certificate on the network to stay ahead of expirations and renewals or better yet, using automation to ensure certificates are renewed prior to expiration without the need for human intervention.

These steps can help IT teams avoid similar outages and potential disruptions: 

  • Conduct an audit to understand how many digital certificates the organization has.
  • Build an inventory to identify where certificates live and what they’re used for. 
  • Document the hash algorithm they use and their overall health. 
  • Flag certificate expiration dates. 
  • Assign or note who owns every certificate.
  • Map the methods used to protect valuable code-signing certificates. 
  • Ensure a centralized method is used to securely update every certificate.”

Maybe Google should reach out to Keyfactor as clearly this is a weak point for them.
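
The checklist Hickman gives above reads as policy, but most of it can be mechanised. The following Go program is an added example for this page; it is not code from the original post, from Google or from Keyfactor. It implements the audit, inventory, hash-algorithm, expiry-flagging and ownership steps over PEM certificate bundles, classifying each certificate as EXPIRED, EXPIRING (inside a 30-day window, the proactive alert Google's report commits to) or OK, and flagging MD2, MD5 and SHA-1 signatures. The team names, hosts, paths and the three self-signed ECDSA certificates are constructed so that it runs offline; in a real deployment the PEM bundles would come from a discovery scan of the estate and `Audit` would be called once per location.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Entry is one inventory row: where a certificate lives, who owns it, what it is and how healthy it is.
type Entry struct {
	Owner, Location, Subject, Issuer, SigAlg, Status string // Status is EXPIRED, EXPIRING or OK
	NotAfter                                        time.Time
	DaysLeft                                        int
	WeakHash                                        bool
}

// WeakAlgorithms lists signature algorithms built on MD2, MD5 or SHA-1 that an audit should flag.
var WeakAlgorithms = map[x509.SignatureAlgorithm]bool{x509.MD2WithRSA: true, x509.MD5WithRSA: true,
	x509.SHA1WithRSA: true, x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true}

// Classify compares NotAfter with an explicit now and a warning window; passing now in keeps it testable.
func Classify(notAfter, now time.Time, warn time.Duration) (string, int) {
	remaining := notAfter.Sub(now)
	days := int(remaining.Hours() / 24)
	if remaining <= 0 {
		return "EXPIRED", days
	} else if remaining <= warn {
		return "EXPIRING", days
	}
	return "OK", days
}

// Audit records every CERTIFICATE block in a PEM bundle; it parses rather than verifies, so expired or weakly signed certificates are still listed.
func Audit(owner, location string, pemData []byte, now time.Time, warn time.Duration) ([]Entry, error) {
	var out []Entry
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip private keys or other PEM objects stored in the same file
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", location, err)
		}
		status, days := Classify(cert.NotAfter, now, warn)
		out = append(out, Entry{Owner: owner, Location: location, Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName,
			SigAlg: cert.SignatureAlgorithm.String(), Status: status, NotAfter: cert.NotAfter, DaysLeft: days, WeakHash: WeakAlgorithms[cert.SignatureAlgorithm]})
	}
	return out, nil
}

// selfSigned mints a constructed ECDSA P-256 certificate so the example runs offline; the names are hypothetical.
func selfSigned(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleInventory audits three constructed certificates: expired (the Google Voice failure mode), expiring within 30 days, and healthy.
func SampleInventory() ([]Entry, error) {
	now := time.Now().UTC().Truncate(time.Second) // X.509 validity has second precision
	var inv []Entry
	for _, s := range []struct {
		team, host, cn string
		days           int // days from now until NotAfter
	}{{"voice-team", "sip-fe-01", "sip.example.test", -10}, {"web-team", "lb-02", "www.example.test", 20},
		{"ci-team", "build-03", "signer.example.test", 300}} {
		cert := selfSigned(s.cn, now.Add(-365*24*time.Hour), now.Add(time.Duration(s.days)*24*time.Hour))
		entries, err := Audit(s.team, s.host+":/etc/tls/server.pem", cert, now, 30*24*time.Hour)
		if err != nil {
			return nil, err
		}
		inv = append(inv, entries...)
	}
	return inv, nil
}

func main() {
	entries, err := SampleInventory()
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		fmt.Printf("%-8s %5dd %-12s weak=%-5v %-10s %s (%s)\n", e.Status, e.DaysLeft, e.SigAlg, e.WeakHash, e.Owner, e.Subject, e.Location)
	}
}
```

Run it with go run; it prints one line per certificate. Two design choices are worth copying. Classify takes now as an argument rather than reading the clock, so the same check can be replayed against a fixed date (for instance against 2021-02-15 23:51:00 UTC to confirm the Google Voice certificate would have been flagged). Audit deliberately uses ParseCertificate rather than Verify, because an expired or weakly signed certificate that silently drops out of the inventory is exactly the blind spot that produces outages. The final step in the checklist, a centralized and secure way to update every certificate, is outside this example; it is where an ACME client or a certificate lifecycle platform takes over.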

Keyfactor Announces Strategic DevSecOps Partnership With Infinite Ranges

Posted in Commentary with tags on January 19, 2021 by itnerd

Keyfactor, the leader in PKI as-a-Service and crypto-agility solutions, today announced a strategic partnership with digital transformation solutions provider Infinite Ranges. The collaboration enables enterprise teams to overcome the DevSecOps gap through the implementation of best practices and automated solutions.

A recent survey of more than 600 IT and security professionals found that code signing and key misuse are likely to occur in enterprise environments over the next two years, and that 73% of respondents had experienced unplanned downtime and outages due to mismanaged digital certificates. Many enterprises employ Public Key Infrastructure (PKI) and digital certificates in DevOps workflows to secure code through its lifetime. However, traditional PKI relies on manual processes, making it ill-equipped for agile process requirements.

Infinite Ranges’ specialization as an implementation partner for both Keyfactor and Hashicorp Vault provides a unique offering within the market.

Keyfactor provides cloud-hosted PKI-as-a-Service infrastructure through integrated certificate and key management, secure signing and secure IoT device design. The platform provides discovery, integration and orchestration capabilities, enabling teams to gain complete crypto-agility, extensibility and visibility.

Guest Post: Keyfactor Comments On The Mimecast breach

Posted in Commentary with tags on January 14, 2021 by itnerd

Cloud-based email management company Mimecast recently disclosed that a threat actor obtained one of its digital certificates and used it to gain access to some of its clients’ Microsoft 365 accounts.

Chris Hickman, chief security officer at Keyfactor, a leading provider of secure digital identity management solutions, says:

“These attacks are not about FireEye, SolarWinds or Mimecast; the disturbing trend we are seeing is that these breaches are becoming habitual. The threat actors behind the attacks, whether they are using the SolarWinds backdoor or another, are targeting certificates and credentials. They are leveraging cryptographic assets to gain network access and evade security controls. 

The current trendline indicates that parts of the industry are still treating certificates as ‘just certificates’ rather than cryptographic assets that play a more important role in hardening network security. Technology alone cannot prevent breaches like this – companies need to ensure that they have in place the right controls, policies and follow industry best practices in order to defend themselves against the evolving threat landscape. Companies need to take a hard look at how they manage and secure digital certificates and cryptographic keys in order to better protect themselves and their customers.

Here are some best practices to mitigate misuse of keys and certificates:

  • Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM.
  • Segregate duties between who is authorized to sign code, who can approve the request, and who can monitor and enforce compliance with signing policies.
  • Maintain an active inventory of all certificates, where they are installed, who they were issued from, and who owns them (and your domains). 
  • Control certificate issuance and approval workflows to ensure that every certificate is trusted, compliant with policy, and up-to-date.
  • Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise.”

Keyfactor & Per Scholas Announce Partnership To Drive Skills Training & Diversity In Cybersecurity

Posted in Commentary with tags on October 21, 2020 by itnerd

Keyfactor, the leader in crypto-agility solutions, and Per Scholas, a national non-profit that drives positive and proven social change in communities across the country through technology training, today announced a partnership program providing traditionally underrepresented individuals with access to mentorship and skills training for high-growth careers in the cybersecurity industry.

Per Scholas partners with leading employers, developing student curriculum that aligns to specific roles in the technology industry, including IT and security. As a Per Scholas partner, Keyfactor provides mentorship, curriculum input and training to help close the cybersecurity skills gap while addressing use cases unique to the evolving IT and cybersecurity threat landscape.

Together, Keyfactor and Per Scholas have defined an employer diversity plan using a three-prong strategy to encourage innovative thinking, implement diverse hiring practices and build awareness of demographic and societal imbalances.

IT and cybersecurity leaders are invited to attend a fireside chat to learn more about the partnership and diversity plan by registering at: https://summit.keyfactor.com/talks/fireside-chat/.

Critical Trust Virtual Summit: Keynote Speakers Announced

Posted in Commentary with tags on October 14, 2020 by itnerd

Individuals from Netflix and Microsoft will be keynote speakers for Keyfactor’s upcoming Critical Trust Virtual Summit, taking place on October 21-22, 2020. Session information and details are below:

Looking Past the Pandemic: Futureproofing Against Data Risk

Presented by Ann Johnson, Microsoft – Corporate VP of Security, Compliance & Identity (SCI) Business Development

October 21, 2020 @ 2:25pm ET

People will create more than 175 Zettabytes of data by 2025. While this abundance of data fuels machine learning, artificial intelligence and automation, this abundance also presents risks to our security, economies and fundamental right to privacy as data also becomes one of our great assets to help address global challenges. Enterprises must now look beyond AI as just a proactive defense and consider data both an asset and a risk.

More info: https://summit.keyfactor.com/talks/looking-past-the-pandemic-futureproofing-against-data-risk/

How Netflix Delivers with Speed and Agility (And you can too!)

Presented by Andy Glover, Netflix – Director of Productivity Engineering

October 22, 2020 @ 2:30pm ET

As security teams work more closely with DevOps engineering, they need to move fast and be agile. Andy will discuss how Netflix’s competitive advantage is the ability to innovate with speed and agility, which is facilitated by their culture. He’ll share his lessons learned from investing in automation to building centralized teams and how these benefits can also be adopted by your organization.

More info: https://summit.keyfactor.com/talks/guest-keynote-day-2/

Keyfactor’s two-day online event will offer over a dozen additional sessions and panels delivered by industry-leading innovators and practitioners specializing in crypto-agile best practices across IT, security, engineering and DevOps:

You can register here.

Keyfactor Launches Inaugural Virtual Conference in October

Posted in Commentary with tags on September 29, 2020 by itnerd

Keyfactor, the leader in crypto-agility solutions, today announced its inaugural digitally delivered conference, the Critical Trust Virtual Summit, which will take place on October 21-22, 2020. The two-day online event will offer more than 15 sessions and panels delivered by industry-leading innovators and practitioners specializing in crypto-agile best practices across IT, security, engineering and DevOps.

The Critical Trust Virtual Summit includes panels and sessions featuring top industry experts focused on Public Key Infrastructure (PKI) best practices, certificate lifecycle automation, zero trust manufacturing and future industry trends. Event presenters, industry partners and highlighted sessions include:

IT, DevOps and security leaders and practitioners can register for their free Critical Trust Summit pass by visiting: https://summit.keyfactor.com/.

Keyfactor Expands End-to-End Crypto Capabilities with SSH Key Management

Posted in Commentary with tags on September 8, 2020 by itnerd

Keyfactor, the leader in crypto-agility solutions, today announced the release of SSH Key Manager for Keyfactor Command, its complete certificate lifecycle automation and PKI as-a-Service platform. The solution replaces manual management methods, automating access and distribution of SSH (Secure Shell) keys across machines, applications and devices within the enterprise.

SSH keys are used to secure remote access to critical systems and applications. However, inadequate management and evolving attack vectors make SSH keys increasingly vulnerable to exploitation. Developers and system administrators often generate SSH keys using default configurations, and many are left unmanaged on the network and vulnerable to compromise.

As enterprises expand their use of cryptography to protect sensitive data and secure connections across the business, managing sensitive SSH keys, X.509 certificates and cryptographic keys – sometimes referred to as machine identities – becomes critical. Keyfactor enables customers to establish an end-to-end machine identity strategy, with a centralized platform to manage all keys and certificates in the organization.

According to Gartner, machine identity management “encompasses a number of technologies, that today remain mostly siloed (i.e., X.509 certificate management, SSH key management, as well as secrets and other crypto-key management).” Gartner advises security and risk management leaders focused on identity and access management (IAM) to “use full life cycle management or discovery-centric tools to audit the number of deployed machine identities; and to identify the potential risks from expiry and overall compliance.”*

SSH Key Manager for Keyfactor Command enables:

  • Reduced risk exposure – maintaining a real-time inventory of SSH keys and the ability to delete or rotate weak or inactive keys.
  • Complete visibility – allowing teams to find SSH keys and map trust relationships to users, machines and web services, whether on-premises or in the cloud.
  • Greater control – providing a simple dashboard to identify risks, assign key permissions and simplify audits with easy-to-generate reports.
  • Seamless automation – automating SSH key deployment as workloads are spun up in multi-cloud and CI/CD environments.

To learn more or to request a demo of the SSH Key Manager for Keyfactor Command, please visit: www.keyfactor.com.

*Gartner Hype Cycle for Identity and Access Management Technologies, 2020, 16 July 2020, Ant Allan

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.