The IT Nerd

Keyfactor, the leader in PKI as-a-Service and crypto-agility solutions, and Ponemon Institute today released the first-ever State of Machine Identity Management Report, a study exploring enterprises’ ability to manage and protect machine identities, keys and certificates in digital business.

Distributed workforces and the proliferation of connected devices have contributed to a rapid rise in the volume of machine identities. As a result, increased workloads, lack of visibility, misconfigurations and shorter SSL/TSL certificate lifespans are creating concern and risk for IT professionals and security leaders.

Additional key report findings:

• Certificate-related outages are widespread: 88% of organizations reported experiencing at least one unplanned outage due to expired certificates in the past 24 months. Another 41% reported four or more outages.
• The rate of failed audits is rising: on average, organizations experienced approximately five failed audits or compliance incidents due to insufficient key management within the past 24 months. Compared to other machine identity-related incidents, such as unplanned certificate outages or theft and misuse of keys and certificates, audit failures are considered the most serious, according to 75% of respondents. 
• Neglected SSH credentials and code signing keys are increasing security risk: 57% of respondents do not have an accurate inventory of SSH keys and 26% say they never rotate SSH credentials. Many enterprise teams continue to store sensitive code-signing keys on build servers (33%) and developer workstations (19%).
• Enterprises are struggling to establish internal policies, governance and best practices: only 1/3 of organizations report having a mature cryptographic center of excellence (CCoE) to support the direction and implementation of an enterprise-wide cryptography strategy. 
• Staffing shortages: 40% of respondents identified a lack of skilled personnel as a barrier to setting an enterprise-wide cryptography and machine identity strategy. Only 45% of teams say they have sufficient staff dedicated to their PKI deployment.

The study was conducted by Ponemon Institute on behalf of Keyfactor and includes responses from 1,162 IT and infosec executives and practitioners in North America and EMEA, spanning 12 industries, including financial services, healthcare, manufacturing, retail and automotive.

View the complete findings and download the 2021 State of Machine Identity Management Report today.

Keyfactor, the leader in PKI as-a-Service and crypto-agility solutions, and Ponemon Institute today released the first-ever State of Machine Identity Management Report, a study exploring enterprises’ ability to manage and protect machine identities, keys and certificates in digital business.

Distributed workforces and the proliferation of connected devices have contributed to a rapid rise in the volume of machine identities. As a result, increased workloads, lack of visibility, misconfigurations and shorter SSL/TSL certificate lifespans are creating concern and risk for IT professionals and security leaders.

Additional key report findings:

• Certificate-related outages are widespread: 88% of organizations reported experiencing at least one unplanned outage due to expired certificates in the past 24 months. Another 41% reported four or more outages.
• The rate of failed audits is rising: on average, organizations experienced approximately five failed audits or compliance incidents due to insufficient key management within the past 24 months. Compared to other machine identity-related incidents, such as unplanned certificate outages or theft and misuse of keys and certificates, audit failures are considered the most serious, according to 75% of respondents. 
• Neglected SSH credentials and code signing keys are increasing security risk: 57% of respondents do not have an accurate inventory of SSH keys and 26% say they never rotate SSH credentials. Many enterprise teams continue to store sensitive code-signing keys on build servers (33%) and developer workstations (19%).
• Enterprises are struggling to establish internal policies, governance and best practices: only 1/3 of organizations report having a mature cryptographic center of excellence (CCoE) to support the direction and implementation of an enterprise-wide cryptography strategy. 
• Staffing shortages: 40% of respondents identified a lack of skilled personnel as a barrier to setting an enterprise-wide cryptography and machine identity strategy. Only 45% of teams say they have sufficient staff dedicated to their PKI deployment.

The study was conducted by Ponemon Institute on behalf of Keyfactor and includes responses from 1,162 IT and infosec executives and practitioners in North America and EMEA, spanning 12 industries, including financial services, healthcare, manufacturing, retail and automotive.

View the complete findings and download the 2021 State of Machine Identity Management Report today.

96% of North American enterprise IT security leaders say public key infrastructure (PKI) and digital certificates are essential to achieving zero trust architecture. Yet only 39% use PKI as part of their zero trust security strategy today according to an executive survey from Pulse Research and Keyfactor, the leader in PKI as-a-Service (PKIaaS) and crypto-agility solutions. The survey explores enterprise security priorities, the challenges of zero trust strategy implementation and the use of PKI and digital certificates within a zero trust architecture.

PKI is comprised of digital certificates and cryptographic keys that provide trusted and secure connections to protect user and machine identities. A zero trust model relies on trusted connections, controls and machine identity authentication to mitigate security risks and ensure machine-to-machine communications are secure.

Additional key findings:

• Adoption drivers: 68% are prioritizing zero trust strategy implementation for security risk mitigation with 50% citing time-to-breach detection reduction.
• Investment priorities: 72% of IT leaders cite cloud-first migration followed by remote workforce (65%) and digital customer experience improvements (46%).
• Budget allocation: 92% of respondents have allocated up to 20% of their 2021 technology budget to PKI and/or cryptography investments.
• Implementation challenges: 73% see technology gaps as their organization’s greatest barrier to implementation, followed by cost concerns (69%) and a talent or skills shortage (45%).
• PKI requirements: 71% of IT leaders are prioritizing key and certificate visibility, followed by enabling automation (56%) and cloud-first PKI deployment (49%).

The survey was conducted by Pulse Research on behalf of Keyfactor and included responses from 100 North American executive and VP-level IAM leaders in enterprises with between 5,000 and 10,000+ global employees.

View the complete findings and download the report today.

Keyfactor, the leader in PKI as-a-Service and crypto-agility solutions, today announced a strategic partnership with digital transformation solutions provider Infinite Ranges. The collaboration enables enterprise teams to overcome the DevSecOps gap through the implementation of best practices and automated solutions.

A recent survey of more than 600 IT and security professionals identified likely occurrences of code signing and key misuse in enterprise environments over the next two years; 73% of respondents experienced unplanned downtime and outages due to mismanaged digital certificates. Many enterprises employ Public Key Infrastructure (PKI) and digital certificates in DevOps workflows to secure code through its lifetime. However, traditional PKI relies on manual processes, making it ill-equipped for agile process requirements.

Infinite Ranges’ specialization as an implementation partner for both Keyfactor and Hashicorp Vault provides a unique offering within the market.

Keyfactor provides cloud-hosted PKI-as-a-Service infrastructure through integrated certificate and key management, secure signing and secure IoT device design. The platform provides discovery, integration and orchestration capabilities, enabling teams to gain complete crypto-agility, extensibility and visibility.

Cloud-based email management company Mimecast recently disclosed that a threat actor obtained one of its digital certificates and used it to gain access to some of its clients’ Microsoft 365 accounts.

Chris Hickman, chief security officer at Keyfactor, a leading provider of secure digital identity management solutions, says:

“These attacks are not about FireEye, SolarWinds or Mimecast; the disturbing trend we are seeing is that these breaches are becoming habitual. The threat actors behind the attacks, whether they are using the SolarWinds backdoor or another, are targeting certificates and credentials. They are leveraging cryptographic assets to gain network access and evade security controls. 

The current trendline indicates that parts of the industry are still treating certificates as ‘just certificates’ rather than cryptographic assets that play a more important role in hardening network security. Technology alone cannot prevent breaches like this – companies need to ensure that they have in place the right controls, policies and follow industry best practices in order defend themselves against the evolving thread landscape. Companies need to take a hard look at how they manage and secure digital certificates and cryptographic keys in order to better protect themselves and their customers.

Here are some best practices to mitigate misuse of keys and certificates:

• Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM
• Segregate duties between who is authorized to sign code, who can approve the request, and who can monitor and enforce compliance with signing policies.
• Maintain an active inventory of all certificates, where they are installed, who they were issued from, and who owns them (and your domains). 
• Control certificate issuance and approval workflows to ensure that every certificate is trusted, compliant with policy, and up-to-date.
• Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise.”

Keyfactor, the leader in crypto-agility solutions, and Per Scholas, a national non-profit that drives positive and proven social change in communities across the country through technology training, today announced a partnership program providing traditionally underrepresented individuals with access to mentorship and skills training for high-growth careers in the cybersecurity industry.

Per Scholas partners with leading employers, developing student curriculum that aligns to specific roles in the technology industry, including IT and security. As a Per Scholas partner, Keyfactor provides mentorship, curriculum input and training to help close the cybersecurity skills gap while addressing use cases unique to the evolving IT and cybersecurity threat landscape.

Together, Keyfactor and Per Scholas have defined an employer diversity plan using a three-prong strategy to encourage innovative thinking, implement diverse hiring practices and build awareness of demographic and societal imbalances.

IT and cybersecurity leaders are invited to attend a fireside chat to learn more about the partnership and diversity plan by registering at: https://summit.keyfactor.com/talks/fireside-chat/.

Individuals from Netflix and Microsoft will be keynote speakers for Keyfactor’s upcoming Critical Trust Virtual Summit, taking place on October 21-22, 2020.  Session information and details are below:

Looking Past the Pandemic: Futureproofing Against Data Risk

Presented by Ann Johnson, Microsoft – Corporate VP of Security, Compliance & Identity (SCI) Business Development

October 21, 2020 @ 2:25pm ET

People will create more than 175 Zettabytes of data by 2025. While this abundance of data fuels machine learning, artificial intelligence and automation, this abundance also presents risks to our security, economies and fundamental right to privacy as data also becomes one of our great assets to help address global challenges. Enterprises must now look beyond AI as just a proactive defense and consider data both an asset and a risk.

More info: https://summit.keyfactor.com/talks/looking-past-the-pandemic-futureproofing-against-data-risk/

How Netflix Delivers with Speed and Agility (And you can too!)

Presented by Andy Glover, Netflix – Director of Productivity Engineering

October 22, 2020 @ 2:30pm ET

As security teams work more closely with DevOps engineering, they need to move fast and be agile.  Andy will discuss how Netflix’s competitive advantage is the ability to innovate with speed and agility, which is facilitated by their culture. He’ll share his lessons learned from investing in automation to building centralized teams and how these benefits can also be adopted by your organization.

More info: https://summit.keyfactor.com/talks/guest-keynote-day-2/

Keyfactor’s two-day online event will offer over a dozen additional sessions and panels delivered by industry-leading innovators and practitioners specializing in crypto-agile best practices across IT, security, engineering and DevOps:

• Morgan Stanley and Mastercard –  Leadership in Cybersecurity: Insights from FinServ Experts
• HID –  Reign in Your Rogue Admins: Best Practices for Managing SSL/TLS Certificates
• Abbott and General Motors – Real-world Results for IoT Device Design Manufacturers
• M&T Bank and Sensata Technologies – Lessons Learned from PKI Experts
• ISARA and Thales – What to Watch Out for in 2021: Top Trends in Crypto
• Infinite Ranges –  Securing the CI/CD Pipeline Without Disrupting Developers

You can register here.

Keyfactor, the leader in crypto-agility solutions, today announced its inaugural digitally delivered conference, the Critical Trust Virtual Summit, which will take place on October 21-22, 2020. The two-day online event will offer more than 15 sessions and panels delivered by industry-leading innovators and practitioners specializing in crypto-agile best practices across IT, security, engineering and DevOps.

The Critical Trust Virtual Summit includes panels and sessions featuring top industry experts focused on Public Key Infrastructure (PKI) best practices, certificate lifecycle automation, zero trust manufacturing and future industry trends. Event presenters, industry partners and highlighted sessions include:

• Microsoft –  Looking Past the Pandemic: Futureproofing Against Data Risk
• Morgan Stanley and Mastercard –  Leadership in Cybersecurity: Insights from FinServ Experts
• HID –  Reign in Your Rogue Admins: Best Practices for Managing SSL/TLS Certificates
• Abbott and General Motors – Real-world Results for IoT Device Design Manufacturers
• M&T Bank and Sensata Technologies – Lessons Learned from PKI Experts
• ISARA and Thales – What to Watch Out for in 2021: Top Trends in Crypto
• Infinite Ranges –  Securing the CI/CD Pipeline Without Disrupting Developers

IT, DevOps and security leaders and practitioners can register for their free Critical Trust Summit pass by visiting: https://summit.keyfactor.com/.

Keyfactor, the leader in crypto-agility solutions, today announced the release of SSH Key Manager for Keyfactor Command, its complete certificate lifecycle automation and PKI as-a-Service platform. The solution replaces manual management methods, automating access and distribution of SSH (Secure Shell) keys across machines, applications and devices within the enterprise.

SSH keys are used to secure remote access to critical systems and applications. However, lack of adequate management and evolving cyber-attack vectors make SSH keys increasingly vulnerable to exploit. Developers and system administrators often generate SSH keys using default configurations, with many left unmanaged on the network and vulnerable to compromise.

As enterprises expand their use of cryptography to protect sensitive data and secure connections across the business, managing sensitive SSH keys, X.509 certificates and cryptographic keys – sometimes referred to as machine identities – becomes critical. Keyfactor enables customers to establish an end-to-end machine identity strategy, with a centralized platform to manage all keys and certificates in the organization.

According to Gartner, machine identity management “encompasses a number of technologies, that today remain mostly siloed (i.e., X.509 certificate management, SSH key management, as well as secrets and other crypto-key management).” Gartner advises security and risk management leaders focused on identity and access management (IAM) to “use full life cycle management or discovery-centric tools to audit the number of deployed machine identities; and to identify the potential risks from expiry and overall compliance.”*

SSH Key Manager for Keyfactor Command enables:

• Reduced risk exposure – maintaining a real-time inventory of SSH keys and the ability to delete or rotate weak or inactive keys.
• Complete visibility – allowing teams to find SSH keys and map trust relationships to users, machines and web services, whether on-premises or in the cloud.
• Greater control – providing a simple dashboard to identify risks, assign key permissions and simplify audits with easy-to-generate reports.
• Seamless automation – automating SSH key deployment as workloads are spun up in multi-cloud and CI/CD environments.

To learn more or to request a demo of the SSH Key Manager for Keyfactor Command, please visit: www.keyfactor.com.

*Gartner Hype Cycle for Identity and Access Management Technologies, 2020, 16 July 2020, Ant Allan

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.