New research has evaluated current and projected growth rates of cryptographic keys and digital certificates in the enterprise for 2016 and 2017.
Critical cryptographic assets
Respondents to the study, produced by Venafi, included 505 IT professionals who manage these critical cryptographic assets in the U.S., U.K., France and Germany.
“This research shows the growth in encrypted HTTPS to create secure and authenticated connections for web applications, cloud services and IoT continues to explode,” said Kevin Bocek, Vice President of Security Strategy and Threat Intelligence for Venafi. “Despite this dramatic growth, more than half of organisations rely on chaotic, error-prone, manual processes to protect these critical encryption assets.”
Key study findings for UK:
- 88% of UK respondents said key and certificate usage had increased in the last 12 months and half said that it had risen by more than a quarter
- 56% said that they expected key and certificate usage to rise by 25% or more in 2017
- Yet only 42% of British organisations manage their keys and certificates centrally
Key global study findings:
- 58% said their organisations used more than 2500 keys and certificates in 2016. One in four organisations used more than 10,000 keys.
- In 2016, 50% saw their key and certificate use grow by more than 25%, and one in five say key and certificate usage has increased by more than 50%.
- 49% say key and certificate use will grow by more than 25% over the next 12 months.
- Although 96% say that key and certificate management is part of their security program, only 34% say they manage their keys and certificates centrally.
DevOps, containers and the cloud
“Widespread adoption of DevOps, containers, and cloud services is probably not factored into these growth rates and that means the total number of keys and certificates organisations believe they will use is probably still too low,” noted Bocek. “In our work with Global 5000 organisations, most organisations find an average of 16,500 keys and certificates that were previously unknown and each unknown key and certificate represents an unknown encrypted tunnel. These dramatic growth rates, combined with organisations’ haphazard approach to protecting keys and certificates, present a golden opportunity for cyber criminals.”
Privacy laws and encryption
Privacy laws and security regulations require enterprises to encrypt an increasing percentage of network traffic. But most companies are unable to inspect encrypted traffic for threats. This is due to the inability to intelligently automate and protect the secure distribution of keys and certificates. This gap in security lets cyber criminals easily hide in encrypted tunnels and mask their activities. A recent study from A10 Networks found that 41% of cyber-attacks used encryption to evade detection.
Edited from press release by Jordan Platt.