Organizations Don't Know How Many Keys, Certificates They Have
Much of the problem, Ponemon and Hudson agree, comes down to the fact that organizations simply do not know how many cryptographic keys and certificates exist in their infrastructure. The survey found that 61 percent of U.K. organizations don't know exactly how many keys and certificates they have deployed.
The same is true of 59 percent of Global 2000 organizations in France, 54 percent in the U.S., 47 percent in Australia and 34 percent in Germany. And that inability to discover where keys and certificates are deployed, how they are being used and who is using them essentially means that an enterprise has lost its control over trust, Ponemon says.
The problem may also be even worse than the above numbers imply. Ponemon found that respondents, on average, estimated they had 17,807 keys and certificates each. But Hudson notes that organizations invariably have far more than they estimate.
"When we go into a Global 2000, on average, when we're done they have discovered five times more of these instruments than they thought they had," Hudson says.
"The scale of the problem means it's not a human problem anymore," Ponemon adds. "You really need to have the right tools in place to manage it."
Compromised SSH Keys Most Alarming Threat
Perhaps most alarming, and identified as the biggest threat by respondents working in the security trenches, is the possibility of SSH key theft and compromise, which has an average potential exposure cost of $75 million.
While not well-known outside the domain of the system administrator, SSH is used extensively to establish secure connections between computers and provides root access to systems. As organizations adopt cloud computing, SSH keys become an even more tempting target, as SSH is used to maintain control and ownership of cloud systems like Amazon Web Services and Microsoft Azure.
SSH has been infrequently audited in the past, despite the fact that criminals who obtain keys used by a trusted administrator or system could compromise all connected systems and data, even if it's encrypted.
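The survey's point is that the first step is discovery: an administrator cannot revoke or audit keys nobody has counted. The following Python is an added example, not code from the article or from the survey's authors, of the kind of audit a defender would run over an SSH authorized_keys file: it counts keys by type, fingerprints each one, and flags the same key authorised more than once and keys that carry no from=/command=/restrict options. The file content and key blobs are constructed test data.

```python
import base64
import hashlib
import shlex
from collections import Counter

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _blob(material: bytes) -> str:  # constructed stand-in for a public-key blob, not a real key
    return base64.b64encode(material).decode()
# Constructed authorized_keys content covering the cases an audit should surface.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real file",
    "ssh-ed25519 " + _blob(b"\x01" * 32) + " alice@laptop",
    'from="10.0.0.0/8",command="/usr/bin/backup" ssh-rsa ' + _blob(b"\x02" * 64) + " backup@host",
    "",
    "ssh-ed25519 " + _blob(b"\x01" * 32) + " alice@old-laptop",  # same key authorised twice
    "ecdsa-sha2-nistp256 " + _blob(b"\x03" * 65) + " svc@ci",
])
def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: base64 of sha256(raw blob) with padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
def parse_line(line: str):
    """Return (options, key_type, blob, comment), or None for blank/comment/unparseable lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    tokens = shlex.split(line)  # keeps quoted option values such as command="..." together
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tokens[:i], tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None
def inventory(text: str) -> dict:
    """Count keys by type and flag duplicate keys and keys carrying no restrictions."""
    seen, by_type = {}, Counter()
    report = {"total": 0, "duplicates": [], "unrestricted": []}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, key_type, blob, comment = parsed
        fp = fingerprint(blob)
        report["total"] += 1
        by_type[key_type] += 1
        if fp in seen:  # revoking one copy of a duplicated key leaves the other in place
            report["duplicates"].append((fp, seen[fp], comment))
        seen.setdefault(fp, comment)
        if not options:  # no from=/command=/restrict: unrestricted login from any source
            report["unrestricted"].append(fp)
    report["by_type"] = dict(by_type)
    return report
```

Run `inventory()` over each host's authorized_keys files and merge the fingerprints to get the fleet-wide count the survey respondents were missing; the same fingerprints can then be matched against the keys an organisation believes it issued.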
"The journey to regaining control over trust will require bringing together process, policy, people and technology," Ponemon says. "Best practices, such as those from NIST on preparing and responding to CA compromises and on managing the key management lifecycle, are valuable. Guidance from regulators, such as the U.K. Information Commissioner's Office (ICO) on cloud computing and data privacy, also provides valuable frameworks for maintaining control over trust in the current and emerging age of computing."
Ponemon also suggested Forrester Research's report "Kill Your Data to Protect It from Cybercriminals" as a primer on defending data and trust.
"Ultimately, as this research demonstrates, organizations' control over trust remains only as strong as their ability to manage cryptographic keys and digital certificates," Ponemon adds.