British Airways experienced a severe IT outage on February 25, 2022, leading to flight cancelations, grounded aircraft, and frustrated travelers. The airline’s website and mobile applications were also down, which meant that customers were unable to check in or make flight reservations. The British carrier insisted that the problems were not the result of a cyberattack.
Passengers found themselves stuck at London Heathrow with the crew unable to access IT systems. Not only were travelers unable to check in for flights, but arriving passengers also found themselves stuck on aircraft due to the airline’s inability to electronically secure a stand for parking planes.
In a statement, British Airways said that it was experiencing “significant technical issues” affecting the running of its operation and leading to the cancelation of some flights. “We are working as quickly as possible to resolve things, and we have backup plans in place so that customers flying can still check-in at the airport this evening,” the airline added.
Today’s IT infrastructures are highly complex. Unlike before, the data center is no longer the hub of network activity. The majority of applications and workloads have moved to the cloud, and most of the work gets done outside the data center. Organizations continue to add IoT devices, blockchain technology, and other cutting-edge innovations to their infrastructure, which is dramatically expanding the network. Further, large-scale remote work has led to employees accessing enterprise data and applications over the public internet on their own devices.
All the above factors have opened up a huge attack surface and multiple opportunities for malicious actors to infiltrate corporate networks. Going by the trends in recent cyberattacks, it is increasingly evident that relying solely on the network perimeter and legacy firewalls puts enterprise security at high risk. The scale and complexity of today’s infrastructures demand advanced protection mechanisms that can adapt to changing security dynamics across all environments – on-premises, the cloud, and the edge.
Security has become the top priority for enterprises riding the digital wave, and Public Key Infrastructure (PKI) stands as the first and most crucial layer of defense against attackers for an internet-facing system. However, certificate-related issues still plague businesses, resulting in thousands of dollars’ worth of losses every single year.
PKI setups have a long way to go before they are considered truly secure and effective. Security teams continue to leverage legacy techniques to manage digital certificates and keys, resulting in outages and security breaches hitting corporations harder than ever before. What’s more, tech leaders anticipate the rapid growth of new technologies that will require authentication and security mechanisms, making the issue more pressing than ever – businesses need to step up their PKI management standards as quickly as possible.
According to MarketsandMarkets, the global PKI market size is projected to grow from USD 3.9 billion in 2021 to USD 9.8 billion by 2026, at a CAGR of 20.2%. The banking, financial services, and insurance (BFSI) industry vertical is expected to hold the highest market share in the PKI market.
The PKI ecosystem can experience turbulence for many reasons, and the effects are just as varied. Of course, remediation is a protracted effort in the real world. Determining the cause of a certificate issue alone takes a significant amount of analysis and time. Manually choosing the location and configuration of the certificate is not easy, either. What’s more, these come with a cost – outages and data breaches cost corporations millions of dollars in business losses, fines, and remediation costs every single year.
Outages are commonplace.
With the number of connected devices on the rise, the number of certificates they require is rising too – bringing with them a range of management issues and niggles that manual management only exacerbates.
A majority do not adhere to the mandated best practices for PKI management.
The methods used to manage certificates and keys are collectively a critical factor in determining the potency of an organization’s PKI management strategy. What is the tactic you employ for private key storage? Are you still using legacy systems, spreadsheets, and home-grown solutions to manage your PKI?
Private keys form the cornerstone of certificate management, acting as the decrypting half of the key pair in the asymmetric encryption used by almost all X.509 certificates. Naturally, keeping them highly secure is a top priority for businesses. A compromised key is the weak link a hacker would need to infiltrate a network and commit espionage or data theft.
It is recommended that you use AES-256 encryption or Hardware Security Modules (HSMs) for storing private keys. The latter offer the highest level of security available – both physically and in terms of encryption capabilities, making it nearly impossible for a criminal to misappropriate a private key by cracking it.
Does your organization enforce monitoring and auditing of certificate infrastructure in real time? While monitoring the network helps administrators spot anomalies and rectify them quickly, audits and audit trails enable organizations to adhere to policy and avoid undocumented large-scale network changes.
Businesses face significant fundamental challenges in deploying and managing PKI.
Over the last decade, the complexity of deploying PKI setups and efficiently managing them has multiplied. Developments like shrinking certificate validity, emerging technology, a rapidly increasing number of connected devices, and evolving standards have made it increasingly challenging for NetOps and SecOps teams to keep their certificate infrastructures in perfect working order – the presence of thousands of certificates eventually results in slippages like unnoticed expirations or lost certificates.
The top concern is a lack of visibility into their certificate infrastructures. With multiple departments across geographies requesting and enrolling certificates onto endpoints, the lack of a structured process results in certificates being lost on the network. For instance, when a single certificate expires, administrators can find it incredibly difficult to track, locate, and renew it.
A lack of understanding of PKI, a shortage of skilled PKI management personnel, and technological limitations are causes for concern as well. As more new technologies like cloud applications and the Internet of Things find applications in the market, network teams often find it challenging to apply suitable PKI strategies because of a lack of awareness.
Disruptive new technologies will require PKI for security and authentication.
Network and security personnel foresee the rise of cutting-edge technology in the markets of tomorrow – and all of them will require their endpoints to be safeguarded by PKI to protect the data they transmit and store.
The Internet of Things (IoT), followed by cloud applications and mobile technology, will require specialized PKI setups to function, each with its own set of standards and protocols that need to be followed. Businesses poised for growth will most certainly have to include them on their roadmaps, and their PKI infrastructures along with them.
Certificate lifecycle automation is the need of the hour.
A dedicated tool to automate and manage certificate lifecycles would alleviate most of these issues, from expiry-triggered outages to limited visibility, a lack of real-time monitoring, and so on.
While businesses continue to invest in technology that helps manage PKI, their money isn’t in the right place. Most organizations rely on certificate authority (CA)-issued software and/or custom solutions developed by internal IT to manage certificates and keys, rather than investing in dedicated certificate management tools. While the immediate cost benefits of this approach are tangible, it isn’t feasible in the long run.
CA-provided software is an excellent alternative for businesses with a minimal quantum of certificates. However, with companies now using a veritably massive number of certificates issued by multiple CAs, and across varying endpoints, devices, and virtual instances, the effectiveness of software built by a CA, which focuses on managing the certificates that CA itself issued, quickly fades away. Such software also lacks the deep multi-vendor integration and workflow automation capabilities that dedicated tools have.
Home-grown, custom solutions have their faults as well. In addition to the drawbacks of using CA-provided tools, these solutions also lack cohesive functionality. They are usually developed on an ad-hoc basis and not centrally deployed across a network, limiting visibility. Moreover, they aren’t scalable and fail to exert the intended level of control over a network’s constituent certificates once the number exceeds a certain threshold.
Use your certificate lifecycle management (CLM) tool to actively monitor the status of certificates and keys on your network. Create reports of key metrics (such as approaching renewals, expired certificates, and so on) that update in real time to promote quicker response times. Run periodic scans across the network to ensure that your certificate inventory is always up to date.
Ensure that every change made to the PKI environment is thoroughly documented. Automate this process to reduce human effort in this regard. With an audit trail in place, anomalies can easily be detected, isolated, and resolved, saving teams the step of scanning the entire ecosystem for issues when a problem is detected.
A CLM tool integrates with your network to enable full-cycle automation. An end-to-end certificate lifecycle automation (enrollment, provisioning, validation, revocation, renewal, and auditing) platform like AppViewX CERT+ removes the need for manual intervention throughout the certificate lifecycle. Information security personnel can remain blissfully unaware of expiring certificates and run the show with zero service disruptions. Set up tasks that will automatically renew certificates when they near expiration or custom workflows that can revoke and reissue all the certificates issued by a particular CA.
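The expiry report and the per-CA renewal queue described above, as an added example (not code from AppViewX or any other CLM product): it classifies a constructed certificate inventory by expiry and groups the certificates that need action by issuing CA. The 30-day renewal window, host names, and CA names are assumptions.

```python
import ssl
from collections import Counter

RENEW_WINDOW_DAYS = 30  # assumed renewal threshold; the page does not name one
# Fixed "now" (the outage date from the article) keeps the sample run reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Feb 25 12:00:00 2022 GMT")

# Constructed inventory, shaped like the result of a network scan. notAfter uses
# the text format returned by ssl.SSLSocket.getpeercert().
INVENTORY = [
    {"host": "shop.example.test", "issuer": "Example CA 1", "notAfter": "Mar  1 00:00:00 2022 GMT"},
    {"host": "api.example.test",  "issuer": "Example CA 2", "notAfter": "Mar 20 12:00:00 2022 GMT"},
    {"host": "vpn.example.test",  "issuer": "Example CA 1", "notAfter": "Feb 24 23:59:59 2022 GMT"},
    {"host": "mail.example.test", "issuer": "Example CA 2", "notAfter": "Jan 15 00:00:00 2023 GMT"},
    {"host": "old.example.test",  "issuer": "Example CA 1", "notAfter": "not-a-date"},
]

def classify(record, now, window_days=RENEW_WINDOW_DAYS):
    """Return (status, whole days left) for one inventory record."""
    try:
        expires = ssl.cert_time_to_seconds(record["notAfter"])
    except (KeyError, ValueError):
        return "UNKNOWN", None  # surface unreadable entries instead of hiding them
    days_left = (expires - now) // 86400
    if expires <= now:
        return "EXPIRED", days_left
    return ("RENEW" if days_left < window_days else "OK"), days_left

def build_report(inventory, now):
    """Annotate every record; unknown expiry first, then fewest days left."""
    rows = []
    for rec in inventory:
        status, days = classify(rec, now)
        rows.append({**rec, "status": status, "days_left": days})
    rows.sort(key=lambda r: (r["days_left"] is not None, r["days_left"] or 0))
    return rows

def renewal_queue_by_issuer(rows):
    """Group hosts needing action by issuing CA, for per-CA renewal workflows."""
    queue = {}
    for r in rows:
        if r["status"] in ("EXPIRED", "RENEW"):
            queue.setdefault(r["issuer"], []).append(r["host"])
    return queue

if __name__ == "__main__":
    report = build_report(INVENTORY, SAMPLE_NOW)
    print(dict(Counter(r["status"] for r in report)))
    for r in report:
        print(f'{r["status"]:8} {str(r["days_left"]):>5}  {r["host"]}  ({r["issuer"]})')
    print(renewal_queue_by_issuer(report))
```

Records whose expiry cannot be parsed sort to the top of the report, since a certificate with an unknown end date is the kind that gets lost on the network.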