The purpose of this research is to determine how effective the financial services industry is in managing the certificate lifecycle, PKI and securing the software supply chain. As shown in this research, 62 percent of respondents say their organizations experienced one or more outages or security incidents due to an issue with digital certificates that resulted in diminished service quality or availability. Forty-eight percent of respondents say their organizations have been impacted by one or more software supply chain attacks or exploits in the past year. Some of the adverse consequences included putting customers at risk due to a system compromise and prolonged disruption to operations.
Sponsored by DigiCert, Ponemon Institute surveyed 2,546 IT and IT security practitioners in the United States (507 respondents), the United Kingdom (295 respondents), Canada (272 respondents), DACH (Germany and Switzerland, 363 respondents), France (361 respondents), Australia (237 respondents), Japan (252 respondents) and Singapore (259 respondents). Forty-eight percent of respondents work in banking and 52 percent are in the insurance industry. All respondents are familiar with their organization’s PKI and involved in certificate lifecycle management (CLM). Ninety-six percent of respondents either have responsibility (47 percent) or share responsibility with others (49 percent) for setting and/or implementing their organizations’ software supply chain security strategy.
Conducting inventories to identify every certificate is critical for crypto-agility and becoming quantum-ready. A key takeaway from the research is that more than half of respondents (51 percent) say their organizations are not taking an inventory to identify every certificate within the organization. Similarly, 51 percent of respondents do not know how many digital certificates, including private root or privately signed, their organizations have. Thirty-six percent of respondents say the most important feature of a CLM solution is the continuous discovery of public and internal certificates. Another 36 percent of respondents rank lifecycle automation using standard and proprietary interfaces among the top two most important features.
The following research findings describe the current state of CLM, PKI and software supply chain security.
- Most organizations are in the dark about their certificate inventory and the kind of certificates they have. As discussed above, a key takeaway from the research is that more than half of respondents (51 percent) say their organizations are not taking an inventory to identify every certificate within the organization. Similarly, 51 percent of respondents do not know how many digital certificates, including private root or privately signed, their organizations have. Without this visibility, organizations are at risk because of unsecured certificates within their organization.
- A CLM solution must support multiple CAs to allow for redundancy and to accommodate the decentralized nature of PKI within enterprises. Thirty-three percent of respondents say support for multiple CAs is one of the most important features when choosing a CLM solution.
- Certificate outages are common, mostly due to expirations or revocations, and can be addressed by a CLM solution. Sixty-two percent of respondents say their organizations experienced one or more outages due to an issue with digital certificates. These outages were mainly due to expired certificates, revoked certificates and misconfigured certificates. These risks can be mitigated with an automated CLM system that streamlines the process of CLM through a variety of automated workflows done within a single platform.
- The most important feature of PKI solutions is the ability to consolidate management of public CA and private CA certificates. According to respondents, the most important feature when choosing a PKI is a single vendor for public CA and private CA certificates (46 percent of respondents). Also important is scalability and performance (46 percent of respondents). The PKI technologies most often used are service provider/cloud provider managed private PKI (44 percent of respondents), internal private PKI (42 percent of respondents) and managed PKI service (e.g. SaaS PKI or PKI as a service) (29 percent of respondents).
- A digital certificate, also known as a public key certificate, is used to cryptographically verify the ownership of a public key. Digital certificates are for sharing public keys to be used for encryption and authentication. According to the research, the most important use case for digital certificates is user authentication for WiFi, VPN or other network access (59 percent of respondents). Authenticating cloud workloads (55 percent of respondents) indicates progress in modernizing digital certificate security. Another important use case is digital signatures for electronic documents (54 percent of respondents).
- Software supply chain attacks are growing, primarily from security issues with open source software. Forty-eight percent of respondents say their organizations have been impacted by one or more software supply chain attacks in the past year. Most of these attacks were caused by malware, vulnerabilities or other threats in open source software. The two top consequences were customers at risk due to a system compromise and prolonged disruption to operations.
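An added example (not code from the Ponemon/DigiCert report) of the inventory and expiry check that the findings on missing certificate inventories and expiration-driven outages call for: it walks a PEM bundle, records each certificate's subject and days to expiry, and flags anything expired or inside a renewal window. The host names, the warning window and the self-signed test certificates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

type Entry struct {
	Subject  string
	DaysLeft int    // negative once the certificate has expired
	Status   string // "expired", "expiring" or "ok"
}

// Inventory parses every CERTIFICATE block in a PEM bundle and classifies it
// against now; warnDays is the renewal window that should already trigger action.
func Inventory(bundle []byte, now time.Time, warnDays int) ([]Entry, error) {
	var out []Entry
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" { // bundles often carry keys and CSRs too
			continue
		}
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		status := "ok"
		switch {
		case now.After(cert.NotAfter):
			status = "expired"
		case days <= warnDays:
			status = "expiring"
		}
		out = append(out, Entry{cert.Subject.CommonName, days, status})
	}
	return out, nil
}

// SelfSigned builds a constructed test certificate (not a real CA issuance) so the inventory runs offline.
func SelfSigned(cn string, start, end time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: start, NotAfter: end}
	der, _ := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

In practice the bundle would come from the discovery step (exported certificate stores, TLS endpoints, config repositories) rather than from SelfSigned.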
To read the full findings of this report, visit DigiCert’s website.