Basic security protection still needs to improve
When it comes to securing PKI and certificate authorities, there seems to be a serious gap between current best practice and reality. Of the answers given, nobody identified 2-factor authentication as part of their security. Instead, 53% still rely on passwords, which is of major concern.
It is not all bad news. 41% are beginning to use documented formal security practices and 48% say that they are deploying strong authentication for administrators. Unfortunately, the study didn’t ask or look at exactly what that meant. The use of hardware security modules is a good start, but there is no reason why that shouldn’t be more common than passwords.
It is not just basic security that is lacking here. There is a real need for better ownership of PKI. Only 11% of respondents admitted to having responsibility for PKI, with just 7% being closely involved in the specification and deployment of PKI. This low level of ownership is of great concern and is likely to be why so few companies have made better use of PKI.
According to Dr. Larry Ponemon, chairman and founder of The Ponemon Institute: “On average, companies today are using their public key infrastructure (PKI) to support seven different applications. While the results of this study demonstrate some use of best practices, including strong authentication and hardware security modules, they also reveal that lower security options like passwords are still prevalent – which is concerning in light of the increased dependency on PKIs today.”