What is the key security certification for PKI?

Unsurprisingly, FIPS 140 is seen by 67% as an important security certification for PKI infrastructure and by 63% as important for deploying PKI applications. While FIPS 140 is a US standard required for anyone dealing with the US government, its impact is being felt worldwide as companies bid for work with the US government and service providers look to ensure that their infrastructure is as secure as possible.

Just behind FIPS 140 is the Common Criteria, with 61% citing it for PKI infrastructure and 59% for deploying PKI-based applications. Again, its prominence is significant, and both of these results show that companies are finally taking security seriously. However, it is not enough to use these certifications as reasons for deploying PKI if companies are still going to use passwords as their primary means of securing access. This is another area where best practice and poor internal controls are in conflict, which should concern the CISO.

Surprisingly, regional standards such as digital signature laws come in third but are a long way behind FIPS 140 and Common Criteria. Just 31% see regional standards as a key requirement for deploying PKI infrastructure and only 28% see this as important for deploying PKI-based applications. With Europe about to enact the General Data Protection Regulation, there is a need for all companies, irrespective of where they are located, to pay more attention to digital signature laws.

What is of major concern is that 17% said that they do not see certification as an important factor when deciding on their PKI infrastructure and 25% do not see certification as a reason for deploying PKI-based applications. Without access to those companies to ask why they gave this response, it is hard to know whether this is because they believe that PKI is a requirement irrespective of certification requirements or because they have little interest in the requirements of current certifications. If the former, this is an enlightened view which is to be commended. If the latter, it points to potentially serious problems in the way security is considered inside these organisations.


PKI has had a bad reputation for many years in terms of its complexity and problems with deployment. Over the past few years however, vendors have done a lot to simplify their products and make it much easier for companies to deploy both PKI and enable PKI for their applications.

Given the results of this study, it may be that the respondents have inherited older PKI environments and are not hitting the limits of what can be achieved, or that their existing installations are poorly defined. However, with 52% of companies saying that they had specialist staff to look after their PKI, the main reason for companies not reporting better deployment can only be a lack of resources and training.

As cybercriminals continue to develop their skills and capabilities, there is no excuse for companies to fail to invest in training and resourcing their own security teams. If they do not, all that will happen is that the likelihood of a major breach will increase. We know that regulators are no longer willing to just go after IT and security administrators as sacrificial lambs. Instead they are looking at the decisions that are being made at board level, so it is important that boards make money and resources available to resolve the issues this report has identified with their PKI deployments and use of PKI for applications.
