
Keyfactor: 2022 State of Machine Identity Management Report (English version) (47 pages).pdf


1、State of Machine Identity Management2022Chris HickmanChief Security Officer(CSO)2ForewordTraditionally,IT and security leaders have viewed identity and access management(IAM)through the lens of human identity.In this context,IAM is about how users are identified,authenticated,and authorized to acces

2、s data and applications.Theres just one problem human identities are only one cog in the IAM machine.Today,your workforce is part human,part machine.In fact,the number of machines,including everything from servers,containers,end-user and IoT devices,likely far outnumbers humans on your network.And,t

3、heres only growth on the horizon.As we shift from tradi-tional IT to more dynamic workloads in the cloud and at the edge,the number of machines is growing.They run our websites and applications,they connect us with our customers,they even drive split-second decisions through AI and process automatio

4、n.Just like humans,every one of these machines needs an identity,and every one of these identities must be managed and protected.Unlike human identities,though,machine IDs come in the form of cryptographic keys,digital certificates,and other secrets.Growing use of machine IDs has forced IT organizat

5、ions to re-think how they define IAM.Thats why Im excited to share our second annual State of Machine Identity Management(MIM)report.This years report makes one thing clear;enterprises cannot ignore the role of public key infra-structure(PKI),cryptography,and machine IDs within the broader IAM lands

6、cape.No longer niche technologies,they are essential to IAM strategy.In the era of zero-trust,identity must be top of mind for CISOs,and building a solid machine identity management program is key.At Keyfactor,we work with security leaders,engineers,developers,and product teams to solve even the mos

7、t complex PKI and machine identity challenges,and Im excited to lift the veil on much of what we see every day.3ContentsForeword 2Executive summary 4Introduction 4The evolving role of PKI and machine identities in IAM strategy 5Key findings and takeaways 6Complete findings 10Trends in cryptography a

8、nd machine identity management 11PKI and certificate management practices 19Code signing practices 25SSH identity management practices 30The impact of outages,machine ID compromise,and failed audits 33Recommendations 38Methodology 41Respondent demographics 42Research limitations 46About Keyfactor an

9、d Ponemon 474IntroductionWelcome to the second-annual State of Machine Identity Management report,an in-depth look at the role of PKI and machine identities in securing modern enterprises.Within the overarching domain of identity and access management(IAM),machine identity management(MIM)focuses on

10、manag-ing device and workload identities,such as X.509 certificates,SSH credentials,code signing keys,and encryption keys.In this report,we explore findings from a survey independently conducted by the Ponemon Institute and published by Keyfactor.The report sheds light on how organizations are deplo

11、ying and managing their PKI and machine identities today,and what risks and challenges they face as the role of PKI and machine identities continues to evolve.This year,we analyzed survey responses from 1,231 individuals across North America and Europe,the Middle East,and Africa(EMEA).Survey respond

12、ents work in all areas of the IT organiza-tion,from information security to infrastructure,operations,and development.Executive Summary1,231122Survey respondentsIndustriesGlobal regions5The evolving role of PKI and machine identities in IAM strategy“Right now,machine identity management tooling deci

13、sions such as picking a best-of-breed or an all-in-one strategy often dont receive broad enough attention in organizations.”Executive SummaryGartner,2022 Planning Guide for Identity and Access Management,11 October 202166%Say they are familiar with the concept of machine identity managementAs we ref

14、lect on this years findings,two overarching themes come to the forefront:trust and agility.In the face of disruption and uncertainty,enterprises have embraced the zero-trust principle,“trust nothing,validate everything.”In this model,public key infrastructure(PKI)and machine identities have emerged

15、as essential technologies to authenticate and establish digital trust between users,devices,and workloads across the business.However,trust isnt static.As the threat landscape evolves,and new technologies like quantum computing emerge,security standards will inevitably change.An organizations abilit

16、y to effectively manage and quickly adapt PKI infrastructure and machine identities to new algorithms,standards,and environments a concept known as crypto-agility is equally important.Awareness of machine identity management is growing,but more attention is needed.IT and security leaders are becomin

17、g more aware of the need for a centralized strategy to manage cryptography and machine IDs,but more attention is needed.Sixty-six percent of respondents say they are either familiar or very familiar with the concept of machine identity management,up from 61 percent in last years study.6The key findi

18、ngs described here are based on Keyfactor analysis of the research data compiled by Ponemon Institute.PKI and machine identities are essential to zero-trust strategy and cloud migration.As zero-trust takes its place in modern cybersecurity,PKI and machine identities play an essential role.According

19、to respondents,the most important trends driving further adoption of PKI,keys and certificates are zero trust security strategy(54 percent of respon-dents),cloud-based services(49 percent),the remote workforce(45 percent),and IoT devices(44 percent).The volume of machine identities is growing rapidl

20、y especially internally issued certificates.On average,respondents say there are approximately 267,620 internally trusted certificates issued across their IT organization(e.g.,issued from an internal PKI),compared to just 1,942 publicly trusted certificates(e.g.,issued from a publicly trusted CA).Th

21、e average number of internally trusted certificates grew nearly 16%since last years study.More certificates and shorter lifespans are proving difficult to manage.Seventy percent of respondents say the growing use of keys and digital certificates has significantly increased the operational burden on

22、their IT organization,up from 62 percent in 2021.Another 65 percent are concerned about the increased workload and risk of outages due to shorter SSL/TLS certificate lifespans,up from 59 percent in last years study.It is worth noting that in September 2020,the lifespan of publicly trusted SSL/TLS ce

23、rtificates was cut in half,from 27 months to just 13 months.Since the 2021 study,the impact of this change has been fully realized.267kSay zero-trust is a top trend driving further use of PKI,keys and certificatesAverage number of inter-nally issued certificates in an IT organizationKey findingsExec

24、utive Summary54%65%Are concerned about the increased workload and risk of outages caused by shorter SSL/TLS certificate lifespans7The frequency and severity of certificate-related outages is growing.If left untracked,certificates expire unexpectedly,causing critical applications or services to stop

25、working.Most respondents(81 percent)report experiencing at least two or more certificate-related outages in the past 24 months,up from 77 percent in 2021.Time to recovery(TTR)is slow,with 67 percent of respondents saying it takes three or more hours to recover from an outage.PKI infrastructure is ev

26、erywhere and its trending toward the cloud.PKI no longer consists of just one or two CAs behind the four walls of a datacenter.While the most common method for deploying PKI is still an internal private CA(47 percent of respondents),many respondents also say theyre leveraging a managed or SaaS-deliv

27、-ered PKI solution(36 percent)or a private CA running in the public cloud(31 percent).Skills shortages and lack of personnel still hinder PKI deployments.Despite its importance,IT organizations often lack the skills and expertise to dedicate to their PKI deployment.Fifty-four percent of respondents

28、say they have six or more staff involved in deploying and managing PKI.However,half of respondents say they still dont have enough personnel dedicated to their PKI,a slight decrease from 55 percent in last years study.Theft and misuse of machine identities is a growing security concern.Sixty-one per

29、cent of respondents say the theft or misuse of machine identities,such as private keys associated with SSL/TLS or code signing certificates,is a serious or very serious concern,a significant increase from 34 percent of respondents in last years study.Further-more,50 percent of respondents say their

30、organization is likely or very likely to experience further incidents of machine identity theft or misuse in the next 24 months.3.3Hrs36%Average time it takes teams to recover from a certificate-related outageSay their organization leverages a managed/SaaS PKI solutionSay they dont have enough IT pe

31、rsonnel dedicated to their PKI Key findings|Executive Summary50%Say theft or misuse of keys and digital certificates is a serious concern61%1.Lifecycle automation2.Visibility of all certs3.Suport for multiple CAs 4.Flexible deployment 5.Extensibility 6.Detailed audits/reports8Adoption of certificate

32、 lifecycle management tools is growing,but spreadsheets still common.Forty-four percent of respondents say their organizations use a dedicated certificate lifecycle management(CLM)solution,a signif-icant increase from 36 percent of respondents in 2021.However,many still rely on a patchwork of manual

33、 spreadsheets(42 percent of respondents),tools provided by their SSL/TLS vendor,and homegrown tools(38 percent)to manage certificates.Visibility and lifecycle automation emerge as top priorities for PKI and certificate management.According to respondents,getting complete visibility of all certif-ica

34、tes and lifecycle automation were the top two most important factors when choosing a PKI and certificate management system,a significant increase over last years study.Key findings|Executive SummaryComplete visibility of all certificates 57%Lifecycle automation 60%Detailed auditing and reporting 37%

35、Extensibility 44%Support for multiple CAs 49%Flexible deployment options 48%Say their organization uses a dedicated certificate lifecycle management(CLM)solution 44%9Sensitive code signing keys are not being properly protected.Only 47 percent of respondents say their organization has formal access c

36、ontrols and approval processes for code-signing keys,an improvement from 36 percent in 2021,but still a significant gap.Many respondents also report that sensitive code-signing keys are still found on build servers(37 percent)and developer workstations(17 percent).Crypto-agility remains the top stra

37、tegic priority for machine identity management.Preparing for crypto-agility(e.g.,algorithm changes,post-quantum crypto,CA compromise)was ranked as a top strategic priority for digital security by 57 percent of respondents,followed by reducing complexity in IT infrastructure(55 percent)and investing

38、in hiring and retaining qualified personnel(53 percent).More organizations are recognizing the need for a Crypto Center of Excellence(CCoE).A crypto center of excellence(CCoE)provides leadership,defines ownership,and lays out guidance for the use of machine identi-ties.Forty percent of respondents s

39、ay they have a mature CCoE,an increase from 33 percent of respondents in the 2021 study.Another 30 percent of respondents say they have a CCoE,but its still immature.2157%Average number of code-signing certificates within IT organizations Say crypto-agility is a top priority for digital security in

40、their organization Key findings|Executive SummarySay their organization has a mature Crypto Center of Excellence(CCoE)40%“Assign an official organizational team name such as the machine identity platform team or the crypto center of excellence,or roll it up under the enterprise architect board whate

41、ver sticks for your organization.”Gartner,2022 Planning Guide for Identity and Access Management,11 October 202110In this section,we analyze the complete findings of the research.We have organized the topics in the following order:1.Trends in cryptography and machine identity management2.PKI and cer

42、tificate management practices3.Code signing practices4.SSH identity management practices5.The impact of outages,machine ID compromise,and failed auditsComplete findings11Enterprise-wide cryptography and machine identity management strategies increase slightly.As shown in Figure 1,42 percent of respo

43、ndents say they have an overall machine identity management strategy that is applied consistently across the entire enterprise.Another 42 percent of respondents say they have a limited strategy that is applied to certain applications or use cases.We have an overall crypto or machine identity managem

44、ent strategy that is applied consistently across the enterpriseWe have a limited crypto or machine identity management strategy that is applied to certain applications or use casesWe do not have a crypto or machine identity management strategyFigure 1.Does your organization have an enterprise-wide s

45、trategy for managing cryptography and machine identities?Strongly agree and agree responses combined.Trends in cryptography and machine identity managementComplete findings18%(2021)42%(2021)40%(2021)42%16%42%12Responsibility for cryptography strategy is unclear.Figure 2 shows that responsibility for

46、 cryptogra-phy strategy is not clearly aligned to any one group in the IT organization.IT operations leads the way(27 percent of respondents),followed by CISO/IT security(20 percent of respondents),Networking and DevOps/DevSecOps(both 14 percent of respondents).A possible reason why there is no comm

47、on owner for cryptography strategy in the enterprise is because PKI and machine identities are so widely used by different teams across the organization,including end-user devices,web servers,networking equipment,CI/CD toolchains,and many more use cases.Figure 2.Who is responsible for enterprise cry

48、ptography strategy?Trends in cryptography and machine identity management|Complete findingsIT OperationsCISO/IT SecurityNetworkingDevOps/DevSecOpsRisk/ComplianceNo defined owner/teamOther27%29%20%19%14%18%14%13%9%8%11%12%5%1%2022202113Figure 3.Biggest challenges in setting enterprise-wide cryptograp

49、hy or machine identity management strategyTwo responses permittedUncertainty and lack of skilled personnel remain top challenges.The two most common challenges involved in setting an enterprise-wide crypto or machine identity management strategy are too much change and uncertainty and lack of skille

50、d personnel(both 41 percent of respondents),as shown in Figure 3.Trends in cryptography and machine identity management|Complete findingsToo much change and uncertaintyLack of skilled personnelInsufficient resources(time/budget)Lack of executive-level supportNo clear ownershipInadequate or fragmente

51、d management toolsOther41%41%41%40%33%33%31%36%27%25%26%23%1%2%2022202114Figure 4.Strategic priorities for digital security within their organizationThree responses permittedCrypto-agility remains the top strategic priority for machine identity management.Figure 4 provides a list of seven strategic

52、priorities for digital security.We asked respondents to indicate the three most important priorities for their organization this year.Fifty seven percent of respondents say that preparing for crypto-agility(e.g.,algorithm deprecation,post-quantum cryptography,or CA compromise)is a top strategic prio

53、rity for their organization,an increase from 51 percent of respondents in 2021.Reducing the risk of unknown or self-signed certificates(35 percent of respondents)and reducing complexity in IT infrastructure(55 percent of respondents)notably increased in strategic importance as well,when compared to

54、2021 findings.Trends in cryptography and machine identity management|Complete findingsPreparing for crypto-agilityReducing complexity in IT infrastructureInvesting in hiring and retaining qualified personnelSupporting cloud transformation and DevOps initiatives57%51%55%50%53%50%36%35%27%34%35%30%202

55、22021Reducing the risk of unknown or self-signed certificatesInvesting in PKI and certificate automation solutionsPreventing unexpected outages caused by expired certificates15More organizations are implementing a crypto center of excellence(CCoE).As shown in Figure 5,CCoE implementation has improve

56、d significantly,with 38 percent of respondents saying their organization has a mature strategy,compared to just 33 percent of respondents in last years study.A CCoE is intended to be a cross-functional team that provides leadership,defines ownership,and sets out guidance for the deployment and use o

57、f PKI and machine identities.A CCoE does not necessarily own and operate all the tools for PKI and machine identity management,but rather it servers as a center for policy,governance and best practices.Figure 5.Has your organization implemented a Crypto Center of Excellence(CCoE)?Trends in cryptogra

58、phy and machine identity management|Complete findingsYes,we have a mature CCoENo,but we plan to implement a CCoE in the next 6 monthsYes,but our CCoE is still immatureNo,we do not plan to implement a CCoE17%38%30%15%33%(2021)17%(2021)29%(2021)21%(2021)16As the volume of certificates grows and lifesp

59、ans shrink,worries mount.As shown in Figure 6,70 percent of respondents are concerned about the increased operational burden associated with more keys and certificates.At the same time,65 percent of respondents are concerned about the increased workload and risk of outages due to shorter SSL/TLS cer

60、tificate lifespans.Likely due to the growing use of PKI and digital certificates,lack of visibility is a top concern as well.Fifty-five percent of respondents say their organization does not know exactly how many keys and certificates(including self-signed)it has.Figure 6.Perceptions and concerns ab

61、out managing machine identitiesStrongly agree and agree responses combined.Trends in cryptography and machine identity management|Complete findingsIncreasing use of keys and certificates has significantly increased operational burden on my organizations teamsMy organization is concerned about the in

62、creased workload and risk of outages due to shorter SSL/TLS certificate lifespansMy organization does not know exactly how many keys and certificates(including self-signed)it has53%(2021)59%(2021)62%(2021)70%65%55%17Zero-trust emerged as the top trend driving the use of PKI and machine identities.Fi

63、fty-four percent of respondents say that zero trust security strategy is one of the most important trends driving the deployment of PKI,keys,certificates,and other secrets.Other important trends include cloud-based services(49 percent of respondents),remote workforce(45 percent of respondents),and I

64、oT devices(44 percent of respondents).Figure 7.The most important trends driving the deployment of PKI,keys,certificates and other secretsThree responses permitted.Trends in cryptography and machine identity management|Complete findingsZero trust security strategyCloud based servicesRemote workforce

65、(e.g.,VPN,MFA,etc.)IoT devicesDevOps(e.g.,apps,containers,service mesh)Mobile devicesRegulatory and compliance requirementsOther54%50%49%52%45%43%44%43%40%40%37%38%27%32%4%2%2022202118Every machine identity must be protected,but SSL/TLS certificates remain the top priority.Respon-dents were asked to

66、 rate the importance of managing and protecting different types of machine identities on a ten-point scale from 1(not important)to 10(very important).As shown in Figure 8,81 percent of respondents say SSL/TLS certificates are important or very important,followed by code signing keys(68 percent of re

67、spondents),user and device encryption keys(67 percent of respondents),and keys used for workload or database encryption(52 percent of respondents).Notably,respondents seem increasingly concerned about managing and protecting code-signing keys,compared to results from last years study.Figure 8.The im

68、portance of managing and protecting machine identitiesOn a scale from 1 not important to 10=very important.7+responses combined.Trends in cryptography and machine identity management|Complete findingsPublicly trusted SSL/TLS certificatesCode signing keysUser and device encryption keysPrivately trust

69、ed certificatesKeys used for cloud workload and database encryptionSSH keys and certificates81%82%68%64%67%70%61%64%52%65%60%63%2022202119PKI and certificate management practicesComplete findingsPKI is everywhere,but its trending toward the cloud.Figure 9 shows that the most common PKI and CA techno

70、logy remains internal private PKI software(e.g.,Microsoft CA,Keyfactor EJBCA,etc.).However,managed or SaaS-delivered PKI services(36 percent of respondents)and private CA services provided by a cloud service provider(31 percent of respondents)are increasingly popular options for PKI deployment.One-t

71、hird of respondents say their organization uses self-signed certificates(i.e.,certificates not signed by a certificate authority).Open-source tools like OpenSSL make self-signed certificates easy to gener-ate.However,compared to CA-signed certificates,self-signed certificates are less trustworthy an

72、d can introduce several risks in the organization.Figure 9.Which of the following PKI and CA technologies does your organization have?More than one response permitted.Internal private PKI softwareManaged or SaaS-delivered PKISelf-signed certificatesBuilt-in certificate issuers(e.g.,Kubernetes,HashiC

73、orp Vault,etc.)Private CA service provided by a cloud service providerPublic CA serviceOther47%36%34%33%31%28%4%20PKI skills shortage is still a challenge.Public key infrastructure(PKI)can require significant effort and expense to run internally.As shown in Figure 10,more than half of respondents(54

74、 percent)say they have 6 or more staff involved in deploying and managing PKI,yet in Figure 11,50 percent of respondents say its still not enough.That said,fewer respondents say their PKI is understaffed compared to last years report.Figure 10.How many full-time equivalent(FTE)staff are involved in

75、deploying and managing PKI within your organization?Figure 11.In your opinion,does your organization have enough IT security staff dedicated to PKI?PKI and certificate management practices|Complete findings%3%6%15%21%27%27%6%14%23%29%25%45%Yes(2021)55%No(2021)50%Yes50%No21Most organizatio

76、ns have hundreds of thousands of certificates across their IT landscape.According to respondents,organizations represented in this study have an average of 267,620 internally trusted certificates(e.g.,issued from an internal private PKI)versus an average of 1,942 publicly trusted certifi-cates(e.g.,

77、issued from an SSL/STLS vendor,such as GoDaddy,DigiCert,Entrust,Lets Encrypt,etc.).Figure 12.How many public SSL/TLS certificates does your organization have?Figure 13.How many internally trusted certificates does your organization have?PKI and certificate management practices|Complete findings50100

78、1k5k505,0001 million11%7%7%9%16%10%20%20%21%23%14%14%7%9%4%8%22How are certificates being managed?In Figure 14,44 percent of respondents say their organization uses a dedicated certificate lifecycle management solution to track and manage certificates,a significant increase from 36 percent of respon

79、dents in the 2021 study.However,its also evident that many teams still rely on multiple disconnected and manual tools to track certificates,including tools provided by their SSL/TLS provider(44 percent of respondents),spreadsheets(42 percent or respondents),and homegrown and open-source tools(38 per

80、cent of respondents).Figure 14.How does your organization track and/or manage its certificates?More than one response permitted.Dedicated certificate lifecycle management solutionSpreadsheetsTools provided by SSL/TLS certificate vendorHomegrown tools(e.g.,open-source tools,database,scripts,etc.)PKI

81、and certificate management practices|Complete findings44%38%44%42%36%(2021)40%(2021)44%(2021)33%(2021)23Visibility and automation are essential for PKI and certificate management.Figure 15 lists six features or capabilities of PKI and certificate management solutions.We asked respondents to indicate

82、 the three most important features when considering a solution for their organization.While many features were considered important,complete visibility and inventory of all certificates(57 percent of respondents)and lifecycle automation(60 percent of respondents)emerged as the most important feature

83、s for PKI and certificate management.Figure 15.The most important features in choosing a PKI and certificate management solutionThree responses permitted.PKI and certificate management practices|Complete findingsLifecycle automationComplete visibility and inventory of all certificatesSupport for mul

84、tiple certificate authorities(CAs)Flexible deployment options(e.g.,on-premises,SaaS,hybrid)Extensibility(e.g.,integrations,APIs,protocol support)Detailed auditing and reportingOther60%57%49%48%44%37%5%24Adherence to standards and managed services are the most important features in a PKI solution.Fig

85、ure 16 lists six features or capabilities of PKI solutions(i.e.,certificate authority software or services).We asked respondents to indicate the three most important features when considering a PKI solution for their organization.The top two features considered important for a PKI solution were adhe

86、rence to standards and certi-fications(40 percent of respondents)and 24/7 managed services or PKI as a Service(39 percent of respondents).Due to the skills shortage highlighted in Figure 3 and Figure 11,it makes sense for organi-zations to use managed PKI services versus investing time and resources

87、 into running PKI internally.Figure 16.The most important features in choosing a PKI solutionTwo responses permitted.PKI and certificate management practices|Complete findingsAdherence to standards and certifications24/7 managed services(e.g.PKI as a Service)Support for protocols(e.g.,SCEP,ACME,EST,

88、CMP,etc.)Ease of installation and configurationFlexible deployment options(e.g.,software,hardware,SaaS)Scalability and performanceOther40%39%34%33%28%23%3%25In this section,we asked respondents if they are involved in code signing operations.Responses from individuals who said they are not involved

89、were excluded from the following analysis.Fifty two percent of overall survey respondents(640)are involved in code signing operations.Of those respondents,57 percent say there are at least 10 or more code signing certificates in use across their organization,as shown in Figure 17.While the volume of

90、 code signing certificates is insignificant when compared to SSL/TLS certificates,for example,the risk associated with these machine identities is often considered much higher.If a code signing key is compromised,an attacker can use it to sign malicious code and impersonate trust,a serious breach of

91、 trust.Figure 17.How many code signing certificates do you have in your organization?Code signing practicesComplete findings1-5 6-1011-%25%27%17%13%26Code signing keys are stills found on build servers and developer workstations.Hardware security modules(HSMs)and secure smartcards or USBs

92、 are often used to centrally store and protect private keys associated with code signing.However,many respondents say that code signing keys are stored locally on build servers(37 percent of respondents)or developer workstations(17 percent of respondents).Figure 18.Where are code signing keys stored

93、 in your organization?More than one response permitted.Code signing practices|Complete findingsHardware security moduleSmartcard or removable USBBuild serversDeveloper workstations58%51%49%45%37%33%17%19%2022202127How are code signing keys protected?In addition to securely storing private code signi

94、ng keys,proper access controls are critical to prevent unauthorized use or theft of code signing keys.According to Figure 19,only 47 percent of respondents say their organization has formal access control and approval processes for code signing keys.That said,this is a significant improvement from o

95、nly 36 percent of respondents in the 2021 study.Figure 19.Does your organization have a formal access control and approval process for code signing keys?Code signing practices|Complete findings60%(2021)4%(2021)36%(2021)50%3%47%YesNoUnsure28Responsibility for managing and protecting code signing keys

96、 in unclear.Respondents were asked who in their organization is responsible for the management and protection of code-signing keys.As seen in Figure 20,there have been no significant shifts in responsibility.Since there are many teams involved in the code signing,from developers or engineers signing

97、 code and artifacts,to IT or security teams managing the security of code-signing certificates,it comes as no surprise that responsibility for the overall process is unclear.Figure 20.Who is responsible for managing and protecting code signing keys?Code signing practices|Complete findingsSenior Deve

98、loper/ManagementDevelopersIT OperationsIT SecurityNo one function is responsible13%12%21%23%31%28%24%24%11%13%2022202129Secure key storage and integration with native signing tools are critical.Figure 21 lists six features or capabilities of code signing solutions.We asked respondents to indicate th

...the two most important features when considering a code signing tool for their organization. Protecting sensitive code signing keys is critical, but developers and engineers also need the ability to sign code quickly and easily within their existing workflows. This was exemplified in the survey results, with secure key storage (56 percent of respondents) and integration with native signing tools (54 percent of respondents) ranked far more important than other features.

Figure 21. The most important features in a code signing solution (two responses permitted)
Secure key storage (e.g., HSM, virtual HSM)                              56%
Integration with native signing tools (e.g., Jarsigner, Signtool, etc.)  54%
Ease of integration with development processes and workflows             37%
Policy and workflow enforcement                                          33%
Auditing and reporting                                                   11%
Time-stamping capabilities                                                9%

SSH identity management practices

In this section, we asked respondents if they are familiar with their organization's use of SSH identities. Responses from individuals who said they are not familiar were excluded from the following analysis.

SSH password-based authentication is still prevalent. Eighty-two percent of respondents (1,009) say they are at least somewhat familiar with their organization's use of SSH identities. Of those respondents, 59 percent say their organization uses password-based authentication for SSH connections, a surprising increase from 50 percent of respondents in last year's study. Passwordless methods, such as SSH keys and certificates, are generally considered much more secure than password-based authentication since passwords are easily susceptible to hacks. Keys and certificates offer a more seamless and secure method for SSH connections.

Figure 22. Which SSH credentials are used in your organization? (more than one response permitted)
                                    2022   2021
SSH password-based authentication    59%    50%
SSH keys                             52%    52%
SSH certificates                     44%    46%
Unsure                                8%     5%

How are SSH identities managed? Fifty-nine percent of respondents say their organization has no centralized management for SSH identities, leaving admins to manage their own credentials. Another 51 percent of respondents say they use some form of manual tracking, while only a few respondents use a privileged access management solution (25 percent) or a dedicated SSH key management solution (22 percent) to manage SSH identities.

Figure 23. How does your organization manage SSH credentials? (more than one response permitted)
                                           2022   2021
No centralized management                   59%    53%
Manual tracking                             51%    47%
Formal key management policy                38%    37%
Privileged access management (PAM) tool     25%    25%
SSH key management solution                 22%    21%
Unsure                                       4%     4%

SSH identities are largely untracked and unmanaged. SSH passwords, keys and certificates are widely used across the organization, but many respondents (48 percent) say they still do not have an accurate inventory of SSH credentials, or they are unsure (3 percent). As seen in Figure 25, 51 percent of respondents say their organizations rotate SSH identities regularly (at least quarterly), but many only rotate credentials less than annually (21 percent of respondents) or not at all (25 percent of respondents).

Figure 24. Do you have an accurate inventory of SSH credentials in your organization?
           2022   2021
Yes         49%    40%
No          48%    57%
Unsure       3%     3%

Figure 25. How often does your organization rotate SSH credentials?
                                   2022          2021
Never                               25%           26%
Less than once a year               21%           21%
Annually and At least quarterly     22% and 29%   22% and 28% (the extracted figure does not preserve which value belongs to which of these two categories)
Unsure                               3%            3%
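The audit that the three findings above call for (password authentication still enabled, credentials with no inventory record, credentials not rotated at least quarterly), as an added example that is not code from the report, Keyfactor or Ponemon. It reads constructed sshd_config fragments, authorized_keys files and an owner/rotation inventory; every host name, key blob, owner, date and the 90-day threshold is a constructed assumption.

```python
"""SSH identity audit: password auth left on, keys with no inventory record,
and keys not rotated within a quarter. Added example, not code from Keyfactor
or Ponemon; every host, key blob, owner and date below is constructed."""
import re
from datetime import datetime, timezone

ROTATION_DAYS = 90  # assumption: "at least quarterly" means anything older than 90 days is stale

# Constructed sshd_config fragments keyed by host (a collector would read
# /etc/ssh/sshd_config). OpenSSH uses the first uncommented value it finds
# and defaults PasswordAuthentication to yes when the directive is absent.
SSHD_CONFIGS = {
    "bastion-01": "PasswordAuthentication no\nPubkeyAuthentication yes\n",
    "db-02": "# PasswordAuthentication no\nPasswordAuthentication yes\n",
    "app-03": "PubkeyAuthentication yes\n",
}

# Constructed authorized_keys contents keyed by host (key material is fake).
AUTHORIZED_KEYS = {
    "bastion-01": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE0001 alice@laptop\n",
    "db-02": ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFAKE0002 deploy\n"
              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE0003\n"),
    "app-03": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE0001 alice@laptop\n",
}

# Constructed inventory: key blob -> owner and the date the key was last rotated.
INVENTORY = {
    "AAAAC3NzaC1lZDI1NTE5AAAAIFAKE0001": {"owner": "alice", "rotated": "2022-01-15"},
    "AAAAB3NzaC1yc2EAAAADAQABFAKE0002": {"owner": "ci-deploy", "rotated": "2021-06-01"},
}


def parse_date(value):
    """Parse a YYYY-MM-DD date as an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def password_auth_enabled(sshd_config):
    """True unless the first uncommented PasswordAuthentication line says no.
    Match blocks are not evaluated; a real collector would parse sshd -T output."""
    for line in sshd_config.splitlines():
        m = re.match(r"^\s*PasswordAuthentication\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() != "no"
    return True


def parse_authorized_keys(text):
    """Yield (key_type, key_blob, comment) per key line; blanks, comments and
    leading key options (from=, command=) are not handled in this example."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        yield parts[0], parts[1], parts[2] if len(parts) > 2 else ""


def audit(configs, authorized_keys, inventory, now, rotation_days=ROTATION_DAYS):
    """Return {finding: sorted list} for the three conditions the survey asks about."""
    findings = {"password_auth": [], "untracked": [], "stale": []}
    for host, cfg in configs.items():
        if password_auth_enabled(cfg):
            findings["password_auth"].append(host)
    for host, text in authorized_keys.items():
        for _, blob, _ in parse_authorized_keys(text):
            record = inventory.get(blob)
            if record is None:  # no owner on file: the "no accurate inventory" case
                findings["untracked"].append((host, blob[-8:]))
            elif (now - parse_date(record["rotated"])).days > rotation_days:
                findings["stale"].append((host, record["owner"]))
    return {k: sorted(v) for k, v in findings.items()}
```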

The impact of outages, machine ID compromise, and failed audits

Machine ID sprawl, caused by the expansive use of PKI, keys and certificates across the business, creates new risks and challenges. Without visibility or control over machine IDs, certificates often expire without notice, sensitive keys can be misused or compromised, and meeting compliance and audit requirements becomes much more difficult. In this section, we analyze the frequency, seriousness, and risk impact of three common incidents that result from mismanaged machine identities. Here, we've provided a quick breakdown of these incidents with examples of high-profile events from the past year.

Certificate outages: If an unknown or untracked certificate expires unexpectedly, it causes the application or service it's used to protect to stop working, resulting in downtime for users and customers.

Machine ID compromise: Attacks that leverage or target keys and digital certificates come in many forms, from small-scale business disruptions to large-scale, highly sophisticated hacks.

Failed audits: Unexpected audit findings due to poorly implemented PKI and cryptography practices result in potential fines or costly remediation efforts.

Epic Games outage: On April 6, 2021, Epic Games experienced a more than five-hour-long outage which halted their online store, frustrated gamers, and pulled away over 25 critical IT staff to remediate the damage. The root cause: a wildcard certificate used across hundreds of production servers was left untracked and expired without warning.

Attack on Nvidia: On February 25, 2022, news broke about a cyberattack on Nvidia. At least two of Nvidia's code-signing certificates were compromised, which attackers can use to digitally sign malicious code and bypass security defenses. Soon after the incident, at least two binaries found online and not developed by Nvidia had already been signed using the stolen keys.

Let's Encrypt expiration: On September 30, 2021, the intermediate root CA used by Let's Encrypt expired. Despite advance warnings, dozens of organizations failed to update their CA certificates, creating widespread disruptions to their services. The incident raised questions about organizations' ability to audit and effectively update their cryptographic assets.

Concerns about machine ID compromise and outages increase dramatically. Respondents were asked to rate the seriousness (Figure 26) and financial impact (Figure 27) of each incident on a scale from 1 (not serious/no impact) to 10 (very serious/high impact). Failed audits remain the most costly and serious incident related to mismanaged machine identities. That said, 61 percent of respondents say that theft or misuse of keys and certificates is a very serious concern, a significant increase from just 34 percent of respondents in 2021. While not as dramatic, respondents ranked the seriousness of unplanned outages higher as well, with 43 percent considering these incidents to be very serious.

Figure 26. The seriousness of machine identity-related incidents (on a scale of 1 = not serious to 10 = very serious; 7+ responses presented)
Figure 27. The financial impact of machine identity-related incidents (on a scale of 1 = not serious to 10 = very serious; 7+ responses presented)
                                                                    Figure 26 (seriousness)   Figure 27 (financial impact)
Failed audits or lack of compliance due to insufficient practices   74% (75% in 2021)         61% (53% in 2021)
Stolen or misused keys and certificates                             61% (34% in 2021)         40% (38% in 2021)
Unplanned outages due to expired certificates                       43% (34% in 2021)         43% (34% in 2021)

Failed audits are the most frequently experienced incidents. Respondents were asked to estimate the number of times each incident occurred in the past 24 months. Figure 28 shows that failed audits were the most frequently experienced incident. On average, respondents say their organizations experienced 4.4 failed audits in the past 24 months, followed by key misuse or theft (4.52 incidents) and unplanned outages due to expired certificates (3.29 incidents). As seen in Figure 29, the frequency of failed audits decreased noticeably from 2021 findings, while the frequency of unplanned outages increased, likely as a result of shorter SSL/TLS lifespans taking full effect.

Figure 28. The frequency of machine identity-related incidents in the past 24 months (bar chart of failed audits, misuse or theft, and outages by number of occurrences, from zero to 5 times and more; individual bar values are not recoverable from the extracted text)

Figure 29. Average number of times each incident occurred in the past 24 months (extrapolated values presented)
                    2022   2021
Failed audits       4.40   4.49
Misuse or theft     4.52   4.92
Outages             3.29   3.10

Time to recovery (TTR) from a certificate-related outage is slow. Respondents were asked, on average, how much time it takes for their teams to identify and remediate a certificate-related outage, including initial detection, locating the expired certificate, issuing a new certificate, replacing the expired certificate, and restarting services. More than one-third of respondents (38 percent) say it takes their teams more than 4 hours to recover from a certificate-related outage, while another 29 percent of respondents say it takes 3 to 4 hours to fully recover. Without visibility of certificates and their locations, or automated processes to renew and replace certificates, it can take teams hours, rather than minutes, to remediate certificate-related outages, not to mention preventing them in the first place.

Figure 30. On average, how much time does it take your teams to identify and remediate a certificate-related outage?
More than 4 hours    38%
3 to 4 hours         29%
Shorter recovery times: 22% and 11% (the labels of these two categories did not survive extraction)

Failed audits are most likely to occur in the next 24 months. Respondents were asked about the likelihood of these incidents occurring in the next 24 months, with options to select very likely, likely, somewhat likely, and not likely. As seen in Figure 31, 68 percent of respondents say their organization is likely to experience a failed audit due to insufficient key and certificate management practices, followed closely by unplanned outages (63 percent of respondents).

Figure 31. The likelihood of these incidents occurring in the next 24 months (likely and very likely responses combined)
Failed audits or lack of compliance due to insufficient practices   68%
Stolen or misused keys and certificates                             50%
Unplanned outages due to expired certificates                       63%
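The inventory checks that shorten the time to recovery described above, or prevent the outage patterns in the incident breakdown, as an added example that is not code from the report, Keyfactor or Ponemon. It runs over a constructed certificate inventory and flags certificates that are expired or inside the renewal window, leaves whose issuing CA expires before they do (the Let's Encrypt pattern), and a wildcard certificate deployed across many servers (the Epic Games pattern); host names, subjects, issuer names, dates and both thresholds are constructed assumptions.

```python
"""Certificate inventory check for the outage patterns in the report.
Added example, not code from Keyfactor or Ponemon. The inventory and issuer
table are constructed; a real inventory would come from a network scan or a
certificate lifecycle management tool."""
from collections import Counter
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW_DAYS = 30    # assumption: renew anything that stops validating within 30 days
WILDCARD_SPREAD_LIMIT = 25  # assumption: a wildcard on more than 25 hosts is an outage blast radius

# Constructed issuing-CA expiry table (ISO 8601, UTC).
ISSUERS = {
    "Example Intermediate R1": "2025-06-01T00:00:00Z",
    "Example Intermediate R2": "2030-01-01T00:00:00Z",
}

# Constructed leaf inventory: one wildcard reused on 40 web servers, an API
# cert whose issuing CA expires before it does, an already-expired legacy
# cert, and one healthy cert.
INVENTORY = [
    {"host": f"web-{i:03d}", "subject": "*.shop.example.test",
     "issuer": "Example Intermediate R2", "not_after": "2025-05-20T00:00:00Z"}
    for i in range(40)
] + [
    {"host": "api-01", "subject": "api.example.test",
     "issuer": "Example Intermediate R1", "not_after": "2025-09-01T00:00:00Z"},
    {"host": "legacy-01", "subject": "legacy.example.test",
     "issuer": "Example Intermediate R2", "not_after": "2025-04-01T00:00:00Z"},
    {"host": "mail-01", "subject": "mail.example.test",
     "issuer": "Example Intermediate R2", "not_after": "2027-01-01T00:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def effective_expiry(cert, issuers):
    """A leaf stops validating when it OR its issuing CA expires, whichever is first."""
    return min(parse_ts(cert["not_after"]), parse_ts(issuers[cert["issuer"]]))


def days_left(cert, issuers, now):
    """Whole days until the certificate stops validating (negative once expired)."""
    return (effective_expiry(cert, issuers) - now).days


def audit(inventory, issuers, now, window_days=RENEWAL_WINDOW_DAYS,
          spread_limit=WILDCARD_SPREAD_LIMIT):
    """Return {finding: sorted hosts or subjects} for the outage conditions."""
    findings = {"expired": [], "expiring": [], "chain_expires_first": []}
    for cert in inventory:
        remaining = days_left(cert, issuers, now)
        if remaining < 0:
            findings["expired"].append(cert["host"])
        elif remaining <= window_days:
            findings["expiring"].append(cert["host"])
        # Let's Encrypt pattern: the leaf looks fine but its chain expires first.
        if parse_ts(issuers[cert["issuer"]]) < parse_ts(cert["not_after"]):
            findings["chain_expires_first"].append(cert["host"])
    # Epic Games pattern: one wildcard certificate deployed across many servers.
    spread = Counter(c["subject"] for c in inventory if c["subject"].startswith("*."))
    findings["wildcard_spread"] = [s for s, n in spread.items() if n > spread_limit]
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for finding, items in audit(INVENTORY, ISSUERS, datetime.now(timezone.utc)).items():
        print(f"{finding}: {len(items)} -> {items[:5]}")
```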

4 steps to successful machine identity management

In this section, Keyfactor provides steps that organizations can take to improve their machine identity management strategy and recommended resources to support these efforts.

1. Establish a Crypto Center of Excellence (CCoE) for your organization. In the study, only one-third of organizations identified a mature crypto center of excellence (CCoE) in their business. Technology is an obvious ingredient in machine identity management. However, the proper implementation of technology relies on the right foundation of people, processes, and practices. According to Gartner, organizations should "Define ownership of tools, keys, secrets and certificates respectively. Use the guidance to move the PKI team from an 'in the way' management structure to a delegated management structure by focusing on the guardrails and policies more than the centralization of tools."*

2. Invest in your machine identity management toolset to help improve security and automate processes. Investing in your machine identity management toolset can help your organization improve visibility, accelerate incident response and productivity with automation, and standardize security controls by integrating with existing tools and applications. Use best practices established by your CCoE to audit your machine identity landscape, determine where gaps exist, and find tools and processes that fit the unique requirements of different teams within your organization, including:
- PKI and certificate management
- SSH key management
- Privileged access management (PAM)
- Enterprise code signing
- Secrets managers
- Key management systems (KMS)
- Hardware security modules (HSMs)
- Managed PKI services

* Gartner, Solution Comparison for PKI and Certificate Management Tools, 2 March 2021, Erik Wahlstrom, Paul Rabinovich

3. Build crypto-agility into your incident response plans. In the report, respondents identified crypto-agility as a leading strategic priority for digital security. Algorithms evolve, certificates expire, and with the advent of quantum computing, the threat of sudden and unpredictable crypto-compromises is a serious risk. The worst time to evaluate your risk is after a compromise has already occurred. IT and security leaders must understand which applications use cryptography, how to identify and replace vulnerable keys or algorithms, and prepare formal crypto-agile incident response plans.

4. Use managed crypto services to help close the skills gap. Forty percent of respondents in the study identified skills shortages as a barrier to setting an enterprise-wide crypto and machine identity strategy. Another 55% say they do not have sufficient staff dedicated to their PKI deployment. PKI and cryptography experts are hard to find and even harder to retain. A managed PKI or crypto-services provider can help significantly reduce infrastructure costs, mitigate risks, and eliminate the operational burden associated with running PKI in house.

Helpful resources

White paper: How to scale PKI and certificate management in hybrid and multi-cloud operations. The practical guide to managing decentralized PKI in a zero-trust, multi-cloud world. Watch this session for insight on: key risks and challenges in managing keys and certificates; where your organization is today in monitoring and securing machine identities; practical advice for developing a roadmap for machine identity management.

Industry report: 2022 Emerging Trends in Cryptography. Discover the top six security trends in cryptography for 2022 and what they mean for your organization.

Ebook: Why it's time to re-think your PKI. Migrating to the cloud? Here are 5 reasons to modernize your PKI.

Research methodology

This year's study included 1,346 survey respondents across a wide range of industries and geographies. The study examined organizations in the global region of Europe, the Middle East and Africa (EMEA), in addition to North America. A sampling frame of 31,205 IT security professionals in North America and EMEA was selected as participants for this survey. The table below shows 1,346 total returns. Screening and reliability checks required the removal of 115 surveys. Our final sample consisted of 1,231 surveys, or a 3.9 percent response rate. All respondents are familiar with their organization's PKI.

Sample response                  Frequency
Sampling frame                   31,205
Total returns                    1,346
Rejected or screened surveys     115
Final sample                     1,231
Response rate                    3.9%

Survey respondents

Here's a closer look at the 1,231 individuals who completed the survey in January 2022. Figure 32 shows the distribution of respondents by their role within the organization. By design, more than half (70 percent) of respondents are at or above the supervisory levels.

The largest category, at 23 percent of respondents, is manager.

Figure 32. Distribution of sample by role in company
Executive/VP         7%
Director            18%
Manager             23%
Supervisor          22%
Staff/technician    18%
Administrative       4%
Consultant           5%
Other                3%

Figure 33 shows the distribution of the 1,231 respondents by their department or team. The most prevalent departments were IT security/InfoSec, Engineering, IT Operations and Infrastructure.

Figure 33. Distribution of sample by department or team
IT Security/InfoSec    26%
Engineering            17%
IT Operations          15%
Infrastructure         14%
Networking              9%
DevOps/DevSecOps        9%
Risk & Compliance       8%
Other                   2%

Figure 34 shows the distribution of respondents by the size of their company (headcount). The sample was weighted relatively evenly across large, mid-size and small companies.

Figure 34. Distribution of sample by company size
More than 75,000      9%
25,001 to 75,000     12%
10,001 to 25,000     15%
5,001 to 10,000      18%
1,000 to 5,000       24%
Less than 1,000      22%

Figure 35 shows the distribution of organizations by industry. Thirteen industries were represented in this year's study. The largest sectors were financial services, industrial and manufacturing, public sector, technology and software, and healthcare and pharmaceuticals.

Figure 35. Distribution of sample by industry
Financial services             18%
Industrial & manufacturing     11%
Public sector                  10%
Technology & software           9%
Healthcare & pharmaceutical     9%
Services                        8%
Retail                          8%
Education & research            7%
Energy & utilities              6%
Consumer products               4%
Communications                  3%
Transportation                  3%
Agriculture & food services     1%
Other                           3%

Limitations

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are familiar with their organization's PKI. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.

About Ponemon Institute and Keyfactor

The 2022 State of Machine Identity Management Report was a joint effort between Ponemon Institute and Keyfactor. The research is conducted independently by Ponemon Institute, and results are sponsored, analyzed and published by Keyfactor.

The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

Keyfactor is the machine and IoT identity platform for modern enterprises. The company helps security teams manage cryptography as critical infrastructure by simplifying PKI, automating certificate lifecycle management, and enabling crypto-agility at scale. For more information, visit or follow us on LinkedIn, Twitter, and Facebook. Built on a foundation of trust and security, Keyfactor is a proud equal opportunity employer, supporter and advocate of growing a trusted, secure, diverse and inclusive workplace.
