1、State of Machine Identity ManagementForewordThe challenges of identity and access management(IAM)continue to grow.The ongoing evolution in the workplace employees working remotely,high turnover rates,and economic pressures still in place as the pandemic eases creates a turbulent environment for thos

2、e tasked with IAM.One response has been the continued rapid growth of machines as part of the workforce.This has resulted in more servers,IoT devices,containers,applications,and end-user devices as organizations scramble to improve customer responsiveness while improving efficiency.Last year I obser

3、ved that the forces driving this growth of the machine workforce were only going to accelerate.I am not prescient;the trends are very clear.Yet as these organizations incorporate machines into their ecosystems,identifying and providing them with an identity(and then managing it)has become more diffi

4、cult.More than 60%of respondents to our third annual State of Machine Identity Management Report with the Ponemon Institute said they do not know how many keys and certificates they have which is 7%more than last year.The embrace of zero trust,whether in a government agency or a corporation,the incr

5、eased use of IoT devices,and the adoption of cloud-based services are all driving the deployment of keys,PKI,and certificates.As a result,finding ways to get a handle on the challenge and reducing the complexity of the PKI environment is one of this years top priorities.And new challenges are arisin

6、g.Concerns about a post-quantum world,where quantum computers hold the potential for being able to break current cryptographic algorithms,are increasing,and the understanding that most cryptographic providers will need to migrate to new quantum-resistant ones is driving organizations to rethink PKI

7、and invest in certificate management to address these concerns.These are just a few of the findings in this years report.It makes clear that the IAM landscape is continuing to change rapidly,and organizations are struggling to keep up with those changes.But there are signs of progress.More organizat

8、ions than ever understand the importance of having an overall MIM strategy that can be applied across their enterprises.Included in that is a recognition of the importance of visibility into PKI use and distribution and an inventory of all assets.The 2023 State of Machine Identity Management Report

9、reflects many of the day-to-day experiences Keyfactor encounters in engaging security leaders,developers,and engineers to identify organizational obstacles to effective identity management for both humans and machines.It also illuminates the challenges and possible solutions organizations of all siz

10、es are experiencing.We hope you find it as enlight-ening and helpful as we find the exciting work and research we are conducting in this field.Chris HickmanChief Security Officer(CSO)2ContentsForeword 2Executive summary 4Introduction 4Key findings 6Complete findings 9Strategies and trends in PKI and

11、 machine idenitity management 10PKI and certificate management practices 19Code signing practices 28SSH identity management practices 35The impact of outages,key misuse,and failed audits 39Recommendations 48Research methodology 52Respondent demographics 53Research limitations 58About Keyfactor and P

12、onemon 593IntroductionWelcome to the third annual State of Machine Identity Management report,an in-depth look at the role of PKI and machine identities in establishing digital trust and securing modern enterprises.Within the overarching domain of identity and access management(IAM),machine identity

13、 management(MIM)focuses on managing device and workload identities,such as X.509 certificates,SSH credentials,code signing keys,and encryption keys.In this report,we explore findings from a survey independently conducted by the Ponemon Institute and published by Keyfactor,the identity-first security

14、 solution for modern enterprises.The report provides insights into how organizations are deploying and managing PKI and machine identities and what challenges and risks are top of mind as the role of PKI and machine identities continues to evolve and become more complex.This year,we analyzed survey

15、responses from 1,280 individuals across North America,Europe,the Middle East,and Africa(EMEA).Survey respondents work in all areas of the IT organization,from information security to infrastructure,operations,and development.The findings from this years survey show that an effective machine identity

16、 management strategy is critical to keeping track of all machines to ensure each one has appropriate access permission.As shown in this research,responsibility for deploying and managing PKI is dispersed throughout organizations.One of the consequences of no clear ownership is that less than half(47

17、 percent)of organizations have an enterprise-wide strategy for managing PKI and machine identities.Only 31 percent of respondents say their organizations have a mature machine identity working group.1,280122Survey respondentsIndustriesGlobal regionsExecutive summary4The results of this years survey

18、show that zero-trust strategies,IoT devices,and cloud-based services are driving further use of PKI,keys,and digital certificates in the enterprise.However,shorter certificate lifecycles have made it much more difficult to keep pace with certificate issuance and management.Moreover,53 percent of res

19、pondents say their organizations do not have enough staff and resources dedicated to their PKI deployment.In short,this growth is leading to significant challenges and most organizations do not have enough team members to keep pace with the change and the challenges presented by todays enterprise PK

20、I infrastructure.A prominent theme throughout the research is the growing need to reduce the complexity of PKI infrastructure.For the first time,the top strategic priority for digital security in organizations is reducing complexity in their PKI infrastructure,an increase from 50 percent in 2021 to

21、58 percent this year.Seventy-four percent of respondents,an increase from 61 percent in 2021,say their organizations are deploying more cryptographic keys and digital certificates.As a result,this has significantly increased the operational burden on their organizations teams,according to 72 percent

22、 of respondents,up from 62 percent in 2021.A key takeaway from this years report is that complexity is increasingly recognized as the enemy of a secure PKI infrastructure and makes organizations vulnerable to data breaches.Contributing to complexity is the exponential increase in the number and vari

23、ety of machines with different keys and certificates required.The ongoing evolution in the workplace employees working remotely,high turnover rates,and economic pressures still in place as the pandemic eases creates a turbulent environment for those tasked with IAM.Introduction|Executive summary5Key

24、 findingsExecutive summaryThe key findings described here are based on Keyfactors analysis of the research data compiled by the Ponemon Institute.PKI for IoT and DevOps is on the riseWFH trend declines post-pandemicPKI continues to be a critical component in zero-trust strategy and cloud security.Ho

25、wever,theres been a notable increase in usage of PKI to secure emerging DevSecOps and IoT environments,with the number of respondents indicating IoT as a top trend increasing from 43 percent in 2021 to 49 percent in 2023.DevSecOps similarly increased in impor-tance,with 40 percent of respondents say

26、ing it is a top use case in 2021 compared to 45 percent this year.Skills shortage is getting worsePKI experts are hard to find and retainCISOs and security teams are grappling with a labor shortage,and its taking a toll on PKI and machine identity strategy.In fact,respondents say that lack of skille

27、d personnel and too much change and uncertainty are the two biggest challenges facing their teams today.Its not just impacting strategy,though,with 53 percent of respondents saying they dont even have enough staff to deploy and maintain their PKI effectively,up from 50 percent in 2022.Decentralized

28、PKI is the new normCA sprawl is a serious challengePKI is everywhere,with different teams leveraging different tools to issue certificates from internal CAs and self-signed certificates to cloud-based PKI and CAs built into DevOps tooling.On average,respon-dents estimate they have 9 different CA and

29、 PKI solutions in use across the organization.Unsurprisingly,reducing complexity in PKI infrastruc-ture became the top strategic priority for machine ID management in 2023,as teams struggle to regain control and prevent the sprawl of non-compliant and untrusted CAs.Zero-trust strategyIoT devicesClou

30、d servicesDevSecOpsMobile devicesRemote workforce50%49%48%45%41%38%9Average number of different PKI and certificate authority(CA)solutions used within organizations53%Say they dont have enough staff to deploy and maintain their PKI6More certificates,more problemsIf you cant manage themFor the third

31、consecutive year,the average number of internally trusted certificates(i.e.,certificates issued from an internal private PKI)increased significantly,from 231,063 in 2021 to 255,738 in 2023.With more certificates,teams responsible for PKI are struggling to maintain visibility and control.Sixty-two pe

32、rcent of respondents say they dont know exactly how many keys and certificates they have,up from 53 percent of respondents in 2021.Outages are hitting organizations hardWhat happens when certs expire unexpectedlyIf left untracked or ignored,certificates expire unexpectedly,causing applications and s

33、ervices to stop working.Most respondents(77 percent)report experiencing at least two of these incidents in the past 24 months.Certificate-related outages arent a trivial incident,with 55 percent of respondents saying these outages caused severe disrup-tion to customer-facing services.Another 50 perc

34、ent say these events caused major disruption to internal users or a subset of customers.Time to recovery(TTR)is slowWithout visibility or automationSo,what happens when an outage strikes?According to respondents,it takes an average of nearly 4 hours to identify and remediate a certificate outage,whi

35、ch involves identifying the root cause,finding the expired certificate,then re-issuing and provisioning it to all affected services.Respondents say an average of 11 staff are directly involved in remedi-ating these outages when they occur,pulling them away from priorities and into incident response

36、tasks.Code signing usage is expandingNot just for software anymoreThe definition of“code”is changing.As teams shift to developer-driven,software-defined infrastructure,they are signing more than just software deliverables.According to respondents,use cases for signing range from software and firmwar

37、e to artifacts,scripts,and containers.Virtually every company is signing software in some shape or form,but responses are based on each respondents individual perspective.256kAverage number of internally trusted certificates within organizations77%Say their organization experienced at least two sign

38、ificant outages caused by expired certificates in the past 24 months3.79hrsThe average time it takes teams to identify,remediate,and recover from certificate-related outagesKey findings|Executive summarySoftwareArtifactsContainersFirmwareDocumentsScripts60%54%50%41%40%33%7Key findings|Executive summ

39、aryCode signing keys are vulnerableBut security practices are improvingRecent incidents involving the theft and abuse of code signing keys highlight the need to protect them against would-be attackers.Unfor-tunately,more than half of respondents(56 percent)say they are not confident in their ability

40、 to protect keys against theft or misuse.While many organizations still store sensitive keys on build servers or worksta-tions,where they are vulnerable to attack,68 percent of respondents say they have adopted best practice use of an HSM to generate and store keys,an increase of 17 percent since 20

41、21.Executives are paying attentionMachine identity isnt just a tech problemWithout support from the C-level,priorities will always fall elsewhere.The good news is that only 22 percent of respondents say lack of execu-tive support was a serious issue in setting an enterprise strategy for PKI and mach

42、ine identity management,down significantly from 36 percent of respondents in 2021.Bottom line is,executive awareness is growing around the need to invest in the right tools,people,and processes for machine identity management.68%Say their organization stores code-signing keys within an HSM22%Say lac

43、k of executive-level support is a serious challengeOnly8In this section,we analyze the complete findings of the research.We have organized the topics in the following order:1.Strategies and trends in PKI and machine identity management2.PKI and certificate management practices3.Code signing practice

44、s4.SSH identity management practices5.The impact of outages,key misuse,and failed auditsComplete findings9Strategies and trends in PKI and machine identity managementComplete findingsMachine identity management is gaining traction,but organizational hurdles stand in the way.As shown in Figure 1,47 p

45、ercent of respondents say they have an overall strategy for managing PKI and machine identities,such as keys,certificates,and secrets,an increase from 40 percent in 2021.Machine identities,as opposed to human or user identities,are becoming an increasingly important piece of the identity and access

46、management(IAM)landscape.However,Figure 2 shows that its still unclear who owns identity and access management(IAM)strategy,never mind where machine identities fit in.We have an overall machine identity management strategy that is applied consistently across the entire enterpriseWe have a limited ma

47、chine identity management strategy that is applied to certain appli-cations or use casesWe do not have a machine identity management strategy Figure 1Does your organization have an enterprise-wide strategy for managing PKI and machine identities?42%(2022)40%(2021)42%(2022)43%(2021)16%(2022)18%(2021)

48、19%34%47%10Figure 2Who is responsible for Identity and Access Management (IAM)within your organization?Strategies and trends in PKI and machine identity management|Complete findingsA machine identity working group could be the solution.If a developer or engineer asks how to attain a certifi-cate as

49、they deploy a new service,who do they consult with?The answer is they need insight from several teams to gather the right information and make the right decisions,which could include PKI,I&O,DevOps,and IAM.Bottom line,it requires cross-functional collaboration.Once formed,a cross-functional machine

50、identity working group can define guidelines and best practices for issuing and managing certificates and other machine IDs,making tooling decisions,and setting clear policies.As seen in Figure 3,50 percent of respondents say their organization has an established machine identity working group at va

51、rying levels of maturity.No defined teamIT SecurityIT OperationsNetworkRisk and complianceDedicated IAM teamDevSecOpsOther21%20%19%17%10%6%6%1%11Strategies and trends in PKI and machine identity management|Complete findingsFigure 3Does your organization have a team or working group dedicated to PKI

52、and machine identity management?31%19%Yes,we have a mature machine identity working group that provides leadership,research,implementation,strategy,ownership and best practicesYes,but our machine identity working group is still immature28%22%No,but we plan on implementing a machine identity team or

53、working group within the next 6 monthsNo,and we do not have plans to implement a machine identity team or working groupIoT and DevOps are the fastest-growing use cases for PKI and machine IDs.Figure 4 shows the most important trends driving the deployment of PKI,keys,certificates,and other secrets.Z

54、ero trust strategy and cloud-based services remain top trends for PKI,consistent with results from previous years.IoT devices(49 percent of respondents)and DevOps/DevSecOps(45 percent of respondents)represent the fastest-growing trends,up from 43 percent and 40 percent of respondents in 2021,respect

55、ively.Conversely,the importance of the remote workforce has decreased from 43 percent of respondents in 2021 to 38 percent of respondents in this years report,likely due to a post-pandemic shift in priorities.12Strategies and trends in PKI and machine identity management|Complete findingsFigure 4The

56、 most important trends and use cases driving deployment of PKI,keys,certificates,and other secretsThree responses permitted202320222021Zero trust security strategyIoT devicesCloud based servicesDevOps/DevSecOps(e.g.,apps,containers,service mesh)Mobile devicesRemote workforce(e.g.,VPN,MFA,etc.)Regula

57、tory and compliance requirementsOther50%54%50%49%44%43%48%49%52%45%40%40%41%37%38%38%45%43%28%27%32%1%4%3%13Skills shortage and uncertainty are still the top challenges facing teams;fragmented tools are becoming a bigger problem.Figure 5 provides a list of six challenges involved in setting an enter

58、prise-wide strategy for PKI and machine identity management.We asked respondents to indicate the top two challenges facing their organization.Forty-two percent of respondents say that a lack of skilled personnel and too much change and uncertainty are top challenges,consistent with previous years.Ho

59、wever,there is a notable increase in respondents that say inadequate and fragmented management tools are a top challenge,increasing from 23 percent of respondents in 2021 to 31 percent of respondents in this years report.On a positive note,it appears executives are becoming more aware and supportive

60、 of the need for machine identity management,with only 22 percent of respondents saying lack of executive-level support is a top challenge,compared with 36 percent of respondents in 2021.Strategies and trends in PKI and machine identity management|Complete findingsLearn more The tech industry is in

61、flux and the demand for cybersecurity talent continues to surpass the resources available.Discover 3 strategies to navigate the cybersecurity labor shortage.14Figure 5Biggest challenges involved in setting enterprise-wide strategy for PKI and machine identity managementTwo responses permitted2023202

62、22021Too much change and uncertaintyLack of skilled personnelInadequate or fragmented management toolsInsufficient resources(time/budget)No clear ownershipLack of executive-level supportOther42%41%41%42%41%40%31%26%23%31%33%33%28%27%25%22%31%36%4%1%1%Strategies and trends in PKI and machine identity

63、 management|Complete findings15My organization does not know exactly how many keys and certificates(including self-signed)it has55%(2022)53%(2021)62%Strategies and trends in PKI and machine identity management|Complete findingsMore certificates create more problems,if organizations cant track or man

64、age them effectively.As shown in Figure 6,72 percent of respondents say the increasing use of key and certificates has significantly increased their operational burden,up from 62 percent of respondents in 2021.As the volume of certificates within organizations increases,visibility also becomes a ser

65、ious challenge.Sixty two percent of respondents say they dont know exactly how many keys and certificates(including self-signed)their organization has,compared to 53 percent of respondents in 2021.Misconfiguration of keys and certificates is also an increasing concern.In June 2022,NIST chose the fir

66、st group of algorithms to become part of its post-quantum cryptographic standard,expected to be finalized within two years.Forty-eight percent of respondents say they are concerned about their ability to adapt to these post-quantum algorithms,up from 44 percent last year,before the NIST announcement

67、.Figure 6Perceptions and concerns about managing machine identitiesStrongly agree and agree responses combinedIncreasing use of keys and certificates has significantly increased operational burden on my organizations teams70%(2022)62%(2021)72%16My organization is concerned about the ability to adapt

68、 to changes in cryptography(i.e.post-quantum algorithms)44%(2022)44%(2021)48%Misconfiguration of keys and certificates is an increasing concern in my organization55%(2022)55%(2021)58%Reducing PKI complexity,preventing certificate-related outages,and preparing for post-quantum cryptogra-phy top the l

69、ist of strategic priorities.Figure 7 provides a list of seven strategic priorities for machine identity management.We asked respondents to indicate the top three priorities.As organizations increasingly rely on PKI and digital certificates to authenticate workloads and devices,its clear that teams a

70、re struggling to maintain visibility and control.Unsurprisingly,respondents say their top priorities are to reduce complexity in PKI infrastructure(58 percent)and prevent outages caused by expired certificates(53 percent).Forty-three percent of respondents say preparing for post-quantum cryptography

71、 is also a top priority.Strategies and trends in PKI and machine identity management|Complete findingsFigure 6 Cont.17Figure 7Strategic priorities for PKI and machine identity management in 2023Three responses permitted202320222021Reducing complexity in our PKI infrastructurePreventing unexpected ou

72、tages caused by expired certificates Preparing for post-quantum cryptographyInvesting in PKI and certificate automation solutionsReducing the risk of unknown or self-signed certificatesSupporting cloud transformation and DevOps initiativesInvesting in hiring and retaining qualified personnel58%55%50

73、%53%30%N/A43%57%51%40%34%35%37%35%27%35%36%N/A34%53%50%Strategies and trends in PKI and machine identity management|Complete findings*Note:additional response options were included in the 2022 and 2023 survey18PKI and certificate management practicesComplete findingsDecentralized PKI is the new norm

74、al.According to respondents,there are an average of 9 different certificate authorities(CA)and PKIs being used within organizations.As seen in Figure 9,respondents say that their PKI commonly includes a mix of internal private PKI(50 percent),CAs built into DevOps tools(35 percent),self-signed certi

75、ficates(33 percent),managed PKI services(33 percent),private CA services in the cloud(31 percent),as well as public CA services(25 percent).Gone are the days of one or two CAs behind the four walls of the datacenter.Today,different teams are using multiple CA and PKI deployments to support various l

76、evels of trust,use cases,and requirements for security and performance.While necessary,this results in new risks and challenges as PKI becomes more fragmented and complex,creating the need for control and consolidation,wherever possible.Figure 8How many different PKIs and Certificate Authorities(CAs

77、)are in use within your organization?1-2 solutions3-5 solutions6-10 solutions11-15 solutions15+solutions17%28%18%17%20%19Figure 9Which of the following PKI and certificate authority(CA)solutions are deployed in your organization?More than one response permitted202320222021Internal private PKI(e.g.,M

78、icrosoft CA/ADCS,EJBCA,etc.)Built-in certificate issuers(e.g.,Kubernetes,HashiCorp Vault,etc.)Self-signed certificates(e.g.,OpenSSL,CFSSL)Managed PKI services(e.g.,SaaS PKI or PKI as a Service)Private CA service provided by a cloud service providerPublic CA service(e.g.,DigiCert,Entrust,Lets Encrypt

79、,etc.)Other50%47%42%35%33%29%33%34%N/A33%36%N/A31%31%23%25%28%18%4%4%3%*Note:additional response options were included in the 2022 and 2023 surveyPKI and certificate management practices|Complete findings20PKI and certificate management practices|Complete findingsThe volume of internally trusted cer

80、tificates is growing fast.According to respondents,organizations repre-sented in this study have an average of 255,714 internally trusted certificates(i.e.issued from an internal PKI)and 1,024 publicly-issued SSL/TLS certificates(i.e.issued from an SSL/TLS provider or public CA).The average number o

81、f internally trusted certificates grew significantly over the past year,with an average of 235,084 reported in 2022.5,000Figure 10How many public SSL/TLS certificates does your organization have?2023202211%7%16%20%21%14%7%4%13%8%16%17%20%14%9%3%*Note:this question was not included in the 2021 survey

82、21Figure 11How many internally-trusted certificates does your organization have?2023202220211 million5%7%5%8%9%8%10%10%10%19%20%18%23%23%28%15%14%13%11%9%11%9%8%7%*Note:the extrapolated average value from 2022 has been corrected.The average number of internally trusted certificates within organizati

83、ons was 235,084 in 2022,not 267,620,as previously reported.PKI and certificate management practices|Complete findings22PKI and certificate management practices|Complete findingsHow are certificates being managed?Figure 12 shows that many organizations still rely on a patchwork of disparate and manua

84、l solutions to manage digital certificates.Forty-one percent of respondents use spread-sheets and/or homegrown tools,and another 42 percent of respondents use tools provided from their SSL/TLS certificate provider.Use of homegrown solutions to manage certificates has increased consistently year-over

85、 year,from 33 percent of respondents in 2021 to 41 percent in 2023.Figure 12How does your organization track and manage certificates?More than one response permitted202320222021Dedicated certificate lifecycle management solutionTools provided by SSL/TLS certificate vendorsSpreadsheetsHomegrown solut

86、ions(e.g.,open-source tools,database,scripts,etc.)44%44%36%42%44%44%41%42%40%41%38%33%23PKI and certificate management practices|Complete findingsFigure 13In your opinion,does your organization have enough resources and staff to deploy and maintain PKI effectively?50%(2022)55%(2021)50%(2022)45%(2021

87、)47%Yes53%NoLack of PKI staffing and resources still a problem.PKI isnt just software,its critical infrastructure.Without the right skills and expertise,its difficult to configure,deploy,and most importantly,maintain properly over its lifespan.As seen in Figure 13,more than half of respondents say t

88、hey do not have enough staff and resources to deploy and maintain PKI effectively,showing a relatively consistent year-over-year trend over the past three years.24PKI and certificate management practices|Complete findingsFigure 14Who is currently responsible for deploying and managing PKI at your co

89、mpany?Who is responsible for PKI?Figure 14 shows the different teams responsible for deploying and managing PKI within organizations represented in this study.IT and security teams are more commonly responsible for PKI,but IAM and infrastructure teams arent uncommon owners of PKI either.Seventeen pe

90、rcent of respondents say that there is no clear owner.Flexibility and visibility are critical to PKI and certificate management.Figure 15 lists six features or factors considered important when evaluating PKI solutions.Thirty-nine percent of respondents say that flexible deployment options,such as s

91、oftware,hardware,and SaaS-delivered PKI,are a critical feature,followed by adherence to standards and certifications(35 percent of respondents)and support for protocols(29 percent of respondents).Similarly,Figure 16 shows the most important features or capabilities of certificate management solution

92、s.Sixty-two percent of respondents say complete visibility and inventory of all certificates is an important capability.This comes as no surprise,considering 62 percent of organizations do not know how many keys and certificates they have,as shown previously in Figure 6.ITSecurityIAMInfrastructureNo

93、 clear ownerOther29%24%15%14%17%2%*Note:this question was not included in the 2021 or 2022 survey25Figure 15The most important features when evaluating PKI solutionsThree responses permitted20232022Flexible deployment options(e.g.,software,hardware,SaaS,etc.)Adherence to standards and certifications

94、Support for protocols(e.g.,SCEP,EST,CMP,ACME,etc.)Cost24/7 managed servicesScalability and performanceOther39%28%35%40%29%34%26%N/A25%39%18%23%4%3%*Note:this question was not included in the 2021 surveyPKI and certificate management practices|Complete findings26Figure 16The most important features w

95、hen evaluating certificate management solutionsThree responses permitted20232022Complete visibility and inventory of all certificatesLifecycle automation(i.e.automated renewal,provisioning,etc.)Flexible deployment options(e.g.,on-premises,hybrid,and SaaS)Detailed auditing and reportingSupport for mu

96、ltiple certificate authorities(CAs)Extensibility(e.g.,integrations,APIs,and protocols)Other62%57%53%60%52%48%47%37%45%49%37%44%4%0%*Note:this question was not included in the 2021 surveyPKI and certificate management practices|Complete findings27Code signing practicesComplete findingsIn this section

97、,we asked respondents if they are involved in code signing operations.Responses from individuals who said they are not involved were excluded from the following analysis.Code signing use cases are expanding.The definition of“code”has changed.As organizations shift toward a“Trust nothing,sign and ver

98、ify everything”approach,DevOps and security teams are leveraging code signing not just for the software they deliver to end-users,but also for scripts,containers,artifacts,and infrastructure as code used throughout the software development lifecycle(SDLC).Figure 17 shows that code signing is most of

99、ten used for software(60 percent of respondents),artifacts(54 percent),and containers(50 percent).For organizations that manufacture hardware or develop firmware,signing and verification are also critical to enable security features such as secure boot and secure over-the-air(OTA)updates.Figure 17Wh

100、at are the current use cases for signing within your organization?More than one response permittedSoftwareArtifactsContainersFirmwareScripts/Macros60%54%50%41%33%28Code signing practices|Complete findingsResponsibility to protect and manage code signing keys varies.Figure 18 reveals that organizatio

101、ns repre-sented in the 2023 study use an average of 23 code signing certificates to digitally sign software,artifacts,containers,and other digital assets.Sensitive private keys associated with code signing certificates must be securely managed and protected to avoid misuse or theft.As seen in Figure

102、 19,the responsibility to manage and protect these assets is divided between senior developers and management(12 percent of respondents),developers(24 percent),IT operations(29 percent),and IT security(24 percent).Another 11 percent of respondents say no one function is responsible.Figure 18How many

103、 code signing certificates do you have in your organization?2023202220211-56-1011-2021-5050+19%18%16%26%25%24%16%27%26%24%17%18%15%13%16%29Figure 19Who is most responsible for managing and protecting code signing keys?202320222021IT OperationsIT SecurityDevelopersSenior Developer/ManagementNo one fu

104、nction is responsible29%31%28%24%24%24%24%21%23%12%13%12%11%11%13%Code signing practices|Complete findings30Code signing practices|Complete findingsWhere are code signing keys stored?Code signing without protecting private keys exposes organizations to serious risk.The problem is that developers and

105、 the tools they use need access to these keys to sign code.As a result,private keys are often stored in easily accessible locations,such as servers or workstations,where they are inadvertently exposed to attackers that steal keys to sign and distribute malicious code masked as legitimate software.As

106、 shown in Figure 20,sixty-eight percent of respondents say they follow best practices by storing code signing keys within a hardware security module(HSM),a significant improvement.Another 46 percent of respondents say they store code signing keys in a smartcard or removable USB,which may or may not

107、be encrypted.Many respondents say that code signing keys are stored insecurely on build servers(39 percent)and developer workstations(19 percent).Figure 20Where are code signing keys stored in your organization?More than one response permitted202320222021Hardware security module(HSM)Smartcard or rem

108、ovable USBBuild serversDeveloper workstationsOther68%58%51%46%49%45%39%37%33%19%17%19%5%0%4%31Code signing practices|Complete findingsOrganizations lack formal code signing access controls.Its not enough to securely generate and store code signing keys.To prevent code signing abuse or misuse in toda

109、ys dispersed and automated CI/CD environments,organizations must implement policies and access controls that ensure only specific people,machines,and tools with the right permissions have the authorization to sign code.However,Figure 21 shows that less than half of respondents(47 percent)say their o

110、rganization has formal access control and approval processes in place for code signing keys.Figure 21Does your organization have formal access control and approval processes in place for code signing keys?50%(2022)60%(2021)3%(2022)3%(2021)47%(2022)36%(2021)47%Yes51%No2%Unsure32Organizations are not

111、confident in their ability to protect code signing keys.Unsurprisingly,only 30 percent of respondents say they are confident in their organizations ability to protect code signing keys against theft or misuse(7+responses combined),while 55 percent say they have little to no confidence(5 timesFailed

112、auditsMisuse or theftOutages6%2%8%8%5%15%10%9%20%10%13%16%19%20%20%21%30%14%26%21%7%4.194.373.00Failed AuditsMisuse or theftOutages43The impact of outages,machine identity compromise,and audit failures|Complete findingsCertificate-related outages disrupt critical systems.Outages caused by unexpected

113、 certificate expiration can wreak havoc on critical infrastructure from customer-facing applications and online storefronts to internal devices and networks.As shown in Figure 31,fifty-five percent of respondents say that certificate outages in the past 24 months resulted in severe incidents that ca

114、used major disruption to customer-facing services.Another 50 percent say outages triggered major incidents disrupting a subset of customers or internal users,while 59 percent say outages caused minor inconvenience to customers and internal users.Figure 31Which of the following incidents have occurre

115、d due to certificates unexpectedly expiring in the past 24 months?More than one response permittedMinor incident causing inconvenience to customers and/or internal usersMajor incident causing disruption of services to customers and/or internal usersSevere incident causing major disruption of custome

116、r-facing services55%50%59%44The impact of outages,machine identity compromise,and audit failures|Complete findingsTime to recovery(TTR)from a certificate-related outage is slow.Remediating a certificate-related outages isnt as simple as renewing the expired certificate;it involves identifying the ro

117、ot cause,locating the expired certificate,and then renewing,re-issuing,and provisioning the certificate to all affected systems before they can be restarted.Respondents were asked how long it takes their teams to identify and remediate certificate-related outages.As seen in Figure 32,forty-two perce

118、nt of respondents say it takes their teams more than 4 hours to recover,while another 26 percent of respondents say it takes 3 to 4 hours.On average,it takes organizations 3.79 hours to fully recover,compared to an average of 3.28 hours in last years study.Without visibility of certificates and thei

119、r locations,or the ability to automate renewal and provisioning,it can take teams hours,rather than minutes,to recover from these incidents,not to mention preventing these incidents from occurring in the first place.Figure 32On average,how much time does it take your teams to identify and remediate

120、a certificate-related outage?*Note:this question was not included in the 2021 survey4 Hours38%(2022)42%45The impact of outages,machine identity compromise,and audit failures|Complete findingsOutages pull multiple IT staff away from their day-to-day priorities.Respondents were asked,on average,how ma

121、ny staff members are directly engaged during a certificate-related outage,including those involved in diagnosing,resolving,and remediating the incident.According to respondents,an average of 11 staff are directly involved in remediating a typical certificate outage,with 46 percent saying it requires

122、 more than 11 staff.Figure 33How many staff members,on average,are directly involved during a typical outages caused by an expired certificate?2012%17%25%31%15%*Note:this question was not included in the 2021 or 2022 survey46The impact of outages,machine identity compromise,and audit fail

123、ures|Complete findingsMachine identity-related incidents expected to continue.Respondents were asked about the likelihood of audit failures,misuse or theft of keys and certificates,and certificate-related outages occurring within the next 24 months on a scale from not likely,somewhat likely,likely,a

124、nd very likely.As seen in Figure 34,a majority of respondents predict that these incidents are likely or very likely to continue in the next 24 months.The most likely incident to occur is failed audits or lack of compliance,followed by certificate outages,and misuse or theft of keys and certificates

125、.Figure 34The likelihood of these incidents occurring in the next 24 monthsLikely and very likely responses combinedFailed audits or lack of complianceStolen or misused keys and certificatesUnexpected outages due to expired certificates68%(2022)50%(2022)63%(2022)69%51%66%*Note:this question was not

126、included in the 2021 survey47RecommendationsFive steps to successful machine identity managementIn this section,Keyfactor provides steps that organizations can take to improve their machine identity manage-ment strategy and recommended resources to support these efforts.Establish ownership of Machin

127、e Identity.Clear ownership is imperative.In the study,78%of respondents said they have an immature or no machine identity management working group or team.Technology is an obvious consideration for machine identity management.However,properly implementing technology relies on the right foundation of

128、 people,processes,and practices.According to Gartner,organizations should“Define ownership of tools,keys,secrets and certificates respec-tively.Use the guidance to move the PKI team from an in the way management structure to a delegated management structure by focusing on the guardrails and policies

129、 more than the centralization of tools.”*Invest in your machine identity management.Investing in your machine identity management platform can help your organization improve visibility and accel-erate incident response and productivity.Automate and standardize security controls by integrating them w

130、ith existing tools,workflows,and applications.Use best practices established by your working group to audit your machine identity landscape,determine where gaps exist,and find tools and processes that fit the unique requirements of different teams within your organization,including:PKI and certifica

131、te management SSH key management Privileged access management(PAM)Enterprise code signing Secrets managers Key management systems(KMS)Hardware security modules(HSMs)Managed PKI services*Gartner,Solution Comparison for PKI and Certificate Management Tools,2 March 2021,Erik Wahlstrom,Paul Rabinovich 4

132、8Five steps to successful machine identity management|RecommendationsReduce complexity in your PKI infrastructure.For the first time,the top strategic priority for digital security in organizations is reducing complexity in the PKI infrastructure,an increase from 50 percent in 2021 to 58 percent in

133、this years research.More organiza-tions are making the prevention of unexpected outages caused by expired certificates a priority(53 percent of respondents vs.only 30 percent of respondents in 2022).Notably,74 percent of respondents,an increase from 61 percent in 2021,say their organizations are dep

134、loying more cryptographic keys and digital certificates.As a result,this has significantly increased the operational burden on their organizations teams,according to 72 percent of respondents,an increase from 62 percent in 2021.Reducing complexity is hindered by not having a mature machine identity

135、working group supported by enough resources.Only 31 percent of respondents say their organizations have a mature machine identity working group that provides leadership,research,implementation strategy,ownership,and best practices.Further,53 percent of respondents say their organizations do not allo

136、cate enough resources and staff dedicated to PKI deployment.Use managed services to help close the skills gap and alleviate the effects of the cybersecurity labor shortage.Forty-two percent of respondents in the study identified skills shortages as barriers to setting an enter-prise-wide cryptograph

137、y and machine identity strategy.Another 31%cite insufficient resources time and money as an obstacle.PKI and cryptography experts are hard to find and even harder to retain.A managed PKI or crypto-services provider can help significantly reduce infrastructure costs,mitigate risks,and eliminate the o

138、perational burden associated with running PKI in-house,especially during a global labor shortage.Code signing security should be an important part of machine identity management strategies.Code signing without securing private keys can expose organizations to significant risks.Software developers ar

139、e often required to sign code to support installation.Without secure code signing,attackers can compro-mise these keys to sign and distribute malicious code to an organizations customers masked as legitimate software or firmware.Respondents were asked how they are involved in code signing,and 71 per

140、cent said it is to sign code and software digitally.Sixty-one percent said they are responsible for managing these keys,and 50 percent of respondents audit and protect access to code signing keys.According to the research,the respondents most responsible for managing and protecting code signing keys

141、 are IT operations(29 percent),developers(24 percent),and IT security(24 percent).49Code signing use cases are expanding:Organizations often use code signing for software,artifacts,and containers.Best practices in code signing include having a formal code signing process,enabling developers to sign

142、code from everywhere while ensuring the keys remain safe.However,security and development teams need to work collaboratively and integrate code-signing processes with existing tools and workflows without the burden of extra steps to access keys that are securely stored.Leveraging a signing solution

143、can help to ensure that proper security is adhered to while maximum flexibility is available to sign artifacts when and as required,all while maintaining an auditable trail to ensure compliance.In our software-driven world,trust is everything.Ensuring that an organizations security and development t

144、eams are working together to protect the digital certificates and keys used for code signing is key to ensuring their software remains secure and trusted making code signing a critical part of a secure software supply chain.Five steps to successful machine identity management|Recommendations50Helpfu

145、l resourcesRecommendationsThree Strategies to Navigate the Cybersecurity Labor ShortageFind out how to navigate the cybersecurity labor shortage and its impacts with strategies to help your team do more with less,plus tips on building a business case to modernize and automate your PKI.Planning Ahead

146、 for Post-Quantum CybersecurityFind out why now is the time for organizations to plan how to protect their data and identities from the future threat of quantum computing.The Definitive Roadmap to Secure Code SigningLearn about the importance of secure code signing and the risks of poor implementati

147、on.Discover four practical steps to overcome security challenges and the solutions to put you on the right track.Outlook of IoT Cybersecurity in 2023 and beyondWatch this on-demand webinar with Admir Abdurahmanovic,SVP of Strategy,Keyfactor,to learn how to prepare for the changing IoT security lands

148、cape in 2023.Learn more Learn more Learn more Learn more 51Research methodologyA sampling frame of 31,817 IT security professionals in North America and EMEA and organizations with a PKI were selected as participants in this survey.Table 1 shows 1,411 total returns.Screening and reliability checks r

149、equired the removal of 131 surveys.Our final sample consisted of 1,280 surveys or a 4.0 percent response.All respondents are familiar with their organizations PKI.Sample ResponseFrequencySampling frame31,817Total returns1,411Rejected or screened surveys131Final sample1,280Response rate4%52Survey res

150、pondentsResearch methodologyHeres a closer look at the 1,280 individuals who completed the survey in January 2023.Figure 35 reports the respondents organizational level within participating organizations.By design,more than half(69 percent)of respondents are at or above the supervisory levels.The la

151、rgest category at 23 percent of respondents is supervisor.Figure 35Current position within the organizationExecutive/VP 7%Director 17%Manager 22%Supervisor 23%Staff/technician 16%Administrative 5%Consultant 5%Other 5%53As shown in Figure 36,29 percent of respondents report to the CIO or head of corp

152、orate IT,23 percent of respondents report to the CISO/CSO or head of IT security,20 percent of respondents report to the business unit leader or general manager.Figure 36Direct reporting channelSurvey respondents|Research methodologyCIO or head of corporate IT 29%CISO/CSO or head of IT security 23%B

153、usiness unit leader or general manager 20%CEO/executive ocmmittee 8%Head of compliance or internal audit 8%COO or head of operations 5%CFO,controller or head of finance 2%Other 5%54According to Figure 37,28 percent of respondents are located within the IT security/Info sec department.This is followe

154、d by infrastructure(16 percent of respondents),IT operations(15 percent of respondents),engineering(14 percent of respondents),and networking(9 percent of respondents).Figure 37Respondents department or teamSurvey respondents|Research methodologyIT Security/InfoSec 28%Infrastructure 16%IT Operations

155、 15%Engineering 14%Networking 9%Risk&Compliance 8%DevOps/DevSecOps 7%Other 3%55As shown in Figure 38,59 percent of respondents are from organizations with a global headcount of more than 5,000 employees.Figure 38Global full-time headcountSurvey respondents|Research methodologyMore than 75,000 9%25,0

156、01 to 75,000 12%10,001 to 25,000 16%5,001 to 10,000 22%1,000 to 5,000 19%Less than 1,000 22%56Figure 39 reports the industry classification of respondents organizations.This chart identifies financial services(18 percent)as the largest industry focus,which includes banking,investment management,insu

157、r-ance,brokerage,payments and credit cards.This is followed by industrial and manufacturing(12 percent of respondents),healthcare and pharmaceuticals(9 percent of respondents),services(9 percent of respondents),energy and utilities,retail and technology and software(each at 8 percent of respondents)

158、.Figure 39Distribution of sample by industrySurvey respondents|Research methodologyFinancial services 18%Industrial&manufacturing 12%Healthcare&pharmaceutical 9%Services 9%Energy&utilities 8%Retail 8%Technology&software 8%Education&research 7%Consumer products 5%Public sector 5%Transportation 4%Comm

159、unications 3%Agriculture&food services 2%Other 2%57LimitationsResearch methodologyThere are inherent limitations to survey research that must be carefully considered before drawing inferences from findings.The following items are specific limitations that are germane to most web-based surveys.Non-re

160、sponse bias:The current findings are based on a sample of survey returns.We sent surveys to a representative sample of individuals,resulting in a large number of usable returned responses.Despite non-response tests,it is always possible that individuals who did not participate are substantially diff

161、erent in terms of underlying beliefs from those who completed the instrument.Sampling-frame bias:The accuracy is based on contact information and the degree to which the list is representative of individuals who are familiar with their organizations PKI.We also acknowledge that the results may be bi

162、ased by external events such as media coverage.Finally,because we used a web-based collection method,it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.Self-reported results:The quality of survey research is based on the integrity

163、 of confidential responses received from subjects.While certain checks and balances can be incorporated into the survey process,there is always the possibility that a subject did not provide accurate responses.58About Ponemon Institute and KeyfactorThe 2023 State of Machine Identity Management Repor

164、t was a joint effort between Ponemon Institute and Keyfactor.The research is conducted independently by Ponemon Institute,and results are sponsored,analyzed,and published by Keyfactor.Keyfactor brings digital trust to the hyper-connected world with identity-first security for every machine and human

165、.By simplifying PKI,automating certificate lifecycle management,and securing every device,workload,and thing,Keyfactor helps organizations move fast to establish digital trust at scale and then maintain it.In a zero-trust world,every machine needs an identity and every identity must be managed.For m

166、ore,visit or follow keyfactor.Built on a foundation of trust and security,Keyfactor is a proud equal opportunity employer,supporter,and advocate of growing a trusted,secure,diverse,and inclusive workplace.The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government.To achieve this objective,the Institute conducts independent research,educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.59