Since 2021, Keyfactor’s State of Machine Identity Report has helped organizations assess the machine identity and PKI landscape. The report’s findings illustrate how PKI is being used across the enterprise world, as well as the priorities and challenges that occupy the minds of security and C-suite leaders alike.
Keyfactor is proud to present the 2023 State of Machine Identity Report, conducted in partnership with the Ponemon Institute. This year’s report shows how organizations are still struggling to lay the foundation for efficient PKI management at scale — even as awareness of PKI as a business-critical necessity continues to rise.
- The adoption of zero trust, IoT devices, and cloud-based services are driving the deployment of keys, PKI, and certificates.
- For the first time in the history of the report, “reducing the complexity of PKI infrastructure” ranked as the top priority.
- The labor shortage continues to challenge organizations in setting an enterprise-wide PKI and MIM strategy.
The reality of quantum computing is drawing closer, use cases for machine identities are expanding, and outages are becoming more high stakes. While it’s widely recognized that every machine needs an identity, there is a dearth of discussion and understanding about managing those identities.
So what can organizations start doing now to manage machine identities better? This year’s State of Machine Identity Management Report offers several considerations on which to build a machine identity management (MIM) strategy that can enable greater crypto-agility for the future.
1. Establish ownership of machine identity
Certificates are used by teams across the enterprise — security, IT, DevOps, cloud, and others. Each team has its own needs around tooling and usage, yet no one truly owns any overall machine identity strategy.
That’s partly because there isn’t one. In this year’s report, only 47% of organizations said they have an enterprise-wide strategy for managing PKI and machine identities.
When no one owns the PKI strategy, there can be no alignment around best practices, decision-making around identity-related conflicts, or cross-organizational support for certificate issues. This results in a higher risk of outages and longer response times.
In the past, organizations have used security teams to deploy and manage certificates and cryptography. However, cryptography has become a strategic set of initiatives that require broader knowledge and a longer-term strategy.
Establishing a Crypto Center of Excellence (CCoE) or a machine identity working group that includes cross-functional participants has proven effective at preventing silos and maintaining visibility of cryptographic assets. The stakeholders who make up this group live and breathe their use cases every day, so they can make decisions around tooling and processes that truly enable productivity and deliver business value. Additionally, they can serve as a single point of contact for users across the enterprise, offering unified answers that enforce the overall mission.
2. Invest in your machine identity management strategy
The formulation of any strategy requires a human element, which the machine identity working group supplies. Once the vision is defined, organizations must make investments that enable and accelerate that vision with automation, visibility, and centralized control over certificate lifecycles.
Gaining visibility is the first and perhaps most difficult step. In this year’s report, 62% of respondents said they don’t know how many keys and certificates their organization has — that’s up from 55% in 2022 and 53% in 2021.
This may feel conflicting, as awareness of machine identities and the maturity of management technologies are on the rise. But it goes to show that the explosion in volume and use cases around machine identities is outpacing the organizational ability to manage them. This challenge will only grow more difficult as certificate lifecycles become shorter.
One of the first steps of a newly-formed machine identity working group should be to audit the organization’s machine identity landscape and identify the gaps. From there, they can explore tools and processes that fit the unique requirements of various teams and integrate them with existing tools, workflows, and applications.
The tradeoff between a centralized, PKI-dedicated CCOE and a working machine identity group is that members of the working group have other responsibilities. Especially under the pressures of an ongoing labor shortage, organizations would do well to empower members of the working group to manage machine identity responsibilities as efficiently as possible.
3. Reduce complexity in your PKI
A major headline emerging from this year’s State of Machine Identity Report is the importance of reducing the complexity around PKI. Reducing complexity in PKI ranked as the top strategic priority, up from 50% in 2021 to 58% in this year’s report.
But making PKI less complicated can be, well, complicated. There are a few factors at play.
- Higher volume of machine identities
71% of respondents said their organizations are deploying more cryptographic keys and digital certificates, up from 60% in 2021.
- Fewer resources to dedicate to PKI
53% of respondents said their organizations don’t allocate enough resources and staff dedicated to PKI deployment. - PKI and CA sprawl clutter machine identity strategies
On average, organizations use 9 different PKI and CA solutions, with a mix of internal private PKI, self-signed certificates, cloud-based services, and tools built into DevOps platforms.
This kind of sprawl results from a lack of ownership around PKI. Only 31% of respondents said their organizations have a mature machine identity working group.
Teams working in silos adopt their own tools, increasing redundancy and expanding the organization’s attack surface. Without an overarching strategy or at least a unified process for making PKI decisions, it’s difficult to identify solutions that meet numerous ends.
Certificate-related outages are hitting organizations hard
In this year’s report, 55% of respondents said certificate-related outages have caused severe disruption to customer-facing services, while another 50% said outages have caused major disruption to internal users or a subset of customers.
Making matters more dire, the time to recover from certificate outages is getting longer — 3.79 hours on average compared to 3.3 hours in last year’s report.
Other factors are making PKI a more urgent problem to solve. The cyber skills labor shortage continues, while code signing security is becoming a more integral part of machine identity management strategies.
Keyfactor’s 2023 State of Machine Identity Report speaks to these challenges. No matter where you are in your PKI journey, enabling long-term scale and efficiency is possible. We hope this year’s report gives you clarity and excitement about the future. At Keyfactor, we’ll keep working to deliver insights that help you navigate the machine identity landscape and establish digital trust enterprise-wide.