Venafi Survey Finds Management, Auditing for Keys and Certificates Lags Usernames and Passwords

A recent survey by Venafi has shown that organizations are failing to protect keys and certificates as effectively as they do with usernames and passwords.  While 85% of security professionals have policies to govern password length for human identities, just over half govern keys for machine identities.

Tags: auditing, keys, machine identities, management, passwords, policy, Venafi

A recent survey by Venafi has shown that organizations are failing to protect keys and certificates as effectively as they do with usernames and passwords. 


The survey found that just over half (54%) of security professionals have a written policy on the length and randomness of keys for machine identities, whereas 85% have a policy that governs password length for human identities.


The survey also showed that people rely more on usernames and passwords to identify themselves to machines so they can gain access to data and services. 


In addition, organizations spent over $10 billion protecting human identities this year but are only just getting started with machine identity protection. Cybercriminals, the survey notes, understand the power of machine identities and their lack of protection, and target them for exploitation.

Based on the percentage of respondents who say they have basic machine identity policies in place, a majority of organizations grasp the importance of safeguarding their machine identities. In fact, it is gratifying that, according to the data in this study, a majority of organizations have written policies in place to secure machine identities just as they do for human identities, even though the security challenges created by the proliferation of machine identities have only recently gained traction.

Nevertheless, there is still a large number that do not have written policies in place—for some security aspects discussed above, close to half—and organizations struggle with the implementation and auditing of their written machine identity policies because they don’t yet have the level of guidance they have had for human identities over the last decade or so. But new standards from regulatory bodies of all stripes can be expected to follow with more prescriptive guidance, especially now that the release of the NIST 1800-16B framework provides a template for protecting TLS machine identities.

Additional findings from the Venafi study include:

  • Less than half (49%) of organizations audit the length and randomness of their keys, while 70% do so for passwords.
  • Only 55% have a written policy stating how often certificates and private keys should be changed, while 79% have the equivalent policy for passwords.
  • Only 42% of organizations automatically enforce the rotation of TLS certificates, compared with 79% that automatically enforce the rotation of passwords.
  • Only 53% audit how often certificates and private keys should be changed, compared with 73% for passwords.
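The four findings above concern checks that lend themselves to automation: key length, lifetime and rotation are all properties an auditor can read off a certificate. As an added example, not code from Venafi's report or from the survey, the Go program below audits a parsed X.509 certificate against a written machine-identity policy. The policy thresholds (2048-bit RSA, a 256-bit curve, a 398-day maximum lifetime, a 30-day rotation window), the host name svc.example.internal and the two self-signed certificates it generates are all constructed for the example; real deployments would feed it certificates collected from inventory.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy holds the thresholds a written machine-identity policy might set.
// The numbers in DefaultPolicy are assumptions for this example, not figures from the survey.
type Policy struct {
	MinRSABits       int // minimum RSA modulus length
	MinECDSABits     int // minimum ECDSA curve size
	MaxValidityDays  int // longest permitted NotBefore..NotAfter span
	RotateWithinDays int // flag certificates that expire inside this window
}

var DefaultPolicy = Policy{MinRSABits: 2048, MinECDSABits: 256, MaxValidityDays: 398, RotateWithinDays: 30}

// AuditCertificate checks one parsed certificate against the policy and returns
// the findings; an empty slice means the certificate passes.
func AuditCertificate(cert *x509.Certificate, now time.Time, p Policy) []string {
	var findings []string
	day := 24 * time.Hour

	// Key length: the property the survey says fewer than half of organizations audit.
	switch key := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := key.N.BitLen(); bits < p.MinRSABits {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits, policy minimum is %d", bits, p.MinRSABits))
		}
	case *ecdsa.PublicKey:
		if bits := key.Curve.Params().BitSize; bits < p.MinECDSABits {
			findings = append(findings, fmt.Sprintf("ECDSA curve is %d bits, policy minimum is %d", bits, p.MinECDSABits))
		}
	default:
		findings = append(findings, fmt.Sprintf("unsupported public key type %T", key))
	}

	// Deprecated signature algorithms on the certificate itself.
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		findings = append(findings, "signed with deprecated algorithm "+cert.SignatureAlgorithm.String())
	}

	// Rotation: how long the identity lives and how close it is to expiry.
	if validity := cert.NotAfter.Sub(cert.NotBefore); validity > time.Duration(p.MaxValidityDays)*day {
		findings = append(findings, fmt.Sprintf("validity period is %.0f days, policy maximum is %d", validity.Hours()/24, p.MaxValidityDays))
	}
	switch {
	case now.Before(cert.NotBefore):
		findings = append(findings, "certificate is not yet valid")
	case now.After(cert.NotAfter):
		findings = append(findings, "certificate expired on "+cert.NotAfter.Format(time.RFC3339))
	case cert.NotAfter.Sub(now) <= time.Duration(p.RotateWithinDays)*day:
		findings = append(findings, fmt.Sprintf("expires in %.0f days, rotation is due", cert.NotAfter.Sub(now).Hours()/24))
	}
	return findings
}

// SelfSignedCert builds a throwaway self-signed certificate so the audit has
// something to inspect offline; constructed test input, not a real identity.
func SelfSignedCert(key crypto.Signer, notBefore time.Time, days int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "svc.example.internal"}, // hypothetical host
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RunDemo audits two constructed certificates: one with a 1024-bit RSA key, a
// two-year lifetime and 30 days left, and one with a P-256 key and a 90-day lifetime.
func RunDemo(now time.Time) ([]string, []string, error) {
	day := 24 * time.Hour
	rsaKey, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, nil, err
	}
	weakCert, err := SelfSignedCert(rsaKey, now.Add(-700*day), 730)
	if err != nil {
		return nil, nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	goodCert, err := SelfSignedCert(ecKey, now.Add(-10*day), 90)
	if err != nil {
		return nil, nil, err
	}
	return AuditCertificate(weakCert, now, DefaultPolicy), AuditCertificate(goodCert, now, DefaultPolicy), nil
}

func main() {
	weak, good, err := RunDemo(time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("weak certificate findings:", weak)
	fmt.Println("compliant certificate findings:", good)
}
```

The weak certificate trips three checks (key length, lifetime, rotation due) while the compliant one produces no findings. Passing `now` explicitly rather than calling `time.Now()` inside the audit keeps the check deterministic, which matters when the same policy is run repeatedly across an inventory and the results are compared over time.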

“Identities are widely recognized as a key element in the threat landscape,” said Kevin Bocek, Venafi’s vice president of security strategy and threat intelligence, in a statement. “Machine identities are a relatively new, and very effective, point of attack, but there is a huge gap between the security controls applied to human identities and those applied to machine identities.”


Bocek shared his view on the impact of this ‘gap’ between security for human and machine identities. 


“This is a problem because the future of digital business relies heavily on machines. Enterprises are seeing dramatic growth in container usage, artificial intelligence, microservices and IoT devices, as well as machines in the cloud and virtualized environments. Everyone – from CISOs to security architects and security practitioners – must prioritize the protection of machine identities for their organizations’ digital transformation to be successful,” Bocek added.


For context, Venafi’s report includes a detailed summary of what “machine identities” are and how they are used.


Machine identities are required for a wide range of transactions, including:


Securing web transactions with HTTPS: Digital certificates, such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates, enable encrypted connections between a web browser and a web server.


Securing privileged access: Secure Shell (SSH) is often used to secure system administrator-to-machine access for routine tasks. SSH is also used to secure the machine-to-machine automation of critical business functions, such as automatically triggering operations and routine file transfers.


Securing Fast IT and DevOps: Development teams are focused on speeding up the delivery of software. To do this, developers use cloud computing and software-defined containers to run individual microservices. These function as separate machines and use SSL/TLS certificates that serve as machine identities for secure authentication and machine-to-machine communication.


Securing communication on consumer devices: Digital certificates are a vital element of mobile security because they provide the foundation for authenticating mobile devices that access enterprise networks. Mobile device certificates are also increasingly used to enable access to enterprise Wi-Fi networks and for remote enterprise access over SSL and IPsec VPNs. In addition, mobile access to Internet of Things (IoT) devices on enterprise networks relies on certificates for authentication.


Authenticating software code: Software is usually signed with a certificate to verify its integrity. Users implicitly trust products when they are signed by a reliable publisher’s code signing certificates.


Venafi commissioned the survey to better understand what it sees as the “gap” between the implementation of security controls for human identities and those for machine identities. The survey also evaluated similar security controls for each type of identity.

Among the conclusions in Venafi’s report is the following:

Even though many organizations seem to understand the importance of automating the rotation of machine identities, it still isn’t surprising that only half do so relative to human identities, as shown in the chart below. After all, if organizations have difficulty writing clear policies for securing machine identities or lack the means to effectively audit policies, they are unlikely to have the necessary building blocks to deploy automated programs that ensure these things are enforced.

The Venafi survey work was published as Venafi Research Brief: Comparing Security Controls for Machine Identities and Human Identities. The data reflects responses from 1,500 IT security professionals in the U.S., U.K., France, Germany and Australia.


Readers can review the material here.