Study Says Trust Based On Security Certificates Is In Peril

Wednesday, August 5th, 2015

A new study shows that enterprises the world over are increasingly concerned about the rampant abuse of security keys and certificates. The study, entitled “2015 Cost of Failed Trust Report”, was conducted by Ponemon Institute in association with the cybersecurity company Venafi. The results of the survey clearly show that while enterprises increasingly rely on secret keys and certificates to conduct their day-to-day business activities, abuse of those keys and certificates is pushing digital trust almost to the breaking point.

To carry out the study, Venafi interviewed 2,394 professionals from the United States, United Kingdom, Germany, France and Australia. By role, 17 percent of the respondents were Executive Vice Presidents or Directors, 37 percent were Managers or Supervisors and 42 percent were Administrators. The survey targeted small as well as large enterprises, with 59 percent of the participants belonging to organizations with 5000 or more employees. By business vertical, 17 percent of respondents worked in the financial services sector, 11 percent were from government organizations, 8 percent belonged to the services sector and 7 percent worked in consumer products or retail companies.

The survey reveals a dramatic increase in the number of security certificates used by organizations. According to Venafi, the average number of keys and certificates per company was 24,000 in 2014, an increase of 34 percent over the last two years. However, this increase was accompanied by a sizeable increase in security concerns related to the abuse of such keys. For instance, 54 percent of the respondents admitted that they were unsure whether the security certificates used by their companies could be trusted, since there was no clarity on how they were being stored or used.

The uncertainty related to secret keys and certificates directly affected business operations as well, with 50 percent of the participants (up from 45 percent a couple of years ago) replying that the digital trust needed to operate their communications, data centers and cloud operations was in jeopardy. The survey participants also believed that security attacks based on compromised keys and certificates could cost the Global 5000 at least 53 million dollars over the next two years (an increase of 51 percent from 2013 estimates). Even more significant is the fact that almost every organization that participated in the survey had faced a number of such attacks over the last few years.

Since mobile devices are increasingly finding favor among corporate employees, the study also covers the dangers posed by compromised mobile security certificates and keys. Among the participants, 62 percent admitted that their organizations were not in a position to detect unusual or erratic mobile certificate usage. Kevin Bocek, who oversees threat intelligence and security strategy at Venafi, said that mobile-based attacks were far more dangerous since the abuse of mobile keys and certificates could provide direct access to corporate VPNs and Wi-Fi networks, and even compromise data that is supposed to be protected by enterprise security systems.

The survey results clearly show that despite the drastic increase in the number of security certificates used by enterprises, security concerns regarding their abuse remain unanswered.
