A Ponemon Institute study highlights critical weaknesses in how organisations run their public key infrastructure (PKI). Nearly 56% of organisations report disruptions from unplanned outages tied to expired certificates, indicating an urgent need to re-evaluate PKI management practices.
PKI, which secures digital identities through the creation and management of digital certificates, is becoming increasingly strained due to the rapid rise of machine and workload identities.
As organisations transition to cloud-native and zero-trust environments, they face an exponential increase in certificate volume and complexity. However, many are still relying on outdated PKI approaches that are not equipped to handle these growing demands.
The study reveals that 34% of organisations cite high costs and risks associated with legacy PKI systems as the primary barriers to secure certificate management. On average, firms manage over 114,000 internal certificates with only four full-time staff members dedicated to PKI oversight. This resource scarcity has forced 63% of participants to outsource their PKI management, exacerbating the risks involved.
The consequences of manual PKI processes are significant. The report notes that 60% of organisations have suffered security exploits due to weak cryptography, while a further 58% experienced compromises through third-party certificate authorities. Notably, 43% reported incidents of private key theft, underlining the urgent need for more robust and automated security measures.
Commenting on the findings, Kurt Sand, general manager of machine identity security at CyberArk, says: “The rapid expansion of machine identities has completely changed the PKI operating model. The complexity of managing an increasing number of certificates is compounded by legacy systems, manual processes, and resource constraints.”
He emphasises that the financial and operational impact of unmanaged PKI will worsen unless organisations modernise and automate their certificate management processes.
Despite the critical role of PKI in ensuring digital trust and security, only 46% of organisations expressed confidence in their PKI systems' compliance capabilities.
Those that have implemented automation and unified visibility report fewer outages and a higher likelihood of meeting compliance requirements. Notably, 61% of the organisations that rate their PKI strategy as effective have integrated AI technologies, compared with 50% of respondents overall.
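The report attributes outages to expired certificates and breaches to weak cryptography, and credits automation and unified visibility with reducing both, but it describes no tooling. The following is an added example written for this page, not code from the Ponemon study or from CyberArk: the minimal automated inventory check a practitioner would schedule, which walks parsed X.509 certificates and flags any that are already expired, expire within a renewal window, or carry an RSA key below an assumed 2048-bit policy floor. The certificates are constructed in-process as self-signed test material (not a real inventory) so the example runs offline; the subject names and the 30-day window are assumptions chosen for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one problem the inventory check raised for a certificate.
type Finding struct {
	Subject string
	Issue   string
}

// MinRSABits is the smallest RSA modulus the policy accepts (assumed policy value).
const MinRSABits = 2048

// CheckInventory walks a certificate inventory and returns findings for
// certificates that are expired, expire within window, or carry an RSA key
// below MinRSABits. Certificates with no findings are passed over silently.
func CheckInventory(certs []*x509.Certificate, now time.Time, window time.Duration) []Finding {
	var out []Finding
	for _, c := range certs {
		subj := c.Subject.CommonName
		switch {
		case now.After(c.NotAfter):
			out = append(out, Finding{subj, fmt.Sprintf("expired %s ago", now.Sub(c.NotAfter).Round(time.Hour))})
		case now.Add(window).After(c.NotAfter):
			out = append(out, Finding{subj, fmt.Sprintf("expires in %s", c.NotAfter.Sub(now).Round(time.Hour))})
		}
		// Key-strength check is independent of validity: a long-lived weak key is still a finding.
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < MinRSABits {
			out = append(out, Finding{subj, fmt.Sprintf("weak RSA key: %d bits", pub.N.BitLen())})
		}
	}
	return out
}

// selfSigned builds a constructed, self-signed certificate so the example runs
// offline. It stands in for certificates pulled from real inventory.
func selfSigned(cn string, notBefore, notAfter time.Time, key crypto.Signer) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SampleInventory returns four constructed certificates relative to now:
// one healthy, one expiring soon, one already expired, one on a 1024-bit RSA key.
func SampleInventory(now time.Time) []*x509.Certificate {
	day := 24 * time.Hour
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	weakKey, _ := rsa.GenerateKey(rand.Reader, 1024) // deliberately below MinRSABits
	return []*x509.Certificate{
		selfSigned("ok.example.internal", now.Add(-1*day), now.Add(364*day), ecKey),
		selfSigned("soon.example.internal", now.Add(-355*day), now.Add(10*day), rsaKey),
		selfSigned("expired.example.internal", now.Add(-368*day), now.Add(-3*day), rsaKey),
		selfSigned("legacy.example.internal", now.Add(-1*day), now.Add(364*day), weakKey),
	}
}

func main() {
	now := time.Now()
	for _, f := range CheckInventory(SampleInventory(now), now, 30*24*time.Hour) {
		fmt.Printf("%-28s %s\n", f.Subject, f.Issue)
	}
}
```

In a real deployment the inventory would be fed from the CA database, a TLS scan, or secret stores rather than constructed in memory, and findings would open renewal or rotation tickets; the point of the check is that expiry and key strength are evaluated by code on a schedule, not by the four staff the report says typically oversee more than 114,000 certificates.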
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, echoes these concerns: “PKI is critically important to ensuring trust, security, and privacy in digital communications. However, as shown in the research, organisations lack confidence in their ability to protect against security threats.”