Drawing on nearly 2,000 IT and security practitioners globally on the state of public key infrastructure (PKI) security, the CyberArk-commissioned study reveals that outdated PKI systems are the leading barrier to secure certificate management worldwide, fueling security exploits in 60% of organisations.
CyberArk, a leading player in the identity security space, has released the findings of a new report, Trends in PKI Security: A Global Study of Trends, Challenges & Business Impact. Conducted by Ponemon Institute, a leading independent research firm, the CyberArk-commissioned research analyses the perspectives of nearly 2,000 IT and security practitioners globally on the state of public key infrastructure (PKI) security. It reveals that outdated PKI systems are the leading barrier to secure certificate management globally, fueling security exploits in 60% of organisations.
In APAC, the findings highlight a growing confidence gap between security effectiveness and regulatory readiness. While APAC respondents report relatively stronger confidence than other regions in PKI’s ability to protect against external attacks and insider threats, fewer than half (45%) say they are highly confident their PKI can meet compliance requirements. More than half of APAC organisations have experienced unplanned outages due to configuration errors, with nearly half also impacted by expired certificates, as visibility and control remain critical challenges.
PKI is a system for creating and managing digital certificates that verify the identities of users and devices. Modern identity demands – driven by the rise of machine and workload identities across cloud-native and zero-trust environments – have resulted in unprecedented certificate growth and complexity.
Legacy PKI systems and rapid certificate growth are hidden cost drivers
The report shows that PKI remains essential for secure digital identity, but legacy systems with fragmented approaches and manual, human-led processes can’t keep up with today’s certificate needs. Without a modern, automated approach, the gap between certificate demand and organisational capacity will only widen, leaving organisations facing resource constraints and increased operational costs.
- The top two barriers to secure PKI in APAC are the inability to maintain a centralised view of all internal certificates (39%) and security, compliance and audit failures (38%); globally, by contrast, 34% of organisations cite legacy PKI costs and risks as the top barrier.
- On average, organisations oversee more than 105,000 internal certificates but have only three full-time staff dedicated to PKI management.
- 60% say they currently use or plan to outsource PKI management to an MSSP due to resource and expertise shortages.
Manual processes amplify security risks
Manual certificate tracking and renewal processes are both inefficient and potentially risky for organisations, causing costly service disruptions and security exploits. Yet nearly a third of APAC organisations still rely on them.
- 59% were not able to respond to a certificate authority (CA) compromise.
- 55% have suffered unplanned outages due to configuration errors and 49% due to expired certificates.
- 50% experienced mistakes and inefficiencies due to a lack of in-house expertise.
“The rapid expansion of machine identities has completely changed the PKI operating model. The complexity of managing an increasing number of certificates is compounded by legacy systems, manual processes and resource constraints,” said Kurt Sand, GM of Machine Identity Security at CyberArk. “As certificate volumes grow and certificate lifespans continue to shrink, the financial and operational impact of unmanaged PKI will escalate rapidly. Now is the time for organisations to automate and modernise their PKI to reduce operational burdens and improve their overall security posture.”
Unified visibility and automation boost PKI effectiveness
The report finds that overall confidence in compliance and security is low. Organisations investing in automation and unified visibility see reduced operational burdens, fewer outages and better levels of PKI compliance.
- Only 45% of APAC organisations are highly confident that their PKI can meet compliance requirements, and fewer than half (48%) are certain that their PKI is effective against cyberattacks or internal threats.
- More APAC respondents believe their PKI infrastructure is highly effective in handling the growth of devices and workload demands (52%) compared to 47% globally.
- APAC respondents rate themselves the most effective at maintaining visibility into how many certificates they have and where they are (53%). APAC and EMEA respondents (49%) also rate their PKI the most effective at protecting against outside attacks and insider threats by providing a secure framework for authentication, encryption and data integrity.
“PKI is critically important to ensuring trust, security and privacy in digital communications. However, as shown in the research, organizations lack confidence in the ability of PKI to protect against security threats and keep up with their growing devices and workload demand,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “To increase PKI’s effectiveness, I believe more companies will be adopting AI to reduce operational burdens and have stronger security outcomes.”
