Legacy PKI leaves APAC exposed to outages, breaches
CyberArk has published a new study on public key infrastructure in the Asia-Pacific region that points to rising operational disruption and weak confidence in compliance as organisations manage growing numbers of digital certificates.
The research, carried out by Ponemon Institute, surveyed nearly 2,000 IT and security practitioners worldwide about PKI security and certificate management. It found that older PKI systems and manual processes remain widespread. The study linked these approaches to outages, security incidents and higher costs.
PKI underpins digital certificates that verify the identities of users, devices and services. Many organisations now run far more machine and workload identities across cloud environments than in the past. That shift has increased the number of certificates in use and added complexity to renewal and governance processes.
Outages and errors
In APAC, more than half of organisations reported unplanned outages caused by configuration errors. Nearly half also reported outages caused by expired certificates. The study also found that 59% of APAC respondents said their organisations could not respond to a certificate authority compromise.
The study reported that almost a third of APAC organisations still rely on manual tracking and renewal for certificates. It said 50% experienced mistakes and inefficiencies because of a lack of in-house expertise.
CyberArk said the data showed a confidence gap in the region. Respondents in APAC reported higher confidence than other regions in PKI performance in some areas, but fewer than half said they were highly confident their PKI could meet compliance requirements.
Only 45% of APAC organisations said they were highly confident their PKI could meet compliance requirements. Less than half, 48%, said they were certain that their PKI was effective against cyberattacks or internal threats.
Visibility gap
The report identified a lack of central visibility as one of the main obstacles to secure PKI in APAC. It found that 39% cited an inability to gain a centralised view of all internal certificates as the top barrier. It also found that 38% pointed to security, compliance and audit failures as a top barrier.
Across the global sample, the study said outdated PKI systems represented the leading barrier to secure certificate management. It said this contributed to security exploits in 60% of organisations.
The research also highlighted the scale of certificate management work. It said organisations, on average, oversee more than 105,000 internal certificates. It said most have three full-time staff dedicated to PKI management.
Resourcing and outsourcing
Resource constraints appeared as a recurring theme in the study. It found that 60% said they currently use or plan to outsource PKI management to a managed security service provider due to shortages in expertise and staffing.
The report linked those constraints with the pace of change in certificate usage. Many organisations face shorter certificate lifecycles and more frequent renewals. That increases the risk of missed renewals and misconfigurations when teams rely on manual processes.
"The rapid expansion of machine identities has completely changed the PKI operating model. The complexity of managing an increasing number of certificates is compounded by legacy systems, manual processes and resource constraints," said Kurt Sand, GM of Machine Identity Security, CyberArk.
"As certificate volumes grow and certificate lifespans continue to shrink, the financial and operational impact of unmanaged PKI will escalate rapidly. Now is the time for organisations to automate and modernise their PKI to reduce operational burdens and improve their overall security posture," said Sand.
Automation focus
The report said organisations that invest in automation and unified visibility report fewer outages and better compliance outcomes. It also said overall confidence in security and compliance remains low, despite PKI's central role in authentication and encryption.
APAC respondents reported stronger performance than the global average in some operational areas. The study said 52% of APAC respondents believed their PKI was highly effective at handling device and workload growth, compared with 47% globally. It said 53% of APAC respondents rated their PKI as effective at giving them visibility into how many certificates they have and where those certificates are deployed.
The report also said APAC and EMEA respondents reported the highest levels of effectiveness for PKI protecting against outside attacks and insider threats, at 49%.
"PKI is critically important to ensuring trust, security and privacy in digital communications. However, as shown in the research, organisations lack confidence in the ability of PKI to protect against security threats and keep up with their growing devices and workload demand," said Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute.
"To increase PKI's effectiveness, I believe more companies will be adopting AI to reduce operational burdens and have stronger security outcomes," said Ponemon.
CyberArk said it expects ongoing growth in machine identities and certificates across cloud and modern application environments, with more organisations reviewing certificate inventory, renewal processes and governance in response to outage risk and compliance requirements.