Skip to main content
banner image
venafi logo

4 Misconceptions about PKI that Deserve to be Debunked

4 Misconceptions about PKI that Deserve to be Debunked

pki management poll
May 2, 2018 | Terrie Anderson
PKI is dead, long live PKI

I’m often frustrated by the misconception that PKI is dead—there’s an idea in some circles that it’s an old technology and we’ve grown beyond it. Actually, nothing could be further from the truth. PKI is still on its way in. And it’s only going to become more vital as we look for scalable ways to manage and secure communication across the skyrocketing number of new machines and applications.


Why do I care about PKI? There are not a lot of people floating around in this market who have 20+ years of PKI experience. It’s just kind of weird that I’ve stayed with it all these years. Some people think PKI is boring, but actually it is quite exciting as IoT and Smart Infrastructures emerge. I always believed that it was going to have its day eventually. And I was right; that day is today.

PKI been getting a misleading rap for quite a while now and I’d like to set the record straight. Here are 4 common misconceptions about PKI and its relevance to our future security.

#1 PKI Misconception: PKI technology is too old to be relevant today

The problem with putting PKI out to pasture is that there really isn’t anything else that is a suitable replacement. In fact, instead of becoming less relevant, PKI is becoming more relevant as we increase our adoption of cloud and DevOps infrastructure. Both of these technologies consume large numbers of certificates that are only used for short periods of time. What other technologies are there out there that can authenticate effectively, verify that data hasn’t been changed, and cost only a few cents? There aren’t any. No one has been able to develop an alternative that is as ubiquitous and easily deployed, or one that is as cost effective.

#2 PKI Misconception: PKI is a minor, back-office support technology

Granted, PKI was created for a specific purpose and then it kind of went to sleep for a few years. During that time, it was used quietly in the background and nobody thought too much about it. And then, what I think of as PKI 2.0 started happening about 4 or 5 years ago. We started to see certificates used on smart cards, and other devices, to identify humans as well as machines (the non-human actors on your network). And now we’ve got an exploding population of IoT, virtual, cloud and DevOps machines and they all need unique identities. Each of these relatively short-lived machines need a way to authenticate themselves to other machines so they can communicate securely. And PKI is still the only way you can even begin to tame all of that madness.

#3 PKI Misconception: PKI is too complicated to be effective

If you’re not a PKI person, you may be a little scared of PKI because it seems very deep and complicated. It’s not actually. But because it appears that way to people there’s a misperception that it is causing a lot of pain. If you dig a little deeper you’ll realize that it’s not the underlying PKI technology that’s causing the pain, it’s the management of PKI assets (or keys and certificates) that’s causing the real problem. The problem is that most organizations are not managing these critical security assets at all. And, as a result of this lack of even basic oversight, when certificate issues arise they consume large amounts of scarce, highly skilled resources and things get ugly fast, and very stressful. It’s relatively easy to avoid all these difficulties, and substantially simplify PKI, by automating the management and workflow of the certificate life cycle. This isn’t nearly as difficult as some nay-sayers make it out to be; a better understanding of the root cause of perceived PKI pain would eliminate an enormous amount of confusion, frustration and public embarrassment.

#4 PKI Misconception: PKI is an administrative tool, not a security technology

Executives often perceive PKI costs as unpalatable until they realize that by not tracking machine identities, they can literally cripple the business. Unmanaged machine identities can impact your business in two ways. First, from an unexpected expiry which causes an outage and, from an external user perspective, looks like a serious security compromise. Second, from an actual compromise, which is extremely serious. When a certificate and its corresponding keys are stolen, attackers can use them to appear to be trusted. They can then move around inside your network completely undetected and do all kinds of things you don’t want to think about, and your security controls generally won’t be able to detect them. Effective management of your PKI will neutralize these dangers.

What’s next for PKI?

PKI is a long way from dead—PKI management is going to become an increasingly critical component of every security program and is already becoming a part of IT audit. Private keys will even form part of securing most block chain technology. The explosion of machines in all of your external environments means that you’re putting a stunning number of keys and certificates out there. It’s crucial for you to know where they all are. But that’s not all—you also need to validate that they are where they should be, and have not been damaged in any way that could result in breach or compromise. If you’re not actively managing your PKI, then you could be in for a really rough ride because analysts tell us attackers are targeting keys and certificates.

So, PKI is here for the long haul. It can be your best friend or your worst enemy.

Do you know which it is in your organization?

Learn more about machine identity management. Explore now.


Related blogs

Like this blog? We think you will love this.
Featured Blog

What Is a Private Key?

How Are Private Keys Used?<

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Terrie Anderson
Terrie Anderson

Terrie is Country Manager (ANZ) for Forescout Technologies Inc., and a speaker and futurist in Digital Enterprise Leadership, Cyber Security Strategy and Workplace of the Future.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more