In May 2018, Sen. Ron Wyden of Oregon sent the Department of Defense a letter detailing implementation issues with HTTPS on public-facing DOD websites. As a result of these issues, many browser makers were marking these websites as insecure and issuing warnings to visitors. DOD officials agreed that the department’s PKI needed to be improved and set up an aggressive timetable to complete this transition.
These requirements, however, should not come as a surprise. In 2015, the Office of Management and Budget issued memo M-15-13, requiring all publicly accessible federal websites and web services to only provide service through a secure connection (HTTPS), using HTTP Strict Transport Security (HSTS) to ensure this.
In addition, the Department of Homeland Security issued Binding Operational Directive (BOD) 18-01 in 2017, which requires all US federal agency websites to improve the way they handle machine identities, such as the TLS keys and certificates used in PKI. The goal of BOD 18-01 is the achievement of 100% HTTPS usage.
Venafi recently released the results of a study that evaluated federal organizations’ preparedness to respond to BOD 18-01. Conducted by Dimensional Research on behalf of Venafi, the study examined the views of 100 IT security professionals working for the federal government.
According to Venafi’s study, federal IT security professionals believe they can swiftly respond to events that impact the keys and certificates that serve as machine identities. However, the study found that few organizations have the tools and automation needed to respond effectively. For example, while 54% of respondents were confident that their networks do not contain certificates from unauthorized CAs, only 46% have the controls in place needed to detect this.
In addition, many federal IT security professionals admit they do not regularly audit the Federal Public Key Infrastructure (FPKI) processes required to ensure that encryption can be used securely on federal websites. Key findings from the study include:
Only 30% have a complete certificate inventory. Without a complete certificate inventory, organizations cannot see every certificate being used, including those from unauthorized authorities. The resulting CA sprawl increases security risks and the likelihood of service outages.
29% believe their certificate inventory includes the location of every certificate that has been installed. This information is critical to upgrade efforts in large organizations, because a certificate may be installed on multiple devices, such as load balancers.
37% believe their certificate inventory includes certificate ownership information. In many organizations, the PKI team does not have administrative access to every system where certificates need to be updated. Without ownership information, timely updates are much more difficult.
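The three findings above (unknown issuers, certificates installed in more than one location, and missing ownership) are all checks that can be run against a certificate inventory once one exists, and the HSTS requirement from M-15-13 can be verified from a single response header. The script below is an added example, not Venafi’s, DHS’s or any agency’s code: the inventory rows are constructed sample scan output (fingerprint, subject, issuer, host, owner, expiry), the approved-CA list is an assumption, and the HSTS thresholds (one-year max-age, includeSubDomains, preload) are the preload-list requirements as generally published, labelled as assumptions in the code.

```python
"""Certificate-inventory and HSTS checks of the kind BOD 18-01 / M-15-13 call for.

Added example; not code from the page, Venafi, DHS or any agency.
Inventory rows are constructed sample data; approved CAs are an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed scan results: one row per (certificate, installed location).
# In a real scan 'fingerprint' would be the SHA-256 of the DER certificate.
INVENTORY = [
    {"fingerprint": "a1", "subject": "www.agency.example", "issuer": "Example Agency Issuing CA 1",
     "host": "lb-01.agency.example", "owner": "web-team", "not_after": "2019-03-01"},
    {"fingerprint": "a1", "subject": "www.agency.example", "issuer": "Example Agency Issuing CA 1",
     "host": "lb-02.agency.example", "owner": "web-team", "not_after": "2019-03-01"},
    {"fingerprint": "b2", "subject": "intranet.agency.example", "issuer": "Example Self-Signed Test CA",
     "host": "app-07.agency.example", "owner": "", "not_after": "2020-01-15"},
    {"fingerprint": "c3", "subject": "api.agency.example", "issuer": "Example Public CA",
     "host": "api-01.agency.example", "owner": "api-team", "not_after": "2018-07-04"},
]

# Assumption: the agency's approved issuing CAs.
APPROVED_CAS = {"Example Agency Issuing CA 1", "Example Public CA"}


def unauthorized_issuers(records, approved_cas):
    """Rows whose issuer is not on the approved-CA list (CA sprawl / rogue CA detection)."""
    return [r for r in records if r["issuer"] not in approved_cas]


def locations_by_fingerprint(records):
    """Map each distinct certificate to every host it is installed on.

    A certificate that appears on several hosts (e.g. both load balancers)
    must be replaced everywhere during an upgrade, not just where it was issued.
    """
    locations = defaultdict(set)
    for r in records:
        locations[r["fingerprint"]].add(r["host"])
    return {fp: sorted(hosts) for fp, hosts in locations.items()}


def missing_owner(records):
    """Fingerprints with no recorded owner, i.e. nobody to route a renewal ticket to."""
    return sorted({r["fingerprint"] for r in records if not r["owner"]})


def expiring_within(records, days, today):
    """Fingerprint -> expiry date for certificates expiring within `days` of `today` (YYYY-MM-DD)."""
    deadline = datetime.strptime(today, "%Y-%m-%d") + timedelta(days=days)
    result = {}
    for r in records:
        expiry = datetime.strptime(r["not_after"], "%Y-%m-%d")
        if expiry <= deadline:
            result[r["fingerprint"]] = r["not_after"]
    return result


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into lower-cased directives."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


ONE_YEAR_SECONDS = 365 * 24 * 3600  # assumption: preload-list minimum max-age


def hsts_findings(header):
    """Problems with an HSTS policy; an empty list means it meets the assumed bar."""
    if header is None:
        return ["missing Strict-Transport-Security header"]
    directives = parse_hsts(header)
    problems = []
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        max_age = -1
    if max_age < ONE_YEAR_SECONDS:
        problems.append("max-age below one year (%d)" % max_age)
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    for r in unauthorized_issuers(INVENTORY, APPROVED_CAS):
        print("unapproved issuer:", r["subject"], "on", r["host"], "issued by", r["issuer"])
    for fp, hosts in locations_by_fingerprint(INVENTORY).items():
        if len(hosts) > 1:
            print("installed in multiple locations:", fp, hosts)
    print("no owner recorded:", missing_owner(INVENTORY))
    print("expiring within 90 days of 2018-06-01:", expiring_within(INVENTORY, 90, "2018-06-01"))
    print("HSTS findings:", hsts_findings("max-age=300"))
```

Each function answers one of the survey's questions directly from inventory rows, so the same checks can be scheduled as a recurring audit rather than answered from memory; the HSTS check is applied to the header value an agency site actually returns, which is the property M-15-13 asks for.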
“Unfortunately, even the world’s most sophisticated security teams rarely have the visibility, intelligence or automation necessary to effectively scale the use of their machine identities,” said Kevin Bocek, chief cyber security strategist for Venafi.
“This is true for both private and public organizations,” continued Bocek. “For example, only 69% of all federal sites enable HTTPS, despite BOD 18-01 requiring 100% HTTPS usage. It’s great that the Department of Homeland Security is driving agencies to improve their use of machine identities, but the federal government should also develop comprehensive machine identity protection strategies to achieve this goal.”
Do you find the results of Venafi’s research surprising?