Venafi Study: Federal IT Professionals Overconfident in Ability to Respond to Binding Operational Directive 18-01
September 26, 2018
Study evaluated the views of 100 federal IT security professionals on HTTPS protection practices
SALT LAKE CITY – September 26, 2018 – Venafi®, the leading provider of machine identity protection, today announced the results of a study that evaluated federal organizations’ preparedness to respond to Binding Operational Directive (BOD) 18-01. Conducted by Dimensional Research on behalf of Venafi, the study examined the views of 100 IT security professionals working for the federal government.
According to Venafi’s study, federal IT security professionals believe they can swiftly respond to events that impact the keys and certificates that serve as machine identities. However, the study found that few organizations have the tools and automation needed to respond effectively. For example, while fifty-four percent of respondents were confident that their networks do not contain certificates from unauthorized CAs, only forty-six percent reported that they have controls in place needed to detect this.
In addition, many federal IT security professionals admit they do not regularly audit the Federal Public Key Infrastructure (FPKI) processes required to ensure that encryption can be used securely on federal websites. Key findings from the study include:
Only thirty percent reported that they have a complete certificate inventory. Without a complete certificate inventory, organizations cannot see every certificate being used, including those from unauthorized authorities. The resulting lack of clarity increases security risks and the likelihood of service outages.
Twenty-nine percent believe their certificate inventory includes the location of every certificate that has been installed. This information is critical to upgrade efforts in large organizations, because a certificate may be installed on multiple devices, such as load balancers.
Thirty-seven percent believe their certificate inventory includes certificate ownership information. In many organizations, the PKI team does not have administrative access to every system where certificates need to be updated. Without ownership information, timely updates are much more difficult.
“Unfortunately, even the world’s most sophisticated security teams rarely have the visibility, intelligence or automation necessary to effectively scale the use of their machine identities,” said Kevin Bocek, chief cyber security strategist for Venafi. “This is true for both private and public organizations. For example, only 69% of all federal sites enable HTTPS, despite BOD 18-01 requiring 100% HTTPS usage. It’s great that the Department of Homeland Security is driving agencies to improve their use of machine identities, but the federal government should also develop comprehensive machine identity protection strategies to achieve this goal.”
In 2015, the Office of Management and Budget issued memo M-15-13, requiring all publicly accessible federal websites and web services to provide service only through a secure connection (HTTPS), using HTTP Strict Transport Security (HSTS) to enforce this. In May 2018, Sen. Ron Wyden of Oregon sent the DOD a letter detailing implementation issues with HTTPS on public-facing DOD websites. As a result of these issues, many browser makers were marking these websites as insecure and issuing warnings to visitors. DOD officials agreed that the department’s PKI needed to be improved and set up an aggressive timetable to complete this transition.
BOD 18-01 requires all US federal agency websites to improve the way they handle machine identities, such as TLS keys and certificates used in public key infrastructure (PKI). The goal of BOD 18-01 is the achievement of 100% HTTPS usage, which is necessary to protect the privacy and authentication of government web services.