Why your multi-cloud security strategy needs an overhaul

Feb. 13, 2023
As cloud use expands cybercriminals are honing their tactics and identifying new ways to infiltrate networks and systems

There’s a reason why nearly 90% of organizations operate on a multi-cloud strategy. The use of multiple cloud servers empowers geographically dispersed teams — like global enterprises and organizations with remote and hybrid operations — to improve collaboration and distribute apps and services. But the rise of multi-cloud environments also means a larger attack surface that gives bad actors more opportunities to infiltrate networks and systems.

Without clear visibility into all aspects of their IT infrastructure, security and IT teams often fail to implement security measures consistently across their environments. As enterprises expand their cloud ecosystems to take advantage of additional cloud-based services and the Internet of Things (IoT), visibility becomes more critical — and a lack of visibility means increased risk. 

The bottom line? Fundamental security has never been more critical.

Enter public key infrastructure (PKI) — the combination of software, hardware, processes, policies and people that facilitate secure business transactions and communications. PKI enables entities to create, issue and manage digital certificates that establish trust using identity, encryption and signing between people, systems and devices. PKI is also a key component of a zero-trust security approach — all users and devices are deemed untrustworthy until their identity is verified.

Nearly every digital connection today is backed by PKI, but few organizations have full visibility into their security infrastructure and its capabilities, further increasing the risk of ransomware and other cyberattacks. So as cloud environments continue to expand and evolve, PKI maturity needs to remain on the front burner.

Immature PKIs Create Unacceptable Risks

Enterprises collect and store more sensitive customer and company information than ever before, and out-of-date PKI governance and technology places that data at risk. As organizations communicate, sign documents and verify identities in cloud environments, the security of the multi-cloud infrastructure that makes it all possible has to remain airtight.

Yet, we still see some IT and security teams using Excel spreadsheets to manage their digital certificates, or lacking clear ownership over PKI roles and responsibilities. Security is far from airtight. The mismanagement of these functions means reduced control and visibility into PKI environments, creating noncompliance and vulnerabilities for threat actors to exploit.

Why are so many organizations struggling to level up their PKI? When it comes to deploying and managing PKI, research points to a lack of ownership, and insufficient resources and skills as organizations’ most significant pain points. Nationwide technical labor shortages contribute to the absence of required skills to deploy and manage PKI, so it’s unsurprising that insufficient skills also present obstacles in enabling applications to use existing PKI. 

Additionally, many organizations rely on outdated PKI that fails to support new applications. The individual who implemented the technology may no longer be employed by the organization, which leaves IT and security teams unsure of its capabilities. This becomes even more of an issue as organizations work to secure an increasing number of machine identities and devices — especially when it involves highly regulated IoT.

4 Ways to Enhance Your PKI

From authenticating virtual private network (VPN) connections to encrypting data and emails, PKI is a critical investment and core element of your overall IT security strategy. But if you mismanage or fail to level up your PKI governance and technology alongside evolving business needs and use cases, you won’t see the anticipated ROI — and you’ll increase your risk of losing sensitive data to fraudsters.

However, the ability to maintain secure connections and communications is very achievable when you prioritize the health of your PKI. Here’s what this might look like for your organization:

1.   Conduct health checks. Whether you manage audits internally or outsource to a third party, regular PKI health checks are essential to your cybersecurity posture. These “checkups” should review every component of your PKI to surface the use cases supported by your current infrastructure, and ensure everything from your policies to system configuration are up to date. Health checks also help determine whether your current PKI deployments are scalable and aligned with future business needs so it’s easier to navigate change.

 2.    Gain visibility into your PKI environment. Confidence in your security posture can’t exist without awareness. You need to remain aware of every person, process and technology involved in your IT security, which is only possible with increased visibility into your PKI. You must have visibility into everything across environments, including cryptographic assets and credentials. 

 Most importantly, don’t assume anything when it comes to your PKI. Following deployment, hold ongoing conversations with the people involved in your IT security about changes to the business and how they impact your PKI framework. Establish roles and responsibilities upfront to avoid overlaps — or worse, gaps — in PKI maintenance and security.

 3.    Don’t be afraid to trust your security with security experts. Architecting a PKI is not a DIY project — it’s a complex undertaking that requires specialized knowledge and resources. So, don’t hesitate to outsource deployment or management functions to a security provider, especially if you lack internal resources and personnel. Security providers can help with everything, from ensuring you have the right policies in place to entirely handling the maintenance and day-to-day management of your hardware and software. Security experts can also implement automation into the lifecycle management of certificates, eliminating the risk of data loss through the use of Excel spreadsheets.

 Additionally, it’s important to note the difference between the services a security provider offers versus that of a cloud provider. Ultimately it’s up to you to secure your organization's data, so only rely on internal teams or vetted security providers to help manage IT security functions.

 4.    Follow PKI best practices. Hardware security modules (HSMs) are the best practice for managing private keys, yet the number of IT and security professionals managing private keys with HSMs decreased in 2022 from the previous year. This means organizations are likely relying on software key stores and inadequate default security from cloud service providers. So even though using HSMs may seem obvious in PKI management, research indicates a need for increased awareness of security and PKI best practices. 

You can stay current on best practices — like how to securely store certificates or how often to conduct audits — by talking to your peers, subscribing to industry newsletters and following communications from associations like the PKI Consortium.

The use of multi-cloud environments continues to rise, IoT devices are cropping up left and right, and cybercriminals are honing their tactics and identifying new ways to infiltrate networks and systems. And that means the need for mature security infrastructure isn’t going away.

The time to start prioritizing your PKI is now. By increasing your awareness of and visibility into every component of your framework, you can gain confidence in your PKI — and better equip your organization to navigate both businesses and IT challenges.

About the author: Samantha Mabey is a Product Marketing Director at Entrust. Samantha is responsible for driving the marketing, strategy and communications of the private trust offerings within the portfolio which include PKI, IoT, Machine Identity Management, and the Cryptographic Center of Excellence. She also leads the marketing initiatives around Post Quantum Cryptography, including acting as host for the podcast Entrust Engage.