IDCA NewsAll IDCA News
6 Jul 2022
Weak keys and outdated machine identity management undermine digital economies
Cybersecurity is often focused on malware and ransomware. Countries often overlook the fact that machine identities are a major security concern when stimulating their digital economies. In other words, machines and applications talking to each other and performing transactions without any humans involved.
The security firm Venafi evaluated the use of encryption in the top one million sites in the world during the past six months in a recent report. It shows, among other things, that cloud environments becoming increasingly complex require a solution to automate management of machine identities.
There has been progress in some areas, but more education is needed to ensure machine identities are most effectively used to protect the online world. TLSv1.2 usage has dropped 13% in the past six months, while v1.3 is being used at nearly 50% of the sites surveyed - twice as many as v1.2. The adoption of v1.3 is being driven by cloud migration and cloud native stacks.
Although organizations are adopting stronger TLS protocols, they fail to link this to stronger keys for TLS machine identities. Just 17% of websites use industry-standard ECDSA keys, up from 14% six months ago. 39% of the top one million websites still use slower, less secure RSA keys.
HTTPS usage has stabilized at 72%, the same as in December. The top one million users still use Let's Encrypt as their Certificate Authority (CA), but Cloudflare is catching up. Cloudflare appears to be driving the adoption of TLSv1.3, with 50% of websites using v1.3 using it. Following a change by browser manufacturers that drastically reduced the value of Extended Validation (EV) certificates for website owners, the use of EV certificates has also declined by 16% in the last six months.
There is also good news in the analysis. Data shows that organizations are taking more steps to manage their machine identity environments. There has also been a 13% increase in the number of sites using Certificate Authority Authorization (CAA), which allows organizations to create a list of approved CAs. Organizations are becoming more vigilant in managing machine identities after adopting this control, indicating that they realize the importance of machine identities to their security.
Photo credit: Christopher Gower
Follow us on social media: