Two-thirds of respondents say their organisation is adding additional layers of encryption to comply with industry regulations and IT policies; however, shorter certificate validity has doubled the management workload on short-staffed IT and security teams," notes the study. An estimated average of 88,750 keys and certificates are used by organizations today to secure data and authenticate systems. However, 74 percent of respondents believe their organizations do not know exactly how many keys and certificates (including self-signed) they have, much less where to find them or when they expire. Furthermore, 76 percent of respondents say that failure to secure keys and certificates undermines the trust their organisation relies upon to operate.
More information here: https://www.securitymagazine.
With this in mind, Baan Alsinawi, Managing Director of Cerberus Sentinel has the following comment: Our assessments of various clients and government agencies confirm these findings. Add that NIST requires FIPS 140-2 encryption, and you add another layer of complexity and confusion to long term management of the various SSL keys, self signed certificates, PKI if used.
Changing the keys upon expiration mostly takes people by surprise since they are not prepared and suddenly critical functions are not accessible. i will add also the risk of using same keys for the primary data source and the backups. it is advised to use one key for primary and separate key for the backups to protect from risk of ransomware and ability to recover if your primary data source was compromised. all security standards have specific controls that are designed to audit and test the key management aspects of organisations such as NIST Cybersecurity Framework, ISO etc. Managing the risk should be included in an overall risk management strategy integrated into COOP and Disaster recovery, incident response and several other key aspects of a comprehensive risk management strategy.