Public key infrastructure (PKI) remains the cornerstone of nearly every IT security environment, but even as the technology matures, new use cases, and rising compliance mandates are adding new challenges to infosec professionals charged with managing PKI implementations. This is a key theme that comes out of the 2022 Global PKI and IoT Trends Study, conducted by the Ponemon Institute, and sponsored by Entrust, a global leader in trusted payments, identities and digital infrastructure.
The study found that while the top use cases for PKI are still of the traditional variety, such as TLS/SSL, securing VPN and private networks, and digital signing, it’s the regulatory landscape and newer use cases – such as cloud-based services and IoT – that are driving the adoption of PKI. As a case in point, IT security teams report rising demand for PKI driven by the regulatory environment – ranked by 31% of respondents from 24% the previous year– and BYOD and internal device management, which more than doubled from 11% in 2021 to 24% in 2022.
And yet, organizations continue to struggle with applying the resources needed to effectively manage their PKI implementations, with 64% of respondents citing insufficient resources, lack of skills, and no clear ownership as the top three challenges to enabling applications to use PKI – rising from 51% in last year’s survey. Highlighting the need for resources, nearly half (48%) identified a ‘lack of visibility of the application that will depend on PKI’, rising from 34% in 2021. Similarly, another jump came with 35% of respondents identifying requirements being too fragmented or inconsistent, up from 28% in 2021.
Challenges and opportunities
When it comes to existing PKI implementations, the top challenge continued to be the ability to support new applications – cited by 41% this year – as well as lack of visibility into the security capabilities of existing PKI at 29%. The fact that organizations might not have the right technology in place to secure these new use cases or might not know if their PKI is capable of it, is concerning though perhaps not surprising, considering only 38% of organizations said they have a PKI specialist on staff.
“The top three challenges in deploying and managing PKI have remained fairly consistent over the years of conducting this research,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “But looking at some of the trends over time, it paints a picture of a landscape that continues to recognise the importance of PKI, but constantly evolving use cases and compliance requirements means that organizations find themselves running to stand still. The lack of skilled and experienced staff to help alleviate this pressure is clearly being increasingly felt, as is the lack of clear ownership across stubbornly siloed business structures for many.”
New enterprise applications driving change and uncertainty
As organizations plan the evolution of their PKI, new applications such as IoT devices and external mandates and standards continue to drive the most change and uncertainty, but change drivers are diversifying. For example:
- IoT was the top ranked change driver, cited by 33% of respondents. But this total is a drop from 41% in 2021 and 52% in 2020
- Similarly, external mandates and standards were cited as a top change driver by 30% of respondents that said external mandates and standards will drive change, but this is down from 37% in 2021 and 49% in 2020
Enterprise applications are the rising PKI change agent. While ranked fifth, enterprise applications were cited by 23% of respondents in the 2022 survey – representing a steady increase from 11% of respondents in 2020 and 17% in 2021.
The role of IoT
With IoT highlighted as a primary trend and the top agent for change, it’s not surprising that scalability to millions of managed certificates continues to be the most important PKI capability for IoT employments. While scalability is ranked as the most important capability, it has decreased in importance from 53% of respondents in 2018 to 39% of respondents in 2020. The ability to sign firmware for IoT devices has increased from 27% of respondents in 2021 to 33% in 2022 – highlighting the critical need to ensure security and trust in these connected devices.
The question then becomes how PKI will be used to support IoT device credentialing. According to those surveyed, in the next two years, an average of 44% of IoT devices in use will rely primarily on digital certificates for identification and authentication. Just over a third (35%) of respondents believe that as the IoT continues to grow, supporting PKI deployments for IoT device credentialing will be a combination of cloud-based and enterprise-based – again, down from 42% in 2021.
“What we’re seeing is that securing cloud applications and IoT are top of mind for organizations – these are things that have significantly changed the digital security landscape by moving security outside the four walls of an organizations,” said Samantha Mabey, Product Marketing Director of PKI & IoT, at Entrust. “But when we see that new applications like IoT are also the top areas expecting the most change and uncertainty, this suggests that while they might be thinking about it, organizations haven’t quite figured that area out just yet. Very much related but arguably more important, the number two area expecting change and uncertainty is external mandates and standards. Not just IoT, but cybersecurity in general, is being evaluated at all levels across the globe, and those mandates can be difficult to navigate, especially without the right skills and resources internally to do so. This will only continue to become challenging with future threats like post quantum, where the transition will be very involved and take several years.”