Organisations are rapidly increasing the size, scope and scale of their data protection infrastructure, reflected in dramatic rises in the adoption of public key infrastructure (PKI) across enterprises worldwide, according to new research from Entrust. PKI is at the core of nearly every IT infrastructure, enabling security for critical digital initiatives such as cloud, mobile device deployment, identities and the internet of things. The annual 2020 Global PKI and IoT Trends Study, conducted by research firm the Ponemon Institute and sponsored by nCipher Security, an Entrust company, is based on feedback from more than 1,900 IT security professionals in 17 countries, including the United Arab Emirates and Saudi Arabia.
IoT, authentication and cloud are the top drivers in PKI adoption growth
As organisations become more dependent on digital information and face increasingly sophisticated cyberattacks, they rely on PKI to control access to data and ascertain the identities of people, systems and devices on a mass scale.
IoT is the fastest growing trend driving PKI application deployment, up 26% over the past five years to 47% in 2020, with cloud-based services the second highest driver cited by 44% of respondents.
PKI usage surging for cloud and authentication use cases
TLS and SSL certificates for public-facing websites and services are the most often cited use case for PKI credentials, named by 84% of respondents. Public cloud-based applications saw the fastest year-over-year growth, cited by 82%, up 27% from 2019, followed by enterprise user authentication, cited by 70% of respondents, an increase of 19% over 2019. All underscore the critical need for PKI in supporting core enterprise applications.
The average number of certificates an organisation needs to manage grew 43% in the 2020 study over the previous year, from 39,197 to 56,192 certificates, highlighting a pivotal requirement for enterprise certificate management. The rise is likely driven by the industry transition to shorter certificate validity periods, and the sharp growth in cloud and enterprise user authentication use cases.
Challenges, change and uncertainty
The 2020 study found that IT security professionals are confronting new challenges in enabling applications to use PKI. 52% cited lack of visibility of an existing PKI's security capabilities as their top challenge, an increase of 16% over the 2019 study. This issue underscores the lack of cybersecurity expertise available within even the most well-resourced organisations, and the need for PKI specialists who can create custom enterprise roadmaps based on security and operational best practices. Respondents also cited the inability to change legacy applications and the inability of their existing PKIs to support new applications as critical challenges, both at 51%.
When it comes to deploying and managing a PKI, IT security professionals are most challenged by organisational issues such as no clear ownership, insufficient skills and insufficient resources. In the Middle East, challenges around skills and resources for enabling applications to use PKI are not as high as the global averages (29% and 27%, vs 34% and 35% globally), despite the fact that Middle East respondents do not employ PKI specialists as much as the global average. PKI deployment figures from the study clearly indicate a trend toward more diversified approaches, with as-a-service offerings even becoming more prevalent than on-premises offerings in some countries.
The two greatest areas of PKI change and uncertainty come from new applications such as IoT (cited by 52% of respondents) and external mandates and standards (49%). The regulatory environment is also increasingly driving deployment of applications that use PKI, cited by 24% of respondents.
Businesses in Brazil, the UK and the US reported that IoT applications are driving the most change in PKI since 2019, but those in the Middle East and Mexico said that external mandates and standards are having the biggest impact. Middle East respondents are dealing with change and uncertainty due to external mandates and standards at the highest rate globally in the survey, 60% vs 49% global average.
Security practices have not kept pace with growth
In the next two years, a forecast average of 41% of IoT devices will rely primarily on digital certificates for identification and authentication. Encryption for IoT devices, platforms and data repositories, while growing, is at just 33%, a potential exposure point for sensitive data. Respondents cited several threats to IoT security, including altering the function of IoT devices through malware or other attacks (68%) and remote control of a device by an unauthorised user (54%). However, respondents rated controls relevant to malware protection, such as securely delivering patches and updates to IoT devices, last on a list of the five most important IoT security capabilities.
The US National Institute of Standards and Technology recommends that cryptographic modules for certificate authorities, key recovery servers and OCSP responders should be validated to FIPS 140-2 Level 3 or higher. 39% of respondents in this study use hardware security modules (HSMs) to secure their PKIs, most often to manage the private keys for their root, issuing or policy CAs. Yet only 12% of overall respondents indicate the use of HSMs in their OCSP installations, demonstrating a significant gap between best practices and observed practices.
Respondents in the Middle East use HSMs for offline root CAs at higher rates than the global average (52% vs 47% globally); however, their HSM use for online issuing CAs is significantly lower than the global average (27% vs 42% globally).
“PKI underpins the security of both the business and the consumer world, from digitally signing transactions and applications to prove the source as well as integrity, to supporting the authentication of smartphones, games consoles, citizen passports, mass transit ticketing and mobile banking,” says Larry Ponemon, founder of the Ponemon Institute. “The 2020 Global PKI and IoT Trends Study shows a surge in the use of PKI credentials for cloud-based applications and enterprise user authentication, underscoring the criticality of PKI in supporting core enterprise applications.”