Public key infrastructure (PKI) remains the base of nearly every IT security environment, but even as the technology matures, new use cases and rising compliance mandates are adding new challenges to infosec professionals charged with managing PKI implementations.
This is a key theme that comes out of the 2022 Global PKI and IoT Trends Study, conducted by the Ponemon Institute, and sponsored by Entrust, a global leader in trusted payments, identities and digital infrastructure.
The survey collects feedback from over 2,500 IT professionals around the globe – ranging from CISO and CIO, to IT Security managers – all of which have indicated they are involved in their organization’s enterprise PKI.
When people discuss data protection, they usually mean encryption. But it is not enough just to encrypt your data to protect it in a connected environment.
The study found that while the top use cases for PKI are still of the traditional variety, such as TLS/SSL, securing VPN and private networks, and digital signing, it’s the regulatory landscape and newer use cases – such as cloud-based services and IoT – that are driving the adoption of PKI. As a case in point, IT security teams report rising demand for PKI driven by the regulatory environment – ranked by 31% of respondents from 24% the previous year– and BYOD and internal device management, which more than doubled from 11% in 2021 to 24% in 2022.
And yet, organizations continue to struggle with applying the resources needed to effectively manage their PKI implementations, with 64% of respondents citing insufficient resources, lack of skills, and no clear ownership as the top three challenges to enabling applications to use PKI – rising from 51% in last year’s survey. Highlighting the need for resources, nearly half (48%) identified a ‘lack of visibility of the application that will depend on PKI,’ rising from 34% in 2021. Similarly, another jump came with 35% of respondents identifying requirements being too fragmented or inconsistent, up from 28% in 2021.
Challenges and opportunities
When it comes to existing PKI implementations, the top challenge continued to be the ability to support new applications – cited by 41% this year - as well as the lack of visibility into the security capabilities of existing PKI at 29%. The fact that organizations might not have the right technology in place to secure these new use cases or might not know if their PKI is capable of it, is concerning though perhaps not surprising, considering only 38% of organizations said they have a PKI specialist on staff.
“The top three challenges in deploying and managing PKI have remained fairly consistent over the years of conducting this research,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “But looking at some of the trends over time, it paints a picture of a landscape that continues to recognize the importance of PKI, but constantly evolving use cases and compliance requirements means that organizations find themselves running to stand still. The lack of skilled and experienced staff to help alleviate this pressure is clearly being increasingly felt, as is the lack of clear ownership across stubbornly siloed business structures for many.”
The role of IoT
With IoT highlighted as a primary trend and the top agent for change, it’s not surprising that scalability to millions of managed certificates continues to be the most important PKI capability for IoT employments. While scalability is ranked as the most important capability, it has decreased in importance from 53% of respondents in 2018 to 39% of respondents in 2020. The ability to sign firmware for IoT devices has increased from 27% of respondents in 2021 to 33% in 2022 – highlighting the critical need to ensure security and trust in these connected devices.
The question then becomes how PKI will be used to support IoT device credentialing. According to those surveyed, in the next two years, an average of 44% of IoT devices in use will rely primarily on digital certificates for identification and authentication. Just over a third (35%) of respondents believe that as the IoT continues to grow, supporting PKI deployments for IoT device credentialing will be a combination of cloud-based and enterprise-based – again, down from 42% in 2021.
