The report, commissioned by Entrust and researched by the Ponemon Institute, suggests that while adoption has never been higher, a lack of ownership, resourcfes and key skills is one of the greatest issues facing broader adoption of Public Key Infrastructure (PKI) and digital certificates in general.
Driven by organisational changes, enterprise use of Public Key Infrastructure (PKI) and digital certificates has never been higher, while the related skills to manage PKI are in historically short supply, according to research from Ponemon Institute, sponsored by Entrust, a global leader in trusted identity, payments and data protection.
PKI is at the core of nearly every IT infrastructure, enabling security for critical digital initiatives such as cloud, mobile device deployment, identities, and the internet of things (IoT). As such, PKI holds the key to enabling the digital transformation that these technologies underpin, something that has been thrown into sharp focus over the course of the global pandemic and its impact on working practices.
Drivers and challenges of PKI adoption
In Australia, when it comes to the most important trends driving the deployment of applications using PKI, the Internet of Things (IoT) remains the fastest growing trend at 54%, with consumer mobile applications coming in second at 44% and consumer mobile third at 37%.
The top challenge that impedes the deployment and management of PKI is a lack of clear ownership – cited by 71% of respondents globally and 78% of respondents from Australia. Respondents across the world have raised this issue as a top challenge for the past 5 years, indicating a key area of concern for many enterprises.
Insufficient resources and insufficient skills were rated as the second and third challenges at 51% and 46% respectively. Similarly, the top challenges to enabling applications to utilise PKI were the existing PKI being incapable of supporting new applications (55%) and insufficient skills (46%).
The areas expected to experience the most change and uncertainty were newer applications, such the Internet of Things (IoT) – which took the top spot for 41% of those surveyed globally. The second and third most cited areas were external mandates and standards (37%) and changes in PKI technologies (27%).
“Over the years we have been doing this study, it is clear that that the gap between the rising demand for PKI adoption and the challenges hindering it appear to be growing,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “This has the potential to exacerbate the headaches organisations already feel and create gaps in their security postures. When you factor in that environments are more distributed with remote working, cloud and IoT, it’s clear that there’s an immediate need for many organisations to gain additional visibility, automation and centralised control.”
The Rise of Machine Identities
TLS/SSL certificates for public-facing websites and services are the most often cited use case for PKI credentials (81% of respondents). Private networks and VPN applications came in second (67%, up from 60% in 2020) and email security was third (55%, up from 51% in 2020), overtaking last year’s second and third positions of public cloud applications and enterprise user authentication. This change highlights the shifting focus on ensuring remote workers and distributed IT workloads can be kept secure.
The research also revealed that the average number of certificates organisations issue or acquire is still on the rise, up 4.3% from 56,192 in 2020 to 58,639 this year (and up 50% since 2019). While the number of human identities being secured has been relatively flat over the past few years, there are now more machine identities (devices and workflows) than human ones. This growth in machine identities is primarily driven by the growing use of IoT, cloud services and new applications.
Regardless of the reason for the growth, the more certificates an organisation needs to manage, the more critical proper management becomes. With one in five (20%) of respondents stating they use a manual certificate revocation list and nearly a third (32%) admitting they have no certificate revocation technique, these organisations risk being vulnerable to attacks and facing outages to critical systems and the consequent business disruption and cost that comes with that.
“PKI has never been in such high demand – whether from the pressure of securing a remote or hybrid workforce this past year, or the continued growth of IoT and cloud-based services.” said John Metzger, vice president of product marketing, digital security at Entrust. “At the same time, the skills and resources required to deploy and manage PKI continue to be in short supply – an issue exacerbated by lack of clear organisational ownership over PKI deployments. To deal with this complexity, organisations need a strategy first and products second to support this transformation. This means that they need a partner like Entrust who not only has the technological capabilities, but the heritage and expertise to help succeed in this environment.”