Organisations struggle to attain PKI maturity, Entrust study finds

A lack of the skills and resources needed to secure and manage PKI credentials leaves organisations racing to reduce risk as the threat landscape continues to grow via cloud and IoT


Public key infrastructure (PKI) remains the cornerstone of nearly every IT security environment, but even as the technology matures, new use cases and rising compliance mandates are adding new challenges for the infosec professionals charged with managing PKI implementations. This is a key theme of the 2022 Global PKI and IoT Trends Study, conducted by the Ponemon Institute and sponsored by Entrust, a global leader in trusted payments, identities and digital infrastructure.


The study found that while the top use cases for PKI globally are still of the traditional variety, such as TLS/SSL, securing VPNs and private networks, and digital signing, it is the regulatory landscape and newer use cases – such as cloud-based services and IoT – that are driving the adoption of PKI. As a case in point, IT security teams across the world report rising demand for PKI driven by the regulatory environment – cited by 31% of respondents, up from 24% the previous year – and by BYOD and internal device management, which more than doubled from 11% in 2021 to 24% in 2022.


And yet, in Australia, organisations continue to struggle to apply the resources needed to manage their PKI implementations effectively: 84% of respondents cite insufficient resources and 49% cite a lack of skills as the top challenges to enabling applications to use PKI.


Challenges and opportunities

When it comes to existing PKI implementations in Australia, the top challenge is the inability to change legacy applications – cited by 46% this year – followed by the inability to support new applications. The fact that organisations might not have the right technology in place to secure these new use cases, or might not know whether their PKI is capable of it, is concerning though perhaps not surprising, considering that only 21% of organisations said they have a PKI specialist on staff.


“The top challenges in deploying and managing PKI have remained fairly consistent over the years of conducting this research,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “But looking at some of the trends over time, it paints a picture of a landscape that continues to recognise the importance of PKI, but constantly evolving use cases and compliance requirements mean that organisations find themselves running to stand still. The lack of skilled and experienced staff to help alleviate this pressure is clearly being increasingly felt, as is the lack of clear ownership across stubbornly siloed business structures for many.”


New enterprise applications driving change and uncertainty

As organisations plan the evolution of their PKI, external mandates and standards (33%) and new applications such as IoT devices (32%) continue to drive the most change and uncertainty, but change drivers are diversifying. For example, PKI technologies (28%), enterprise applications (27%) and internal security policies (23%) are also important change drivers.


The role of IoT

With IoT highlighted as one of the top agents for change, it is not surprising that scalability to millions of managed certificates continues to be the most important PKI capability for IoT deployments. While scalability is ranked as the most important capability, at 56%, online revocation ranked second, at 55% – highlighting the critical need to ensure security and trust in these connected devices.


The question then becomes how PKI will be used to support IoT device credentialing. According to those surveyed, in the next two years an average of 42% of IoT devices in use will rely primarily on digital certificates for identification and authentication, and 48% of respondents believe that as the IoT continues to grow, PKI deployments supporting IoT device credentialing will be primarily cloud-based.


“What we’re seeing is that securing cloud applications and IoT are top of mind for organisations – these are things that have significantly changed the digital security landscape by moving security outside the four walls of an organisation,” said James Cook, Vice President, Digital Security Solutions, Asia Pacific and Japan, Entrust. “But when we see that new applications like IoT are among the top areas expecting the most change and uncertainty, this suggests that while they might be thinking about it, organisations haven’t quite figured that area out just yet. Very much related but arguably more important, another area expecting change and uncertainty is external mandates and standards. Not just IoT, but cybersecurity in general, is being evaluated at all levels across the globe, and those mandates can be difficult to navigate, especially without the right skills and resources internally to do so. This will only continue to become more challenging with future threats like post-quantum, where the transition will be very involved and take several years.”