nCipher Security Blog

The bedrock of IT security: what’s next for PKI

John Grimm | Vice President Strategy and Business Development More About This Author >

Fall has arrived in the US northeast, and with it comes beautiful foliage, pumpkin spice lattes, apple crisp, cool nights and moderate days – what’s not to love! Another sign of fall is the arrival of the annual Global PKI and IoT Trends Study from the Ponemon Institute – and although hard pressed to match the visceral appeal of the other fall arrivals, it is nonetheless a barometer for the impact of this underappreciated and critically important technology.

Like the foundation of a house or the hull of a ship, PKI technology, processes and personnel are the bedrock of IT security – and their impact continues to expand. As this study hits the streets, I wanted to take a couple minutes and highlight some of the most interesting findings, and how they can help guide your forward PKI strategy.

The headliner of this research is undoubtedly a significant spike in the use of PKI credentials for two specific use cases: public cloud-based applications and enterprise user authentication. In a survey of this size (almost 2000 respondents from 17 countries/regions), it is rare to see year-over-year changes of 10% or higher. These two use cases left even that number way in the dust, with PKI use for public cloud applications growing 27% over 2019, and use for enterprise user authentication growing 19% over 2019. On top of that, consider that the research was performed just before COVID-19 took hold. We all know how secure remote access has never been more important as the WFH era moved to the forefront.

The bedrock of IT security: what’s next for PKI

Another finding of the study that is particularly striking is the challenges that organizations face in enabling their applications to use PKI. I mentioned two top use cases for PKI above, but the study tracks a slew of additional ones. The number one challenge to enabling the PKI to support those applications is that responsible teams lack the knowledge and visibility to the security capabilities of the PKI. Think about this for a minute: enterprises are opening the floodgates to increase their PKI use for their most important applications, while still not fully understanding if the PKI is fit for purpose from a security perspective. Certainly a tenuous position from a risk management standpoint. It’s hard to rework the foundation once you’ve built the house.

But it also appears that organizations are adjusting and adapting their PKI approach. PKI, although an on-premise data center stalwart application, is actually getting a little cloudier. While on-premise, internal certificate authorities (CAs) remain the top deployment model for PKI, particularly among the most security-conscious industries, organizations are increasingly augmenting them with external CA managed services. And when you look at the knowledge/visibility challenge described above, you start to see the reason. Lacking internal expertise, turning to reputable certified external CA services providers is a fast path to PKI security best practices that proven elusive to many an IT security group for years. More robust choices are available than ever before, and the “to do it right, I have to do it myself” adage is becoming a thing of the past.

This study also looks into the IoT, which happens to be the fastest growing trend driving PKI deployment. Although there is evidence suggesting that IoT projects took some hits this year due to disruption from COVID-19, two notable trends emerged. One is that discovery of connected devices has shifted to be the most important IoT security capability in 2020. That’s a good sign of embracing the fundamentals – you can’t secure or manage it if you don’t know it’s there. And time has proven over and over that even the most innocuous connected device like a coffee pot can be your downfall – with the attacker using it simply as a network entry point while going after more lucrative resources. The other more ominous finding is that many simply aren’t prioritizing security mechanisms that address their top threats. Respondents indicate that the top IoT threat is altering the function of a device (for example, by loading malware), but bewilderingly, rank secure delivery of patches and updates to IoT devices – the mechanism that directly addresses that threat – dead last when ranking important IoT security capabilities. Another sign of the still-developing IoT security landscape.

But we saw some good signs too. Organizations are putting high value on Common Criteria and FIPS evaluation for their PKI. Hardware security module (HSM) use remains strong for the most important components of a PKI: the root CA and online issuing CAs. More are using multi-factor authentication for PKI administrators, and the highly vulnerable password-only protected PKI is becoming increasingly scarce. It does look like there are some challenges brewing with certificate revocation, which is notable particularly with the large rise in overall certificate volumes seen in the study (43% higher in 2020 than 2019). There is no doubting that certificate lifecycle management including revocation is, and will be, a critical capability for years to come.

The 2020 Global PKI and IoT Trends Study is full of additional detail, including some revealing splits about encryption trends by country and by industry. To download the study, click here. Questions or comments? You can find me on Twitter @johnrgrimm