New research from nCipher Security, an Entrust Datacard company, showed that IoT is one of the fastest growing trends in technology, despite enterprises leaving themselves vulnerable to dangerous cyberattacks by failing to prioritize PKI security.
The 2019 Global PKI and IoT Trends Study, conducted by research firm the Ponemon Institute and sponsored by nCipher Security, is based on feedback from more than 1,800 IT security practitioners in 14 countries/regions. The study found that IoT is the fastest-growing trend driving public key infrastructure (PKI) application deployment – with 20 percent growth over the past five years.
Respondents cited concerns about several IoT security threats, including altering the function of IoT devices through malware or other attacks (68 percent) and remote control of a device by an unauthorized user (54 percent). However, respondents rated delivering patches and updates to IoT devices, the capability that protects against that top threat, last on a list of the five most important IoT security capabilities.
The study also found that in the next two years an average of 42 percent of IoT devices will rely primarily on digital certificates for identification and authentication. But encryption for IoT devices, and for IoT platforms and IoT data repositories, is at 28 percent and 25 percent respectively, according to nCipher’s 2019 Global Encryption Trends Study.
PKI is at the core of the IT infrastructure for many organizations, enabling security for critical digital initiatives such as cloud, mobile device deployment, and IoT.
Most respondents use PKI extensively in their organizations, for SSL/TLS certificates (79 percent), private networks and VPNs (69 percent), and public cloud-based applications and services (55 percent). Yet more than half (56 percent) believe PKI is incapable of supporting new applications. In addition, many respondents see significant technical and organizational barriers to PKI usage, including an inability to change legacy applications (46 percent), insufficient skills (45 percent) and resources (38 percent).
Nearly a third (30 percent) of organizations – an especially jarring share considering the implications – are not using any certificate revocation techniques. More than two-thirds (68 percent) cite “no clear ownership” as their top PKI challenge.
PKI changes due to external mandates continue to decline, but changes due to new applications continue to increase. Thirty-nine percent of respondents say the biggest change will be external mandates and standards (a significant decline from 56 percent of respondents in 2015) and 40 percent of respondents say new applications such as the Internet of Things will drive change (an increase from 14 percent of respondents in 2015). The influence of PKI technologies and enterprise applications also decreased significantly since 2015.
IoT is becoming a major driver for the use of PKI. There is growing recognition that PKI provides important core authentication technology for the IoT. Since 2015, respondents who say IoT is the most important trend driving the deployment of applications using PKI has increased significantly from 21 percent of respondents to 41 percent in 2019.
In contrast, cloud-based services as an influence in the deployment of applications that make use of PKI decreased from 64 percent of respondents in 2015 to 49 percent of respondents in this year’s research. This should define the challenges facing PKI vendors and administrators alike as they adapt the technology to these new realities.
In the next two years, an average of 42 percent of IoT devices in use will rely primarily on digital certificates for identification and authentication. Forty-four percent of respondents believe that as the IoT continues to grow supporting PKI deployments for IoT device credentialing will be a combination of cloud-based and enterprise-based.
Altering the function of an IoT device is the most signi cant threat to IoT deployments. When rating the top IoT threats, 68 percent of respondents chose altering the function of a device (e.g., by loading malware), followed by controlling the device remotely (54 percent). The threat of use of an IoT device as a network entry point, as well as capturing data from an IoT device, each were rated as top threats by 39 percent of respondents.
Protecting confidentiality and integrity of device data is the most important IoT security capability. Out of five IoT security capabilities, respondents rated protection of the confidentiality and integrity of device data as the most important, followed by device authentication, monitoring device behavior, device discovery, and delivery of patches and updates to devices.
But, some enterprises are applying more rigor to PKI security in certain areas. The share of respondents using “password only” for Certificate Authority administrators has dropped 6 percent from 2018 to 24 percent this year. 42 percent of respondents said that they are using hardware security modules (HSMs) to manage private keys.
The report also found that HSM use as an IoT root of trust jumped significantly over 2018 (from 10 percent to 22 percent). Despite a growing number of options for PKI deployment (cloud, managed and hosted), internal corporate Certificate Authorities (CAs) remain the most popular and have grown 19 percent over the past five years to 63 percent – with 80 percent of financial services organizations favoring this option.
Forty-four percent of respondents believe PKI deployments for IoT devices will consist of a combination of cloud-based and enterprise-based implementations. The most important PKI capabilities for IoT in 2019 are scalability to millions of certificates (46 percent) and online certificate revocation (37 percent).
“The scale of IoT vulnerability is staggering – IDC recently forecasted that there will be 41.6B connected IoT devices by 2025, generating 79.4 zettabytes of data,” said John Grimm, senior director of strategy and business development at nCipher Security. “There is no point in collecting and analyzing IoT-generated data, and making business decisions based upon it, if we cannot trust the security of devices or their data. Building trust starts with prioritizing security practices that counter the top IoT threats, and ensuring authenticity and integrity throughout the IoT ecosystem.”
“PKI use is evolving as organizations address digital transformation across their enterprises. In addition to IoT, more than 40 percent of our respondents also cited cloud and mobile initiatives as driving PKI use,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Clearly, the rapid growth of the IoT is having a huge impact on the use of PKI, as organizations realize that PKI provides core authentication technology for connected devices. For organizations to gain full advantage of their digital initiatives, they must continue to improve the security maturity of their PKIs.”