2024 Global PKI, IoT and Post Quantum Cryptography Study

Public Key Infrastructure (PKI) is considered essential to keeping people, systems and things securely connected. According to this research, organizations working toward PKI maturity need to address the challenges of establishing clear ownership of the PKI strategy and of having sufficient skills.

The 2024 Global PKI, IoT and Post Quantum Cryptography research is part of a larger study — sponsored by Entrust — published in May involving 4,052 respondents in 9 countries. In this report, Ponemon Institute presents the findings based on a survey of 2,176 IT and IT security practitioners who are involved in their organizations’ enterprise PKI in the following 9 countries: United States (409 respondents), United Kingdom (289 respondents), Canada (245 respondents), Germany (309 respondents), Saudi (Middle East) (162 respondents), United Arab Emirates (UAE) (203 respondents), Australia/NZ (156 respondents), Japan (168 respondents) and Singapore (235 respondents).

“With the rise of costly breaches and AI-generated deepfakes, synthetic identity fraud, ransomware gangs, and cyber warfare, the threat landscape is intensifying at an alarming rate,” said Samantha Mabey, Director Solutions Marketing at Entrust. “This means that implementing a Zero Trust security practice is an urgent business imperative – and the security of organizations’ and their customers’ data, networks, and identities depends on it.”

The following is a summary of the most important takeaways from the research:

Orchestration of PKI software is reported by 50 percent of respondents, up from 42 percent. However, 59 percent of respondents say orchestration is very or extremely complex, up from 43 percent.

Responsibility for the PKI strategy is being assigned to IT security and IT leaders. As PKI becomes increasingly critical to an organization’s security posture, the CISO and CIO are most responsible for their organization’s PKI strategy. The share of respondents naming the IT manager as most responsible for the PKI strategy has declined from 26 percent to 14 percent.

Fifty-two percent of respondents say they have PKI specialists on staff who are involved in their organizations’ enterprise PKI. Of the 48 percent of respondents whose organizations do not have PKI specialists, 45 percent rely on consultants and 55 percent on service providers.

A certificate authority (CA) provides assurance about the parties identified in a PKI certificate, and each CA maintains its own root CA for its exclusive use. The most popular methods for deploying enterprise PKI continue to be an internal corporate CA or an externally hosted private CA offered as a managed service, according to 60 percent and 47 percent of respondents, respectively.

No clear ownership, insufficient skills, and requirements that are too fragmented or inconsistent are the top three challenges to enabling applications to use PKI. No clear ownership remains the top challenge to deploying and managing PKI, cited by 51 percent of respondents, followed by insufficient skills (43 percent of respondents) and requirements that are too fragmented or inconsistent (43 percent of respondents).

Challenges that have declined significantly include lack of resources (from 64 percent to 41 percent of respondents) and lack of visibility into the applications that will depend on PKI (from 48 percent to 33 percent of respondents).

As organizations strive to achieve greater PKI maturity, they anticipate the most change and uncertainty in PKI technologies and with vendors. Forty-three percent of respondents expect the most change in PKI technologies, and 41 percent expect it in vendors’ products and services.

Cloud-based services continue to be the number one trend driving the deployment of applications using PKI (46 percent of respondents). However, the share of respondents who say IoT is the most important trend driving the deployment of applications using PKI has declined from 47 percent to 39 percent. BYOD and internal mobile device management has increased significantly, from 24 percent to 34 percent of respondents.

More organizations are deploying certificate revocation techniques. In addition to verifying the CA’s signature on a certificate, the application software must also confirm that the certificate is still trustworthy at the time of use; certificates that are no longer trustworthy must be revoked by the CA. The share of organizations that do not deploy any certificate revocation technique has declined significantly, from 32 percent to 13 percent.

The revocation technique most often deployed continues to be the Online Certificate Status Protocol (OCSP), cited by 45 percent of respondents. For the first time, a manually maintained certificate revocation list (CRL) is the second most often deployed technique.
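As an added illustration (not code from the Ponemon report or from Entrust), the following Go program uses only the standard library to build a constructed root CA, issue two leaf certificates, publish a CRL that revokes one of them, and then perform the time-of-use check described above: the verifier relies on the CRL only after checking the CA’s signature on it and its NextUpdate, and only then looks up the serial number. All names and hostnames are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue makes a P-256 cert signed by parent; with parent == nil it is a self-signed root CA that may sign certs and CRLs.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed test data, so creation errors are ignored
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed: the template is its own issuer and signs with its own key
		t.IsCA, t.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// isRevoked trusts the CRL only if the CA signed it and it is not past NextUpdate; skipping either check would let a forged or stale list be replayed.
func isRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return false, err }
	if err = crl.CheckSignatureFrom(ca); err != nil { return false, err }
	if time.Now().After(crl.NextUpdate) { return false, errors.New("CRL is past NextUpdate; fetch a fresh one before deciding") }
	for _, e := range crl.RevokedCertificates { // deprecated field name, but still populated by the parser
		if e.SerialNumber.Cmp(serial) == 0 { return true, nil }
	}
	return false, nil
}

// scenario: the CA issues two leaf certs, revokes one and publishes a one-hour CRL; returns (revoked cert flagged?, valid cert flagged?, error).
func scenario() (bool, bool, error) {
	ca, caKey := issue("Constructed Root CA", 1, nil, nil)
	good, _ := issue("svc-a.example.test", 2, ca, caKey)
	bad, _ := issue("svc-b.example.test", 3, ca, caKey)
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bad.SerialNumber, RevocationTime: time.Now()}}}
	crlDER, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	r1, e1 := isRevoked(crlDER, ca, bad.SerialNumber)
	r2, e2 := isRevoked(crlDER, ca, good.SerialNumber)
	return r1, r2, errors.Join(err, e1, e2)
}
```

A production verifier would additionally fetch the CRL from the certificate’s distribution point (or query OCSP) and cache it no longer than its NextUpdate.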

Smart cards for CA/root key protection are used to manage the private keys of root, policy and issuing CAs by 41 percent of respondents. Thirty-one percent of respondents say removable media is used for CA/root keys.

Organizations’ primary root CA strategies have shifted significantly since 2021. A root certificate is a public key certificate that identifies a root certificate authority (CA). Both offline self-managed and offline externally hosted root CAs increased to 29 percent of respondents. Online self-managed decreased from 31 percent to 25 percent of respondents, and online externally hosted decreased from 21 percent to 17 percent of respondents.

Organizations with internal CAs use an average of 6.5 separate CAs, managing an average of 31,299 internal or externally acquired certificates. An average of 9.5 distinct applications, such as email and network authentication, are managed by an organization’s PKI. Both the number and the nature of the applications that depend on the PKI indicate that it is a strategic part of the core enterprise IT backbone.

Conflict with other applications using the same PKI is becoming a bigger challenge to enabling applications to use it. While the number one challenge remains not having sufficient skills, that has decreased from 43 percent to 37 percent of respondents.

Common Criteria Evaluation Assurance Level 4+ and Federal Information Processing Standards (FIPS) 140-2 Level 3 continue to be the most important security certifications when deploying PKI infrastructure and PKI-based applications. Fifty-seven percent of respondents say Common Criteria EAL 4+ is the most important security certification when deploying PKI. Evaluation at this level includes a comprehensive security assessment encompassing design, testing and code review.

Fifty-five percent say FIPS 140-2 Level 3 is an important certification when deploying PKI. In the US, FIPS 140 is the standard NIST cites in its definition of a “cryptographic module”; it is mandatory for most US federal government applications and a best practice in all PKI implementations.

SSL certificates for public-facing websites and services remain the application most often using PKI credentials, cited by 64 percent of respondents, but their share has declined since 2022. Mobile device authentication and private cloud-based applications have increased as applications using PKI credentials (60 percent and 56 percent of respondents, respectively).

Scalability to millions of managed certificates continues to be the most important PKI capability for IoT deployments, with support for Elliptic Curve Cryptography (ECC) the second most important. ECC is an alternative to RSA and is considered a powerful cryptographic approach: its public/private key pairs derive their security from the mathematics of elliptic curves.

Today and in the next 12 months, the most important IoT security capabilities are delivering patches and updates to devices and monitoring device behavior. Device authentication will become more important in the next 12 months.

Post Quantum Cryptography

For the first time, this 2024 global study features organizations’ approach to achieving migration to Post Quantum Cryptography (PQC). As defined in the research, quantum computing is a rapidly emerging technology that harnesses the laws of quantum mechanics to solve problems too complex for classical computers.

Sixty-one percent of respondents plan to migrate to PQC within the next five years. The most popular path to PQC is implementation of pure PQC (36 percent of respondents), followed by a hybrid approach combining traditional cryptography with PQC (31 percent of respondents) and testing PQC with the organization’s systems and applications (26 percent of respondents).

Many organizations are not prepared to achieve migration because of the lack of visibility and not having the right technologies. Only 45 percent of respondents say their organizations have full visibility into their cryptographic estate and 50 percent of respondents say they have the right technology to support the larger key lengths and computing power required with PQC.

To prepare for migration, organizations need to know what cryptographic assets and algorithms they have and where they reside. It is important to know data flows and where the organization’s long-lived sensitive data that must remain confidential resides. Full visibility requires a complete and clear inventory of all cryptographic assets (keys, certificates, secrets and algorithms across the environment) and of what each one secures.

Organizations are slow to prepare for the post-quantum threat. The quantum threat, sometimes referred to as “post quantum”, is the inevitability that within the decade a quantum computer will be capable of breaking traditional public key cryptography. Experts surveyed by the Global Risk Institute predict quantum computing will compromise cybersecurity as early as 2027.

Most respondents are not preparing for the post-quantum threat. Twenty-seven percent of respondents say their organizations have not yet considered the impact of the threat, 23 percent are aware of the potential impact but haven’t started to create a strategy and 9 percent are unsure if their organizations are preparing for the post-quantum threat.

To prepare for the post-quantum threat, 44 percent of respondents say their organizations are building a post-quantum cryptography strategy. Although it is recommended as a best practice, only 38 percent of respondents say their organization is taking an inventory of its cryptographic assets and/or ensuring it is crypto agile. Crypto agility is the capacity for an information security system to adopt an alternative to the original encryption method or cryptographic primitive without significant change to system infrastructure.

To protect against the post-quantum threat, organizations need an inventory of their cryptographic assets and a fully crypto agile approach so they can easily transition from one algorithm to another. Improving the ability to keep a complete inventory of cryptographic assets (43 percent of respondents) and to achieve crypto agility (40 percent of respondents) are the top two concerns.

Crypto agility, as defined above, is critical to the migration to PQC. Only 28 percent of respondents say their organizations have a fully implemented crypto agile approach.

To read more key findings and the full report, please visit Entrust.com’s website.
