Infrastructure crumbling

A lack of the skills and resources needed to secure and manage PKI credentials is leaving organisations "racing to reduce risk", as the threat landscape continues to grow

Public key infrastructure (PKI) remains the cornerstone of nearly every IT security environment, but, even as the technology matures, new use cases and rising compliance mandates are adding new challenges to infosec professionals charged with managing PKI implementations. This is a key theme that comes out of the 2022 Global PKI and IoT Trends Study, conducted by the Ponemon Institute and sponsored by Entrust, a global leader in trusted payments, identities and digital infrastructure.

The study found that, while the top use cases for PKI are still of the traditional variety, such as TLS/SSL, securing VPN and private networks, and digital signing, it is the regulatory landscape and newer use cases - such as cloud-based services and IoT - that are driving the adoption of PKI. As a case in point, IT security teams report rising demand for PKI driven by the regulatory environment - cited by 31% of respondents, up from 24% the previous year - and by BYOD and internal device management, which more than doubled from 11% in 2021 to 24% in 2022.

And yet organisations continue to struggle with applying the resources needed to effectively manage their PKI implementations, with 64% of respondents citing insufficient resources, lack of skills, and no clear ownership as the top three challenges to enabling applications to use PKI - rising from 51% in last year's survey. Highlighting the need for resources, nearly half (48%) identified a 'lack of visibility of the application that will depend on PKI', rising from 34% in 2021. Similarly, another jump came with 35% of respondents identifying requirements being too fragmented or inconsistent, up from 28% in 2021.

CHALLENGES AND OPPORTUNITIES
When it comes to existing PKI implementations, the top challenge continued to be the ability to support new applications - cited by 41% this year - as well as lack of visibility into the security capabilities of existing PKI at 29%. "The fact that organisations might not have the right technology in place to secure these new use cases, or might not know if their PKI is capable of it, is concerning, though perhaps not surprising, considering only 38% of organisations said they have a PKI specialist on staff," states the study.

"The top three challenges in deploying and managing PKI have remained fairly consistent over the years of conducting this research," says Dr Larry Ponemon, chairman and founder of the Ponemon Institute. "But looking at some of the trends over time, it paints a picture of a landscape that continues to recognise the importance of PKI, but constantly evolving use cases and compliance requirements mean that organisations find themselves running to stand still. The lack of skilled and experienced staff to help alleviate this pressure is clearly being increasingly felt, as is the lack of clear ownership across stubbornly siloed business structures for many."

DRIVING CHANGE AND UNCERTAINTY
As organisations plan the evolution of their PKI, new applications such as IoT devices, together with external mandates and standards, continue to drive the most change and uncertainty, but the change drivers are diversifying, according to the report. For example:

  • IoT was the top-ranked change driver, cited by 33% of respondents. But this total is a drop from 41% in 2021 and 52% in 2020.
  • External mandates and standards were cited as a top change driver by 30% of respondents, down from 37% in 2021 and 49% in 2020.
  • Enterprise applications are the rising PKI change agent. While ranked fifth, enterprise applications were cited by 23% of respondents in the 2022 survey - a steady increase from 11% of respondents in 2020 and 17% in 2021.

With IoT highlighted as a primary trend and the top agent for change, it is not surprising that scalability to millions of managed certificates continues to be the most important PKI capability for IoT deployments. While scalability is ranked as the most important capability, it has decreased in importance from 53% of respondents in 2018 to 39% of respondents in 2020. The ability to sign firmware for IoT devices has increased from 27% of respondents in 2021 to 33% in 2022 - highlighting the critical need to ensure security and trust in these connected devices.

The question then becomes how PKI will be used to support IoT device credentialing. According to those surveyed, in the next two years an average of 44% of IoT devices in use will rely primarily on digital certificates for identification and authentication. Just over a third (35%) of respondents believe that, as the IoT continues to grow, supporting PKI deployments for IoT device credentialling will be a combination of cloud-based and enterprise-based - again, down from the 42% figure in 2021.

TOPPING THE LIST
"What we're seeing is that securing cloud applications and IoT are top of mind for organisations - these are things that have significantly changed the digital security landscape by moving security outside the four walls of an organisation," says Samantha Mabey, product marketing director of PKI & IoT at Entrust. "But when we see that new applications like IoT are also the top areas expecting the most change and uncertainty, this suggests that, while they might be thinking about it, organisations haven't quite figured that area out just yet. Very much related, but arguably more important, the number two area expecting change and uncertainty is external mandates and standards. Not just IoT, but cybersecurity in general, is being evaluated at all levels across the globe and those mandates can be difficult to navigate, especially without the right skills and resources internally to do so. This will only continue to become challenging with future threats like post quantum, where the transition will be very involved and take several years." In a separate blog, she also highlights the following key issues:

  • There's still a resources issue. "For all 8 years, the top 3 challenges to deploying and managing have been the same: insufficient resources, insufficient skills, and no clear ownership. Without clear ownership or the internal expertise to manage their PKI, how confident are organisations in their security posture today, and how prepared are they for change in the future?"
  • IoT is top of mind - for many reasons. "IoT is the #2 driver for the deployment of PKI, but it's also the #1 area expecting the most change and uncertainty. What this tells us is, while organisations are thinking about this area, they haven't quite figured it out just yet."
  • Organisations are moving to the cloud - but is it at the cost of security? "The #1 driver for the deployment of PKI is cloud-based services. But in another area of the study, we see a slight decrease in the use of HSMs to secure keys [a known best practice], alongside a slight increase in the use of software key stores. Could this be because, as organisations are moving to the cloud, they're trusting cloud vendors with their security, rather than trusting their security with security experts?"