Organizations struggle to attain PKI maturity

Public key infrastructure (PKI) remains the cornerstone of nearly every IT security environment in the Middle East, but even as the technology matures, new use cases, and rising compliance mandates are adding new challenges to infosec (information security) professionals charged with managing PKI implementations. This is a key theme that comes out of the 2022 Global PKI and IoT Trends Study, conducted by the Ponemon Institute, and sponsored by Entrust, a global leader in trusted payments, identities and digital infrastructure.

The study found that while the top use cases for PKI are still of the traditional variety, such as TLS/SSL, securing VPN and private networks, and digital signing, it’s the regulatory landscape and newer use cases – such as cloud-based services and IoT – that are driving the adoption of PKI. As a case in point, 34% of respondents in the Middle East expressed a rising demand amongst IT security teams for PKI driven by the regulatory environment – while BYOD (bring your own device), and internal device management was ranked at 17% in 2022.

However, many organizations continue to struggle with applying the resources needed to effectively manage their PKI implementations, with 85% of respondents in the Middle East citing insufficient resources, 51% citing lack of skills, and 61% struggling with no clear ownership as the top three challenges to enabling applications to use PKI. Highlighting the need for resources, nearly half (42%) of the Middle Eastern respondents identified a ‘lack of visibility of the application that will depend on PKI’.

Challenges and opportunities
When it comes to existing PKI implementations, the top challenge continued to be the ability to support new applications as cited by 37% of Middle Eastern respondents this year – as well as lack of visibility into the security capabilities of existing PKI at 25%. The fact that organizations might not have the right technology in place to secure these new use cases or might not know if their PKI is capable of it, is concerning though perhaps not surprising, considering only 31% of Middle East organizations said they have a PKI specialist on staff.

“The top three challenges in deploying and managing PKI have remained fairly consistent over the years of conducting this research,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “But looking at some of the trends over time, it paints a picture of a landscape that continues to recognize the importance of PKI, but constantly evolving use cases and compliance requirements means that organizations find themselves running to stand still. The lack of skilled and experienced staff to help alleviate this pressure is clearly being increasingly felt, as is the lack of clear ownership across stubbornly siloed business structures for many.”

New enterprise applications driving change and uncertainty
As organizations plan the evolution of their PKI, new applications such as IoT devices and external mandates and standards continue to drive the most change and uncertainty, but change drivers are diversifying. For example:

  • IoT was the top ranked change driver, cited by 37% of respondents from the Middle East, rising from being the second change driver at 28% in 2021 in the region.
  • Similarly, external mandates and standards were cited as a top change driver by 27% of Middle Eastern respondents that said external mandates and standards will drive change, but this is down from 30% in 2021.

Enterprise applications are the rising PKI change agent. While ranked fourth amongst Middle Eastern respondents, enterprise applications were cited by 25% of respondents in the 2022 survey.

The role of IoT
With IoT highlighted as a primary trend and the top agent for change, it’s not surprising that ability to sign firmware to IoT has come to be the most important PKI capability for IoT employments. The ability to sign firmware for IoT devices has increased to 49% in 2022 – highlighting the critical need to ensure security and trust in these connected devices.

The question then becomes how PKI will be used to support IoT device credentialing. According to those surveyed, in the next two years, an average of 42% of IoT devices in use across the Middle East will rely primarily on digital certificates for identification and authentication. Just over a third (39%) of respondents believe that as the IoT continues to grow, supporting PKI deployments for IoT device credentialing will be a combination of cloud-based and enterprise-based, with enterprise-based PKI deployments still leading the trend according to 42% of Middle Eastern respondents.

“What we’re seeing is that securing cloud applications and IoT are top of mind for organizations in the Middle East as they continue to expand their digital infrastructure and transform their IT infrastructures” said Hamid Qureshi, Regional Sales Director, Middle East and Africa at Entrust. “Yet, while organizations are approaching the implementation of new cases through IoT among other paths, the lack of clear ownership internally, as well as the unfilled positions of PKI specialists, is putting a hurdle in the deployments of important security strategies. Cybersecurity is still a top threat to organizations and with an increasing use of multi-cloud environments and numerous enterprise-based solutions, the need to advance these protection strategies has to be the biggest priority for businesses in our region.”