An international study of PKI trends suggests that respondents were struggling to reduce credential management risks because of various impediments.

In a January 2022 survey across 17 countries and 2,505 respondents (certified IT professionals) handling Public Key Infrastructure (PKI), data showed that their organizations were struggling to manage implementations to keep up with the fast pace of change and risk management in the digital security landscape.

The data suggests that while the top PKI use cases for respondents globally were still the traditional ones (TLS/SSL, securing VPN and private networks, and digital signing), adoption was being driven by the regulatory landscape and by newer applications such as cloud-based services and IoT.

In South-east Asia, respondents indicated that organizations continued to struggle to apply the resources needed to manage PKI implementations effectively. The top two challenges to enabling PKI in applications were lack of clear ownership (67%) and insufficient skills (60%). Next came “insufficient resources” and “commercial solutions that were too complicated or too expensive”, both at 53%.

Other findings

The IT security teams surveyed across the world reported rising demand for PKI driven by the regulatory environment — a 7% increase over a previous year’s survey. PKI adoption rates increased by 13% in respondents managing Bring Your Own Device policies and securing internal devices. Also:
    • 30% of South-east Asian respondents cited the “lack of visibility into the security capabilities of existing PKI” as a top challenge, followed by the lack of ability to support new applications (29%) and to change existing apps (29%).
    • 44% of respondents indicated they had a PKI specialist on staff.
    • 29% of respondents ranked PKI technologies as a top factor that can drive change and uncertainty. Second-ranked were enterprise applications, cited as another top change driver by 27% of respondents. Finally, 26% ranked “external mandates and standards, as well as new applications such as IoT devices” as the third driver of possible change and uncertainty.
    • 54% of South-east Asia respondents cited “scalability to millions of managed certificates” as the most important PKI capability for IoT deployments. In second place was “support for Elliptic Curve Cryptography”, cited by 45% of SEA respondents.
    • 37% of South-east Asia respondents indicated their belief that, in the next two years, IoT devices in use will rely primarily on digital certificates for identification and authentication. Also, 40% believed that as IoT adoption continues to grow, supporting PKI deployments for IoT device credentialing will be a combination of cloud-based and enterprise-based processes.
    • Constantly evolving use cases and compliance requirements may cause respondents and their organizations to find themselves “running to stand still”. The lack of skilled and experienced staff to help alleviate this pressure was being increasingly felt, as was the lack of clear ownership across stubbornly siloed business structures for many respondents.

According to James Cook, Vice President (Digital Security Solutions, Asia Pacific and Japan), Entrust, which sponsored the survey: “Securing cloud applications and IoT are top of mind for organizations (in the survey): these are things that have significantly changed the digital security landscape by moving security outside the four walls of an organization. But when we see that new applications like IoT are also among the top areas expecting the most change and uncertainty, (it may mean) organizations haven’t quite figured that area out just yet. Another area expecting change and uncertainty is external mandates and standards.”

Cook noted that cybersecurity in general (not just IoT) was being evaluated (by respondents) at all levels across the globe, and those mandates can be difficult to navigate, especially without the right skills and resources internally. “This will only continue to become challenging with future threats like post-quantum, where the transition will be very involved and take several years,” he said.