2019 GLOBAL PKI AND IoT TRENDS STUDY

PART 1. INTRODUCTION
PART 2. KEY FINDINGS
  The influence of the IoT
  Trends in PKI maturity
  Trends in PKI challenges
  Global analysis
  PKI trends by industry
PART 3. METHODS
PART 4. LIMITATIONS
APPENDIX: DETAILED SURVEY RESULTS
Sponsored by nCipher Security, an Entrust Datacard company
Independently conducted by Ponemon Institute LLC
01 INTRODUCTION
PONEMON INSTITUTE IS PLEASED TO PRESENT THE FINDINGS OF THE 2019 GLOBAL PKI AND IoT TRENDS STUDY, SPONSORED BY NCIPHER SECURITY, AN ENTRUST DATACARD COMPANY. According to the findings, the rapid growth in the use of IoT devices¹ is having an impact on the use of PKI technologies, and there is a growing realization that PKI provides important core authentication technologies for the IoT.
This report summarizes the fifth annual results of a survey completed by 1,884 IT and IT security practitioners in the following 14 countries/regions: Australia, Brazil, France, Germany, Hong Kong and Taiwan, India, Japan, Mexico, the Middle East (Saudi Arabia and the United Arab Emirates), the Russian Federation, South Korea, Southeast Asia (Indonesia, Malaysia, Philippines, Thailand, and Vietnam), the United Kingdom, and the United States.
Figure 1 shows the primary practices organizations take to secure PKI and Certificate Authorities (CAs). Most companies represented in this study are using multifactor authentication for administrators (60 percent of respondents). However, dependency on passwords has declined from 30 percent of respondents to 24 percent of respondents. A related question revealed that the usage of Hardware Security Modules, most prevalent with offline root CAs and issuing CAs, increased slightly to 42 percent of respondents from 39 percent of respondents in 2018.
The report tabulates the responses to the survey and draws some limited conclusions as to how best practices are reflected in observed practices, and the influence of cloud computing, the Internet of Things, and other important industry trends.
This work is part of a larger study published in April 2019 involving 5,856 respondents in 14 countries/regions.² The purpose of this research is to better understand the use of PKI in organizations. All participants in this research are either involved in the management of their organizations’ enterprise PKI or in developing and/or managing applications that depend upon credentials controlled by their organizations’ PKI.
¹ Gartner predicts by 2020 there will be 20.4 billion IoT devices, of which 7.5 billion will be for business purposes and 12.8 billion will be for consumers.
² See: 2019 Global Encryption Trends Study (sponsored by nCipher), Ponemon Institute, April 2019.
[Figure 1. Practices used to secure PKI and Certificate Authorities. Bar chart by year (FY17, FY18, FY19) for: Multifactor authentication for administrators; Physical secure location; Formal security practices (documented); Offline root CAs; Passwords alone without a second factor; Isolated networks.]
02 KEY FINDINGS
IN THIS SECTION OF THE REPORT WE PROVIDE AN ANALYSIS OF THE GLOBAL RESULTS. The complete audited findings are presented in the Appendix of this report.
• The influence of the IoT
• Trends in PKI maturity
• Trends in PKI challenges
The influence of the IoT
PKI changes due to external mandates continue to decline, but changes due to new applications continue to increase. According to Figure 2, 39 percent of respondents say the biggest change will be external mandates and standards (a significant decline from 56 percent of respondents in 2015) and 40 percent of respondents say new applications such as the Internet of Things will drive change (a significant increase from 14 percent of respondents in 2015). The influence of PKI technologies and enterprise applications also decreased significantly since 2015.
[Figure 2. Areas expected to experience the most change and uncertainty. Consolidated view; two responses permitted. Bar chart by year (FY15 to FY19) for: New applications (e.g., Internet of Things); External mandates and standards; PKI technologies; Management expectations; Enterprise applications; Budget and resources; Internal security policies; Vendors (products and services); Other.]
IoT is becoming a major driver for the use of PKI. There is growing recognition that PKI provides important core authentication technology for the IoT. Since 2015, the share of respondents who say IoT is the most important trend driving the deployment of applications using PKI has increased significantly, from 21 percent to 41 percent in 2019. In contrast, cloud-based services as an influence on the deployment of applications that make use of PKI decreased from 64 percent of respondents in 2015 to 49 percent of respondents in this year’s research (Figure 3). This should define the challenges facing PKI vendors and administrators alike as they adapt the technology to these new realities.
[Figure 3. The most important trends driving the deployment of applications using PKI. Consolidated view; two responses permitted. Bar chart by year (FY15 to FY19) for: Cloud-based services; Consumer mobile; Internet of Things (IoT); Regulatory environment; Consumer-oriented mobile applications; BYOD and internal mobile device management; E-commerce; Cost savings; Risk management; Other.]
In the next two years, an average of 42 percent of IoT devices in use will rely primarily on digital certificates for identification and authentication. As shown in Figure 4, 44 percent of respondents believe that, as the IoT continues to grow, PKI deployments supporting IoT device credentialing will be a combination of cloud-based and enterprise-based.
Altering the function of an IoT device is the most significant threat to IoT deployments. When rating the top IoT threats, 68 percent of respondents chose altering the function of a device (e.g., by loading malware), followed by controlling the device remotely (54 percent). The use of an IoT device as a network entry point, and capturing data from an IoT device, were each rated as top threats by 39 percent of respondents.
Protecting confidentiality and integrity of device data is the most important IoT security capability today. Out of five IoT security capabilities, respondents rated protection of the confidentiality and integrity of device data as the most important, followed by device authentication, monitoring device behavior, device discovery, and delivery of patches and updates to devices.
[Figure 4. What models will be used for PKI deployments supporting IoT device credentialing? Consolidated view. Bar chart by year (FY17, FY18, FY19) for: Combination of cloud-based and enterprise-based; Primarily enterprise-based; Primarily cloud-based.]
Trends in PKI maturity
According to Figure 5, the certificate revocation technique most often deployed continues to be online certificate status protocol (OCSP), according to 58 percent of respondents (an increase from 46 percent of respondents since the 2015 study). The next most popular technique is the use of automated certificate revocation list (CRL) (44 percent of respondents).
Similar to last year, 30 percent of respondents say they do not deploy a certificate revocation technique. There are many possible explanations for this high percentage – use of alternate means to remove users/devices, use of short lifespan certificates, closed systems, etc.
[Figure 5. The certificate revocation techniques used in enterprises. Consolidated view; more than one response permitted. Bar chart by year (FY15 to FY19) for: Online Certificate Status Protocol (OCSP); Automated CRL; None; Manual certificate revocation list (CRL); Validation Authority; Others; Unsure.]
Hardware security modules (HSMs) are the most common method used to manage the private keys for root/policy/issuing CAs, as shown in Figure 6. Twenty-six percent of respondents say smart cards are used. A related question revealed that almost half of respondents (45 percent) say they have PKI specialists on staff.
Among the 42 percent of organizations in this study that use HSMs to secure PKI, HSMs are used across the entire architecture of the PKI, as shown in Figure 7. As an example of best practice, NIST calls to “Ensure that Cryptographic modules for CAs, Key Recovery Servers, and OCSP responders are hardware modules validated as meeting FIPS 140-2 Level 3 or higher” (NIST Special Publication 800-57 Part 3). Yet only 11 percent of our respondents indicate the presence of HSMs in their OCSP installations. This is a significant gap between best practices and observed practices.
[Figure 6. How do you manage the private keys for your root/policy/issuing CAs? Bar chart by year (FY16 to FY19) for: Hardware security modules (HSMs); Smart cards (for CA/root key protection); Removable media for CA/root keys; Other.]
[Figure 7. Where HSMs are deployed to secure PKI. Consolidated view; more than one response permitted. Bar chart by year (FY15 to FY19) for: Offline root; Issuing CA; Online root; Policy CA; Registration Authority; OCSP responder; Validation Authority.]
It is often difficult for applications to use PKI. As shown in Figure 8, the most significant challenge organizations will continue to face, with respect to enabling applications to use PKI, is the inability of an existing PKI to support new applications, according to 56 percent of respondents. However, this has declined from 63 percent of respondents in 2015. This finding could be based on respondents’ concerns about a dearth of resources and expertise.
[Figure 8. The challenges to enable applications to utilize PKI. Consolidated view; four responses permitted. Bar chart by year (FY15 to FY19) for: Existing PKI is incapable of supporting new applications; No ability to change legacy apps; Insufficient skills; Insufficient resources; Lack of visibility of the security capabilities of existing PKI; Too much change or uncertainty; Lack of clear understanding of requirements; No pre-existing PKI; Conflict with other apps using the same PKI; Requirements are too fragmented or inconsistent; Specific operational issues (such as revocation and performance) are hard to resolve; Lack of advisory support; Other.]
Other challenges to enabling applications include: no ability to change legacy apps (46 percent of respondents), and insufficient skills and resources (45 percent and 38 percent of respondents, respectively). The challenge of lack of visibility of the security capabilities of existing PKI, increased from 19 percent of respondents in 2015 to 36 percent of respondents in 2019.
Trends in PKI challenges
Organizations with internal CAs use an average of eight separate issuing CAs, managing an average of 38,631 internally issued or externally acquired certificates. As shown in Figure 9, an organization’s PKI supports an average of eight distinct applications, such as email and network authentication. Both the number of applications that depend upon the PKI and their nature indicate that the PKI is a strategic part of the core IT backbone.
[Figure 9. How many distinct applications does your PKI manage certificates on behalf of? Consolidated view; extrapolated value is 8.52 distinct applications. Bar chart (FY19) over the bands: 1 or 2; 3 or 4; 5 or 6; 7 or 8; 9 or 10; 11 or 12; 13 or 14; 15 or more.]
The main PKI deployment challenge continues to be the lack of clear ownership of the PKI function. As shown in Figure 10, 68 percent of respondents believe there is no one function responsible for managing PKI. This is not in line with best practices, which assume as a baseline a sufficient degree of staffing and competency to define and maintain the processes and procedures on which a modern PKI depends.
Other deployment problems include: insufficient resources (49 percent of respondents), insufficient skills (47 percent of respondents) and too much change or uncertainty (38 percent of respondents).
[Figure 10. The main challenges deploying and managing PKI. Consolidated view; four responses permitted. Bar chart by year (FY15 to FY19) for: No clear ownership; Insufficient resources; Insufficient skills; Too much change or uncertainty; Necessary performance and reliability is hard to achieve; Lack of clear understanding of the requirements; Lack of visibility of the applications that will depend on PKI; Commercial solutions are too complicated or too expensive; Requirements are too fragmented or inconsistent; No suitable products or technologies available; Too hard to transition from current approach to a new system; Lack of advisory services and support; Other.]
Common Criteria EAL Level 4+ is the most important security certification when deploying PKI infrastructure and PKI-based applications. According to Figure 11, 64 percent of respondents say Common Criteria is most important when deploying PKI, followed by 60 percent who say FIPS 140. Twenty-five percent say regional standards such as digital signature laws (a decrease from 31 percent in 2015). In the U.S., FIPS 140 is the standard called out by NIST in its definition of a “cryptographic module”; it is mandatory for most U.S. federal government applications and a best practice in all PKI implementations.
[Figure 11. Security certifications important when deploying PKI infrastructure. Consolidated view; more than one response permitted. Bar chart by year (FY15 to FY19) for: Common Criteria EAL Level 4+; FIPS 140-2 Level 3; Regional standards such as digital signature laws; Regional certifications for use by government; None of the above (certification is not an important factor); Other.]
Private networks and VPN, and cloud-based applications and services, significantly increase the use of PKI credentials. According to Figure 12, 79 percent of respondents say the application most often using PKI credentials is SSL certificates for public-facing websites and services, although this finding decreased from 84 percent of respondents in last year’s research. Other applications and services primarily using PKI credentials are private networks and VPN (69 percent of respondents), public cloud-based applications and services (55 percent of respondents), email security (54 percent of respondents) and enterprise user authentication (51 percent of respondents). These are the basic building blocks of the modern enterprise IT system, and digital certificates have become, much like storage, a commodity component of the system rather than an exotic add-on.
[Figure 12. What applications use PKI credentials in organizations? Consolidated view; more than one response permitted. Bar chart by year (FY15 to FY19) for: SSL certificates for public-facing websites and services; Private networks and VPN; Public cloud-based applications and services; Email security; Enterprise user authentication; Device authentication; Private cloud-based applications; Document/message signing; Code signing; None of the above; Other.]
What are the most popular methods for deploying enterprise PKI? The most cited method for deploying enterprise PKI, according to Figure 13, is through an internal corporate certificate authority (CA) or an externally hosted private CA – managed service, according to 63 percent and 43 percent of respondents, respectively.
The percentage of respondents who say their companies use externally hosted private CAs declined since 2015 (48 percent vs. 43 percent). Since 2015, more companies have deployed PKI using a private CA running within a public cloud, an increase from 9 percent to 22 percent of respondents.
[Figure 13. How is PKI deployed? Consolidated view; more than one response permitted. Bar chart by year (FY15 to FY19) for: Internal corporate certificate authority (CA); Externally hosted private CA – managed service; Public CA service; Private CA running within a public cloud; Business partner provided service; Government provided service; Other.]
Global analysis
Figure 14 shows how PKI is deployed within respondents’ organizations. German, U.S., Japanese and Korean respondents are most likely to choose an internal corporate certificate authority. In contrast, Korean, Middle East, and Hong Kong & Taiwan respondents are most likely to choose externally hosted private certificate authorities as a managed service.
When asked about the revocation techniques deployed, 30 percent of respondents said none. As shown in Figure 15, of those respondents who say their organizations use a certificate revocation technique, German, Brazilian and Japanese respondents are most likely to use online certificate status protocol (OCSP). Russian Federation, German and U.S. organizations are most likely to use automated CRLs.
As noted above, this implies a true chasm between operational best practices and observed practices. Certificates have a life span. During that life span, circumstances change and certificates outlive their purpose. Without a method of revoking certificates the population of valid, extant certificates simply grows.
We can surmise that there are connections between this observed deviation from best practices and the significant lack of dedicated personnel and skills called out in the study. When something as basic as lack of revocation processes is this common, one has to wonder about the currency of documentation on and processes for managing the average of eight major enterprise applications that are dependent on the PKI.
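To make concrete what the 30 percent of organizations without a revocation technique are missing (the Figure 5 discussion above and this passage), here is an added example that is not part of the report or its sponsor’s material: a constructed in-memory issuing CA signs a device certificate and an automated-style CRL, and the checks show that ordinary chain validation keeps accepting the certificate after revocation until a signed, current CRL is consulted. The CA name, device name, serial numbers and lifetimes are made up, and Go’s standard crypto/x509 package is assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ToyPKI is a constructed in-memory issuing CA with one device certificate (made-up names, serials, lifetimes).
type ToyPKI struct {
	CACert *x509.Certificate
	CAKey  *ecdsa.PrivateKey
	Leaf   *x509.Certificate
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewToyPKI builds a self-signed CA carrying the crlSign key usage a CRL issuer needs,
// then issues a one-year client-authentication certificate to a hypothetical device.
func NewToyPKI() (*ToyPKI, error) {
	now := time.Now().Add(-time.Hour) // back-date slightly so the fresh certificates are already valid
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:    now, NotAfter: now.AddDate(5, 0, 0),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "device-0001.example.invalid"},
		NotBefore:    now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf, err := issue(leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &ToyPKI{CACert: caCert, CAKey: caKey, Leaf: leaf}, nil
}

// IssueCRL signs a 24-hour CRL listing the given serials: what an automated CRL publisher would post.
func IssueCRL(p *ToyPKI, revoked []*big.Int, now time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.CAKey)
}

// ChainValid is plain path validation: it consults neither CRL nor OCSP, so a revoked, unexpired leaf passes.
func ChainValid(p *ToyPKI, now time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(p.CACert)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// RevocationStatus is the step path validation lacks: verify the CRL's issuer signature and
// validity window first, and only then look the serial up.
func RevocationStatus(crlDER []byte, issuer, leaf *x509.Certificate, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by expected issuer: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL outside its validity window (nextUpdate %s)", crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

A stale or foreign-signed CRL is treated as an error rather than as "not revoked", which is the fail-closed behaviour a relying party needs when the distribution point is unreachable.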
[Figure 14. How would you describe how your organization’s enterprise PKI is deployed? Top 2 choices: Internal corporate certificate authority (CA); Externally hosted private CA – managed service. Bar chart by country: DE, US, JP, KO, AU, IN, UK, ME, SA, FR, MX, HKT, BZ, RF.]
[Figure 15. Which certificate revocation technique does your organization deploy? Top 2 choices: Online Certificate Status Protocol (OCSP); Automated CRL. Bar chart by country: DE, BZ, JP, US, HKT, SA, FR, UK, AU, ME, KO, MX, IN, RF.]

Country                   Abbreviated
Germany                   DE
United States             US
Japan                     JP
Korea                     KO
Australia                 AU
India                     IN
United Kingdom            UK
Middle East               ME
Southeast Asia            SA
France                    FR
Mexico                    MX
Hong Kong and Taiwan      HKT
Brazil                    BZ
Russian Federation        RF
According to Figure 16, the U.S. and Germany have the most individual CAs deployed within their organizations (9.65 and 9.24, respectively). Brazil and the Russian Federation have the least number of individual CAs (5.93 and 5.19, respectively).
Again, this reinforces the penetration of the PKI into the core IT backbone of the modern organization. And, given the stated lack of skilled personnel and organizational clarity, combined with the lack of consistent revocation practices, one has to draw attention to the risks to the health and integrity of these important core enterprise applications.
Figure 17 shows the number of distinct applications (e.g., email, network authentication, etc.) for which a PKI manages certificates. The U.S. at 11.60 has the largest number of distinct applications. Australia (6.76) and Russia (6.18) have the smallest number of distinct applications.
One should note that even the lowest figures put the average number of applications just north of 6. Given previous responses, we can extrapolate that these likely include email, SSL certificates, device identification and logon credentials. These are non-trivial applications, the failure of which could pose existential risks to the host organization.
[Figure 16. What best describes the number of individual CAs in your organization? Extrapolated average values. Bar chart by country: US, DE, UK, JP, KO, SA, HKT, ME, IN, AU, FR, MX, BZ, RF.]
[Figure 17. How many distinct applications does your PKI manage certificates on behalf of? Extrapolated average values. Bar chart by country: US, DE, UK, JP, KO, SA, HKT, ME, IN, AU, FR, MX, BZ, RF.]
Figure 18 reports the three most salient challenges in deploying and managing PKI. Middle East, Australian, Korean and Hong Kong & Taiwan respondents are most likely to say no clear ownership is their most significant challenge. Russian respondents are most likely to say insufficient resources. Southeast Asian, Russian and Korean respondents are most likely to cite insufficient skills as a top-three challenge.
There is a consistent theme in these responses. We can see the importance of the PKI growing and its integration with core IT applications. Also, PKI’s near term future is being buffeted by trends towards the cloud and mobility. However, globally there is a lack of trained people and tendency towards fuzzy ownership of the PKI. This is a significant departure from known best practices that require direct lines of responsibility for all PKI dependent applications and clear documentation of the dependencies and risk mitigation strategies. One has to wonder about the condition of required PKI documentation and processes given these high rates of skills and personnel shortages.
[Figure 18. What are the main challenges in deploying and managing PKI? Top 3 choices: No clear ownership; Insufficient skills; Insufficient resources. Bar chart by country: US, DE, UK, JP, KO, SA, HKT, ME, IN, AU, FR, MX, BZ, RF.]
As organizations plan the evolution of their PKI, where are the greatest areas of possible change and uncertainty? Figure 19 provides the top three choices. Accordingly, U.S., Japanese and French respondents are most likely to find external mandates and standards the greatest area of change and uncertainty. U.S. and Russian respondents are most likely to select new applications, and Russian, Indian and German respondents are most likely to see PKI technologies as the greatest area of change and uncertainty.
Given the high levels of uncertainty and increasing challenges to the status quo, organizations that are already challenged by a lack of clear authority and a dearth of skills and personnel will be stressed further as they attempt to come into compliance with best practices.
[Figure 19. Where are the greatest areas of change and uncertainty in the evolution of your PKI? Top 3 choices: External mandates and standards; New applications; PKI technologies. Bar chart by country: US, JP, FR, AU, BZ, DE, UK, KO, RF, IN, ME, MX, SA, HKT.]
Figure 20 reports what respondents believe are the most important trends that are driving the deployment of applications that make use of PKI. As can be seen, Russia, India and Middle East are most likely to cite cloud-based services as driving the deployment of applications that make use of PKI.
Brazil, Hong Kong and Taiwan, and Korea respondents are most likely to see consumer-oriented mobile applications as a driver to PKI adoption. The IoT is beginning to have a significant impact, particularly in the U.S., Hong Kong and Taiwan and Japan.
[Figure 20. What are the most important trends that are driving the deployment of applications that make use of PKI? Top 3 choices: Cloud-based services; Consumer mobile; Internet of Things. Bar chart by country: RF, IN, ME, JP, KO, SA, MX, BZ, UK, HKT, US, DE, AU, FR.]
03 METHODS
TABLE 1 REPORTS THE CONSOLIDATED SAMPLE RESPONSE FOR 14 SEPARATE COUNTRY/REGION SAMPLES. The sample response for this study was conducted over a 49-day period ending in December 2018. Our consolidated sampling frame of practitioners in all countries consisted of 150,066 individuals who have bona fide credentials in IT or security fields. From this sampling frame, we captured 6,502 returns of which 646 were rejected for reliability issues. From our final consolidated 2019 sample of 5,856, we calculated the PKI subsample to be 1,884.
Figure 21 reports the respondents’ organizational level within participating organizations. By design, 56 percent of respondents are at or above the supervisory levels. Respondents have on average 10 years of security experience with approximately 7 years of experience in their current position.
As shown in Figure 22, 55 percent of respondents identified IT operations as their functional area within the organization, 19 percent of respondents are functioning within security and 12 percent of respondents are functioning within the lines of business.
Table 1. Sample response                  Frequency
Sampling frame                              150,066
Total returns                                 6,502
Rejected or screened surveys                    646
Overall sample (encryption trends)            5,856
PKI subsample                                 1,884
Ratio subsample to overall sample               32%

[Figure 21. Distribution of respondents according to position level. Consolidated view. Pie chart over: Senior Executive; Vice President; Director; Manager/Supervisor; Associate/Staff/Technician; Other.]
[Figure 22. Distribution of respondents according to functional area. Consolidated view. Pie chart over: IT operations; Security; Lines of business (LOB); Compliance; Finance; Other.]
Figure 23 reports the respondents’ organizations’ primary industry segments. As shown, 15 percent of respondents are located in the financial services industry, which includes banking, investment management, insurance, brokerage, payments and credit cards. Eleven percent are located in manufacturing and industrial sectors, 11 percent are located in the services sector and 9 percent are located in the public sector, including central and local government.
According to Figure 24, the majority of respondents (60 percent) are located in larger organizations with a global headcount of more than 1,000 employees.
[Figure 23. Distribution of respondents according to primary industry classification. Consolidated view. Pie chart over: Financial services; Manufacturing & industrial; Services; Public sector; Technology & software; Health & pharmaceutical; Retail; Energy & utilities; Transportation; Consumer products; Education & research; Hospitality; Communications; Entertainment & media; Other.]
[Figure 24. Distribution of respondents according to organizational headcount. Country samples are consolidated. Pie chart over: Less than 500; 500 to 1,000; 1,001 to 5,000; 5,001 to 25,000; 25,001 to 75,000; More than 75,000.]
04 LIMITATIONS
THERE ARE INHERENT LIMITATIONS TO SURVEY RESEARCH THAT NEED TO BE CAREFULLY CONSIDERED BEFORE DRAWING INFERENCES FROM THE PRESENTED FINDINGS. The following items are specific limitations that are germane to most survey-based research studies.
• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners in 14 countries/regions resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.
• Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are representative of individuals who are IT or IT security practitioners within global companies represented in this study.
• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process including sanity checks, there is always the possibility that some respondents did not provide truthful responses.
APPENDIX: DETAILED SURVEY RESULTS
THE FOLLOWING TABLES PROVIDE THE FREQUENCY OR PERCENTAGE FREQUENCY OF RESPONSES TO ALL SURVEY QUESTIONS CONTAINED IN THIS STUDY.
Public Key Infrastructure (PKI)
2019 Survey Response                 FY2019    FY2018    FY2017    FY2016    FY2015
Sampling frame                      150,066   151,334   138,530   131,453   130,123
Total returns                         6,502     5,861     5,397     5,605     5,297
Rejected or screened surveys            646       609       595       596       683
Overall sample (encryption trends)    5,856     5,252     4,802     5,009     4,714
PKI subsample                         1,884     1,688     1,510     1,583     1,511
Ratio subsample to overall sample     32.2%     32.1%     31.4%     31.6%     32.1%
Q18. What best describes your role or involvement in your organization’s enterprise PKI?
                                                                  FY2019  FY2018  FY2017  FY2016  FY2015
I am involved in the management of my organization’s PKI             59%     60%     58%     54%     49%
I am involved in developing and/or managing applications that
  depend upon credentials controlled by my organization’s PKI        41%     40%     42%     46%     51%
I am not involved in my organization’s PKI or the applications
  that depend on them (Stop)                                          0%      0%      0%      0%      0%
My organization does not have a PKI (Stop)                            0%      0%      0%      0%      0%
Total                                                               100%    100%    100%    100%    100%
Q19. How would you describe how your organization’s enterprise PKI is deployed? Please select all that apply.

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015 |
|---|---|---|---|---|---|
| Internal corporate certificate authority (CA) | 63% | 56% | 54% | 51% | 44% |
| Externally hosted private CA – managed service | 43% | 40% | 38% | 41% | 48% |
| Public CA service | 31% | 33% | 34% | 29% | 25% |
| Private CA running within a public cloud | 22% | 23% | 23% | 18% | 9% |
| Business partner provided service | 15% | 16% | 14% | 15% | 16% |
| Government provided service | 10% | 11% | 11% | 12% | 9% |
| Other (please specify) | 2% | 2% | 2% | 2% | 0% |
| None of the above (stop) | 0% | 0% | 0% | 0% | 0% |
| Total | 187% | 181% | 176% | 168% | 151% |
Q20. Which certificate revocation technique does your organization deploy? Please select all that apply.

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015 |
|---|---|---|---|---|---|
| Online Certificate Status Protocol (OCSP) | 58% | 57% | 54% | 52% | 46% |
| Manual certificate revocation list (CRL) | 19% | 20% | 20% | 24% | 33% |
| Automated CRL | 44% | 47% | 46% | 43% | 37% |
| Validation Authority | 19% | 18% | 19% | 20% | 19% |
| Others (please specify) | 1% | 1% | 2% | 3% | 3% |
| None | 30% | 30% | 33% | 37% | 37% |
| Unsure | 1% | 1% | 1% | 2% | 2% |
| Total | 172% | 174% | 175% | 181% | 177% |
Q21. How many issuing CAs does your PKI support? Respondents that use an external CA service were removed.

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015 |
|---|---|---|---|---|---|
| 1 or 2 | 12% | 13% | 16% | 18% | 21% |
| 3 or 4 | 17% | 17% | 18% | 19% | 25% |
| 5 or 6 | 18% | 17% | 18% | 17% | 15% |
| 7 or 8 | 15% | 14% | 14% | 13% | 13% |
| 9 or 10 | 17% | 16% | 14% | 14% | 11% |
| More than 10 | 22% | 23% | 22% | 19% | 15% |
| Total | 100% | 100% | 100% | 100% | 100% |
| Extrapolated value | 7.74 | 7.70 | 7.39 | 6.76 | 6.17 |
Q22. How many certificates does your PKI issue (or have been acquired from an external service)?

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015 |
|---|---|---|---|---|---|
| Less than 10 | 1% | 1% | 2% | 1% | 0% |
| 10 to 100 | 3% | 3% | 3% | 4% | 5% |
| 101 to 1,000 | 11% | 12% | 15% | 16% | 22% |
| 1,001 to 5,000 | 19% | 18% | 18% | 19% | 17% |
| 5,001 to 10,000 | 17% | 17% | 18% | 16% | 16% |
| 10,001 to 50,000 | 15% | 16% | 15% | 12% | 11% |
| 50,001 to 100,000 | 16% | 17% | 15% | 17% | 16% |
| More than 100,000 | 17% | 16% | 15% | 14% | 12% |
| Total | 100% | 100% | 100% | 100% | 100% |
| Extrapolated value | 39,197 | 38,631 | 35,488 | 35,534 | 31,409 |
Q23. How many distinct applications (e.g., email, network authentication, etc.) does your PKI manage certificates on behalf of?

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015 |
|---|---|---|---|---|---|
| 1 or 2 | 5% | 5% | 4% | 5% | 7% |
| 3 or 4 | 12% | 12% | 14% | 14% | 19% |
| 5 or 6 | 20% | 21% | 24% | 26% | 25% |
| 7 or 8 | 19% | 23% | 23% | 27% | 29% |
| 9 or 10 | 17% | 17% | 17% | 13% | 12% |
| 11 or 12* | 13% | 13% | 12% | 10% | 5% |
| 13 or 14* | 7% | 6% | 6% | 5% | 3% |
| 15 or more* | 8% | 3% | – | – | – |
| Total | 100% | 100% | 100% | 100% | 100% |
| Extrapolated value | 8.52 | 7.97 | 8.47 | 7.87 | 7.30 |

*A different response scale (with seven categories) was used for FY2015, FY2016 and FY2017.
Q24. What security controls and best practices do you use to secure the PKI and CA in particular? Please select all that apply.

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015 |
|---|---|---|---|---|---|
| Physical secure location | 46% | 48% | 47% | 45% | 48% |
| Isolated networks | 22% | 23% | 21% | 23% | 20% |
| Strict record keeping (e.g., video recording, independent observers, etc.) | 14% | 15% | 13% | 11% | 4% |
| Formal security practices (documented) | 42% | 40% | 40% | 39% | 41% |
| Offline root CAs | 28% | 30% | 28% | 30% | 27% |
| Quorums and dual controls | 13% | 14% | 13% | 6% | 3% |
| Multifactor authentication for administrators | 60% | 62% | 59% | 52% | 48% |
| Passwords alone without a second factor | 24% | 30% | 29% | 34% | 53% |
| No special security measures | 5% | 5% | 6% | 7% | 6% |
| Other (please specify) | 1% | 1% | 2% | 2% | 1% |
| Total | 256% | 268% | 286% | 249% | 251% |
Q25a. Do you have PKI specialists on staff?

| | FY2019 | FY2018 | FY2017 | FY2016 |
|---|---|---|---|---|
| Yes | 45% | 48% | 43% | 39% |
| No | 24% | 23% | 27% | 30% |
| Rely on consultants | 16% | 16% | 15% | 17% |
| Rely on service provider | 14% | 14% | 14% | 15% |
| Total | 100% | 100% | 100% | 100% |
Q25b. How do you manage the private keys for your root/policy/issuing CAs?

| | FY2019 | FY2018 | FY2017 | FY2016 |
|---|---|---|---|---|
| Hardware security modules (HSMs) | 42% | 39% | 36% | 32% |
| Smart cards (for CA/root key protection) | 26% | 28% | 30% | 28% |
| Removable media for CA/root keys | 23% | 23% | 25% | 25% |
| Other | 10% | 10% | 10% | 15% |
| Total | 100% | 100% | 100% | 100% |
Q26. If you use HSMs to secure PKI, where are they deployed? Please select all that apply.

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015 |
|---|---|---|---|---|---|
| Offline root | 48% | 50% | 50% | 48% | 42% |
| Online root | 34% | 35% | 38% | 37% | 32% |
| Issuing CA | 41% | 40% | 43% | 45% | 46% |
| Policy CA | 29% | 30% | 30% | 32% | 27% |
| Registration Authority | 22% | 23% | 22% | 23% | 19% |
| OCSP responder | 11% | 12% | 12% | 10% | 12% |
| Validation Authority | 8% | 8% | 9% | 7% | 5% |
| Total | 193% | 197% | 203% | 202% | 183% |
Q27. What are the main challenges in deploying and managing PKI? Please select 4 top choices.

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015 |
|---|---|---|---|---|---|
| No clear ownership | 68% | 70% | 69% | 71% | 68% |
| Insufficient resources | 49% | 47% | 42% | 43% | 46% |
| Insufficient skills | 47% | 48% | 47% | 46% | 45% |
| Lack of clear understanding of the requirements | 36% | 35% | 34% | 32% | 31% |
| Too much change or uncertainty | 38% | 39% | 41% | 39% | 39% |
| Requirements are too fragmented or inconsistent | 27% | 27% | 26% | 24% | 22% |
| No suitable products or technologies available | 20% | 20% | 18% | 18% | 17% |
| Necessary performance and reliability is hard to achieve | 37% | 35% | 39% | 40% | 43% |
| Commercial solutions are too complicated or too expensive | 28% | 29% | 31% | 31% | 32% |
| Lack of visibility of the applications that will depend on PKI | 31% | 32% | 35% | 37% | 40% |
| Lack of advisory services and support | 6% | 6% | 7% | 7% | 8% |
| Too hard to transition from current approach to a new system | 11% | 12% | 11% | 10% | 11% |
| Other (please specify) | 1% | 1% | 1% | 1% | 0% |
| Total | 400% | 400% | 400% | 400% | 400% |
Q28. As you plan the evolution of your PKI, where are the greatest areas of possible change and uncertainty? Please select 2 top choices.

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015* |
|---|---|---|---|---|---|
| PKI technologies | 28% | 26% | 26% | 26% | 35% |
| Vendors (products and services) | 16% | 15% | 14% | 14% | 15% |
| Enterprise applications | 19% | 18% | 19% | 22% | 30% |
| Internal security policies | 18% | 18% | 20% | 18% | 22% |
| External mandates and standards | 39% | 42% | 47% | 48% | 56% |
| Budget and resources | 19% | 19% | 17% | 18% | 14% |
| Management expectations | 21% | 20% | 21% | 26% | 28% |
| New applications (e.g., Internet of Things) | 40% | 42% | 36% | 26% | 14% |
| Other (please specify) | 1% | 1% | 1% | 2% | 0% |
| Total | 200% | 200% | 200% | 200% | 214% |

*The FY2015 question was framed as "all that apply" rather than top 2 choices.
Q29. In your opinion, which security certifications are important when deploying PKI infrastructure? Please select all that apply.

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015 |
|---|---|---|---|---|---|
| Common Criteria EAL Level 4+ | 64% | 66% | 64% | 64% | 61% |
| FIPS 140-2 Level 3 | 60% | 62% | 65% | 69% | 67% |
| Regional certifications for use by government | 23% | 25% | 20% | 23% | 24% |
| Regional standards such as digital signature laws | 25% | 26% | 22% | 24% | 31% |
| Other (please specify) | 0% | 1% | 1% | 2% | 1% |
| None of the above (certification is not an important factor) | 11% | 14% | 12% | 13% | 17% |
| Total | 182% | 194% | 184% | 195% | 201% |
Q30. What applications use PKI credentials in your organization?

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015 |
|---|---|---|---|---|---|
| SSL certificates for public facing websites and services | 79% | 84% | 84% | 81% | 78% |
| Private networks and VPN | 69% | 71% | 65% | 75% | 69% |
| Email security | 54% | 53% | 51% | 54% | 50% |
| Enterprise user authentication | 51% | 49% | 50% | 50% | 54% |
| Device authentication | 50% | 51% | 52% | 58% | 51% |
| Document/message signing | 44% | 42% | 42% | 43% | 35% |
| Code signing | 32% | 32% | 31% | 34% | 31% |
| Public cloud-based applications and services | 55% | 56% | 56% | 62% | 50% |
| Private cloud-based applications | 46% | 44% | 44% | 49% | 43% |
| Other (please specify) | 2% | 2% | 1% | 2% | 0% |
| None of the above | 2% | 3% | 4% | 0% | 0% |
| Total | 486% | 487% | 479% | 508% | 461% |
Q31. In your opinion, what are the most important trends that are driving the deployment of applications that make use of PKI? Please select 2 top choices.

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015 |
|---|---|---|---|---|---|
| Consumer mobile | 44% | 45% | 41% | 52% | 50% |
| Cloud-based services | 49% | 45% | 54% | 61% | 64% |
| BYOD and internal mobile device management | 10% | 9% | 8% | 9% | 8% |
| Internet of Things (IoT) | 41% | 44% | 40% | 28% | 21% |
| Regulatory environment | 21% | 21% | 23% | 7% | 10% |
| Consumer-oriented mobile applications | 20% | 21% | 19% | 27% | 26% |
| E-commerce | 7% | 7% | 5% | 7% | 9% |
| Risk management | 2% | 2% | 2% | 1% | 3% |
| Cost savings | 5% | 5% | 6% | 7% | 10% |
| Other (please specify) | 1% | 1% | 1% | 1% | 0% |
| Total | 200% | 200% | 200% | 200% | 200% |
Q32. What are the challenges to enabling applications to utilize PKI? Please select 2 top choices.

| | FY2019 | FY2018 | FY2017 | FY2016 | FY2015 |
|---|---|---|---|---|---|
| No pre-existing PKI | 35% | 35% | 35% | 37% | 45% |
| Existing PKI is incapable of supporting new applications | 56% | 57% | 54% | 58% | 63% |
| Insufficient resources | 38% | 40% | 41% | 41% | 39% |
| Insufficient skills | 45% | 42% | 43% | 42% | 40% |
| Lack of clear understanding of requirements | 35% | 29% | 30% | 30% | 29% |
| Too much change or uncertainty | 35% | 38% | 40% | 40% | 38% |
| Requirements are too fragmented or inconsistent | 25% | 25% | 23% | 22% | 21% |
| No ability to change legacy apps | 46% | 49% | 52% | 56% | 58% |
| Lack of visibility of the security capabilities of existing PKI | 36% | 33% | 28% | 22% | 19% |
| Conflict with other apps using the same PKI | 28% | 29% | 30% | 29% | 30% |
| Specific operational issues (such as revocation and performance) are hard to resolve | 16% | 16% | 16% | 17% | 13% |
| Lack of advisory support | 7% | 6% | 6% | 5% | 6% |
| Other (please specify) | 0% | 0% | 0% | 1% | 0% |
| Total | 400% | 400% | 400% | 400% | 400% |
Q33a. As the Internet of Things continues to grow, do you believe that supporting PKI deployments for IoT device credentialing will be:

| | FY2019 | FY2018 | FY2017 |
|---|---|---|---|
| Primarily cloud-based | 26% | 27% | 25% |
| Primarily enterprise-based | 30% | 31% | 32% |
| Combination of cloud-based and enterprise-based | 44% | 43% | 43% |
| Total | 100% | 100% | 100% |
Q33b. What are the most important PKI capabilities for IoT deployments? Please select 2 top choices.

| | FY2019 | FY2018 |
|---|---|---|
| Support for Elliptic Curve Cryptography (ECC) | 32% | 27% |
| Scalability to millions of managed certificates | 46% | 45% |
| Online revocation | 37% | 39% |
| Ability to sign firmware for IoT devices | 26% | 29% |
| FIPS 140-2 Level 3 HSMs (Hardware Security Modules) for Root and Issuing CAs | 30% | 30% |
| Cloud deployment model | 27% | 29% |
| Total | 200% | 200% |
Q34. What percentage of IoT devices that will likely be used by your organization in the next two years do you believe will rely primarily on digital certificates for identification/authentication?

| | FY2019 | FY2018 | FY2017 |
|---|---|---|---|
| Less than 10% | 10% | 10% | 11% |
| 10% to 25% | 20% | 20% | 19% |
| 26% to 50% | 35% | 35% | 36% |
| 51% to 75% | 24% | 23% | 22% |
| 76% to 100% | 11% | 12% | 13% |
| Total | 100% | 100% | 100% |
| Extrapolated value | 42% | 42% | 43% |
Q35. What are the most significant threats to IoT deployments in your environment? Please select 2 top choices.

| | FY2019 |
|---|---|
| Using a device as a network entry point | 39% |
| Altering the function of the device (e.g., load malware) | 68% |
| Controlling the device remotely | 54% |
| Capturing data from the device | 39% |
| Total | 200% |
Q36a. How important are the following IoT security capabilities to your organization today? 5-point scale from 1 = not important to 5 = very important.

| | FY2019 |
|---|---|
| Device discovery | 3.5 |
| Device authentication | 3.6 |
| Monitoring device behavior | 3.6 |
| Delivery of patches and updates to devices | 3.4 |
| Protecting confidentiality and integrity of data collected from the device | 3.7 |
| Average | 3.6 |
Q36b. How important are the following IoT security capabilities to your organization in the next 12 months? 5-point scale from 1 = not important to 5 = very important.

| | FY2019 |
|---|---|
| Device discovery | 4.0 |
| Device authentication | 4.2 |
| Monitoring device behavior | 4.1 |
| Delivery of patches and updates to devices | 3.9 |
| Protecting confidentiality and integrity of data collected from the device | 4.2 |
| Average | 4.1 |
About Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About nCipher Security

nCipher Security, an Entrust Datacard company, is a leader in the general-purpose hardware security module (HSM) market, empowering world-leading organizations by delivering trust, integrity and control to their business critical information and applications. Today’s fast-moving digital environment enhances customer satisfaction, gives competitive advantage and improves operational efficiency – it also multiplies the security risks. Our cryptographic solutions secure emerging technologies such as cloud, IoT, blockchain, and digital payments and help meet new compliance mandates. We do this using our same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business critical applications, ensure the integrity of your data and put you in complete control – today, tomorrow, always. www.ncipher.com