Lack of resources and skills continues to challenge PKI deployment

Driven by organizational changes, enterprise use of Public Key Infrastructure (PKI) and digital certificates has never been higher, while the related skills to manage PKI are in historically short supply, according to a research from Ponemon Institute.

The study also revealed that IT professionals continue to see lack of clear ownership, resources and skills as the top challenges in deploying and managing PKI.

PKI is at the core of nearly every IT infrastructure, enabling security for critical digital initiatives such as cloud, mobile device deployment, identities and the internet of things (IoT). As such, PKI holds the key to enabling the digital transformation that these technologies underpin, something that has been thrown into sharp focus over the course of the global pandemic and its impact on working practices.

Drivers and challenges of PKI deployment

When it comes to the most important trends driving the deployment of applications using PKI, cloud-based services remain the highest driver at 51%, IoT remains the second highest growing trend cited by 46% of respondents, and consumer mobile comes in third at 39%.

The top challenge that impedes the deployment and management of PKI is a lack of clear ownership – cited by 67% of respondents. Respondents have raised this issue as a top challenge for the past 5 years, indicating a key area of concern for many enterprises.

Insufficient skills were rated as the second biggest challenge at 56% and lack of visibility of the applications that will depend on KPI was the third greatest challenge at 47%. Similarly, the top challenges to enabling applications to utilise PKI were the existing PKI being incapable of supporting new applications (55%) and insufficient skills (46%).

The areas expected to experience the most change and uncertainty were newer applications, such the IoT – which took the top spot for 41% of those surveyed. The second and third most cited areas were external mandates and standards (37%) and changes in PKI technologies (27%).

“Over the years we have been doing this study, it is clear that the gap between the rising demand for PKI adoption and the challenges hindering it appear to be growing,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

“This has the potential to exacerbate the headaches organizations already feel and create gaps in their security postures. When you factor in that environments are more distributed with remote working, cloud and IoT, it’s clear that there’s an immediate need for many organizations to gain additional visibility, automation and centralised control.”

The rise of machine identities

TLS/SSL certificates for public-facing websites and services are the most often cited use case for PKI credentials (81% of respondents). Private networks and VPN applications came in second (67%, up from 60% in 2020) and email security was third (55%, up from 51% in 2020), overtaking last year’s second and third positions of public cloud applications and enterprise user authentication. This change highlights the shifting focus on ensuring remote workers and distributed IT workloads can be kept secure.

The research also revealed that the average number of certificates organizations issue or acquire is still on the rise, up 4.3% from 56,192 in 2020 to 58,639 this year (and up 50% since 2019). While the number of human identities being secured has been relatively flat over the past few years, there are now more machine identities (devices and workflows) than human ones. This growth in machine identities is primarily driven by the growing use of IoT, cloud services and new applications.

Regardless of the reason for the growth, the more certificates an organization needs to manage, the more critical proper management becomes. With 20% of respondents stating they use a manual certificate revocation list and 32% admitting they have no certificate revocation technique, these organizations risk being vulnerable to attacks and facing outages to critical systems and the consequent business disruption and cost that comes with that.

“PKI has never been in such high demand – whether from the pressure of securing a remote or hybrid workforce this past year, or the continued growth of IoT and cloud-based services.” said John Metzger, VP of product marketing, digital security at Entrust.

“At the same time, the skills and resources required to deploy and manage PKI continue to be in short supply – an issue exacerbated by lack of clear organizational ownership over PKI deployments. To deal with this complexity, organizations need a strategy first and products second to support this transformation.”