2017 PKI GLOBAL TRENDS STUDY - Thales...

1 2017 PKI GLOBAL TRENDS STUDY

2017 PKI GLOBAL TRENDS STUDY

October 2017


Sponsored by Thales eSecurity INDEPENDENTLY CONDUCTEDBY PONEMON INSTITUTE LLC

PART 1. EXECUTIVE SUMMARY 3 PART 2. KEY FINDINGS 5

Trends in PKI maturity 7

Trends in PKI challenges 11

Global analysis 16

PART 3. METHODS 20

PART 4. LIMITATIONS 22

APPENDIX: DETAILED SURVEY RESULTS 22

TABLE OF CONTENTS


PART 1. EXECUTIVE SUMMARYThe rise of the Internet of Things (IoT) in the enterprise and its impact on how organizations design and build their public key infrastructure (PKI) is a key theme in this year’s study. Specifically, IoT is the fastest trend driving the deployment of applications using PKI.

While external mandates and standards and enterprise applications have declined in companies’ concerns about change and uncertainty, in the past three years the focus on how new applications such as IoT will affect PKI uncertainty has increased significantly.

On average, companies today are using their PKI to support over eight different applications. Yet the findings of this study indicate a general lack of clear ownership of PKIs, as well as a lack of resources and skills to properly support them. Current approaches to PKI are fragmented and do not always incorporate best practices, indicating a need for many organizations to apply increased effort to securing their PKI as an important part of creating a foundation of trust.1

Ponemon Institute is pleased to present the findings of the 2017 PKI Global Trends Study, sponsored by Thales eSecurity. This report summarizes the third annual results of a survey completed by 1,510 IT and IT security practitioners in the following 11 countries: the United States, the United Kingdom, Germany, France, Australia, Japan, Brazil, Russian Federation, India, Mexico and Arabia. The report tabulates the responses to the survey and draws some limited conclusions as to how best practices are reflected in observed practices, and the influence of cloud computing, the Internet of Things, and other important industry trends.

This work is part of a larger study published in April 2017 involving 4,802 respondents in 11 countries.2 The purpose of this research is to better understand the use of PKI in organizations. All participants in this research are either involved in the management of their organizations’ enterprise PKI or in developing and/or managing applications that depend upon credentials controlled by their organizations’ PKI.

Figure 1 shows the primary practices organizations take to secure PKI and Certificate Authorities (CAs). The top two are multifactor authentication for administrators and a secure physical location (59 percent and 47 percent of respondents, respectively).

1 Best practices for designing, fielding and maintaining a PKI can be derived from various public documents, for example the Webtrust standards (http://www.webtrust.org/item64428.aspx) and NIST Publication 800-57 Parts 1-3.

2 See: 2017 Global Encryption Trends Study (sponsored by Thales eSecurity), Ponemon Institute, April 2017.

Multi-factor authenticationfor administrators

Physical secure location

Formal security practices(documented)

Passwords alonewithout a second factor

Of�ine root CAs

Isolated networks

Strict record keeping(e.g., video recording,

independent observers, etc.)

Figure 1. Practices used to secure PKI and Certi�cate Authorities

59%

47%

40%

29%

28%

21%

13%

0% 10% 20% 30% 40% 50% 60%

http://www.webtrust.org/item64428.aspx


Other key findings include the following:

PKI changes and uncertainty due to new applications, such as the IoT, increased dramatically since 2015. Respondents who are concerned about the impact of the IoT on PKI increased from 14 percent to 36 percent.

IoT is growing as an important trend driving the deployment of applications using PKI. While the most important trend driving the deployment of applications that make use of PKI continues to be cloud-based services (54 percent of respondents), IoT increased from 21 percent to 40 percent of respondents over the past three years.

In the next two years, an average of 43 percent of IoT devices in use will rely primarily on digital certificates for identification and authentication.

How are private keys for root/policy/issuing CAs managed? Hardware security modules (HSMs) are used by 36% of respondents to manage the private keys for root/policy/issuing CAs.

The challenge of dealing with a lack of visibility of the security capabilities of existing PKI grows. The lack of visibility of the security capabilities of an existing PKI has increased from 19 percent in 2015 to 28 percent of respondents in this year’s research.

The main PKI deployment challenge continues to be the lack of clear ownership of the PKI function. Sixty-nine percent of respondents believe there is no one function responsible for managing PKI, a slight increase from 2015.

FIPS 140 and Common Criteria are the most important security certifications when deploying PKI infrastructure and PKI-based applications. Sixty-five percent say FIPS 140 is most important and this is closely followed by Common Criteria (64 percent of respondents) when deploying PKI.

SSL certificates for public facing websites and services increase the use of PKI credentials significantly. Applications most often using PKI credentials are SSL certificates for public facing websites and services (84 percent of respondents).

“IN THE NEXT TWO YEARS, AN AVERAGE OF 43 PERCENT OF IoT DEVICES IN USE WILL RELY PRIMARILY ON DIGITAL CERTIFICATES FOR IDENTIFICATION AND AUTHENTICATION.”

4


PKI changes and uncertainty due to new applications, such as the IoT, increased dramatically since 2015. According to Figure 2, since 2015 respondents who are concerned about the impact of the IoT on PKI increased from 14 percent to 36 percent. In contrast, external mandates and standards and enterprise applications saw a decrease in concerns about change (from 47 percent and 19 percent in 2015, respectively).

PART 2. KEY FINDINGSIn this section of the report we provide an analysis of the global results. The complete audited findings are presented in the Appendix of this report. The results are grouped into three categories:

• The increasing influence of the IoT in PKI planning

• Trends in PKI maturity

• Trends in PKI challenges

47%

36%26%

14%

26%26%

35%

21%26%

28%

20%

19%22%

30%

17%18%

14%

14%14%15%

1%2%

18%22%

48%56%

0%

FY 2017 FY 2016 FY 2015

Figure 2. Areas expected to experience the most change and uncertaintyConsolidated view; two responses permitted

External Mandates and standards

New applications(e.g., Internet of Things)

PKI technologies

Management expectations

Internal security policies

Enterprise applications

Budget and resources

Vendors (products and services)

Other

0% 10% 20% 30% 40% 50% 60%

The increasing influence of the IoT in PKI planning


54%

41%

40%

23%

19%

8%

6%

5%

2%1%

1%1%

0%

3%

7%9%

7%10%

9%8%

27%26%

7%10%

28%21%

52%

50%

61%

64%

FY 2017 FY 2016 FY 2015

Figure 3. The most important trends driving the deployment of applications using PKI Consolidated view; two responses permitted

Cloud-based services

Consumer mobile

Internet of Things (IoT)

Regulatory environment

Consumer-orientedmobile applications

BYOD and internal mobiledevice management

Cost savings

E-commerce

Risk management

Other

0% 10% 20% 30% 40% 50% 60% 70%

IoT is growing as an important trend driving the deployment of applications using PKI. While the most important trend driving the deployment of applications that make use of PKI continues to be cloud-based services (54 percent of respondents), IoT increased from 21 percent to 40 percent of respondents over the past three years (Figure 3). The regulatory environment also has increased significantly from 7 percent of respondents last year to 23 percent of respondents in this year’s research.

“IoT IS GROWING AS AN IMPORTANT TREND DRIVING THE DEPLOYMENT OF APPLICATIONS USING PKI.”

6


In the next two years, an average of 43 percent of IoT devices in use will rely primarily on digital certificates for identification and authentication. Also, as shown in Figure 4, 43 percent of respondents believe that as the IoT continues to grow, supporting PKI deployments for IoT device credentialing will be a combination of cloud-based and enterprise-based.

Trends in PKI maturityThe use of manual CRLs is decreasing. According to Figure 5, the certificate revocation technique most often deployed continues to be online certificate status protocol (OCSP), according to 54 percent of respondents (a slight increase from 52 percent of respondents in 2016).

Forty-six percent of respondents say their organizations use automated certificate revocation (CRL), an increase from 37 percent in 2015. Along with the increase in automated methods of revocation, the use of of manual certificate revocation continues to decrease (from 33 percent of respondents in 2015 to 20 percent of respondents in this year’s research).

Combination of cloud-based and enterprise-based

Primarily enterprise-based

Primarily cloud-based

43%

32%

25%

0% 10% 20% 30% 40% 50%

Figure 4. How will PKI be deployed for IoT device credentialing as the IoT continues to grow?

54%

46%

33%

20%

19%

19%

2%

2%2%

1%

3%3%

20%

24%33%

37%37%

43%37%

52%46%

FY 2017 FY 2016 FY 2015

Figure 5. The certi�cate revocation techniques used in enterprises Consolidated view; more than one response permitted

Online Certi�cate StatusProtocol (OCSP)

Automated CRL

None

Manual certi�caterevocation list (CRL)

Validation Authority

Others

Unsure

0% 10% 20% 30% 40% 50% 60%


Hardware security modules (HSMs) are increasingly used to manage the private keys for root/policy/issuing CAs, as shown in Figure 6. Thirty percent of respondents say smart cards are used. Forty-three percent of respondents say they have PKI specialists on staff to manage private keys.

Of the 36 percent of organizations in this study that use HSMs to secure PKI, they are used across the entire architecture of the PKI as shown in Figure 7. As an example of best practice, NIST calls to “Ensure that Cryptographic modules for CAs, Key Recovery Servers, and OCSP responders are hardware modules validated as meeting FIPS 140-2 Level 3 or higher” (NIST Special Publication 800-57 Part 3). Yet only 12 percent of our respondents indicate the presence of HSMs in their OCSP installations. This is a significant gap between best practices and observed practices.

36%

28%

15%10%

25%

25%

32%

30%

FY 2017 FY 2016

Figure 6. How do you manage the private keys for your root/policy/issuing CAs

Hardware Security Modules (HSMs)

Smart cards (for CA/root key protection

Removable media for CA/root keys

Other

0% 10% 20% 30% 40%

50%

43%

38%

30%

22%

19%

12%

7%5%

9%

10%12%

23%

32%27%

37%32%

45%

46%

48%42%

FY 2017 FY 2016 FY 2015

Figure 7. Where HSMs are deployed to secure PKIConsolidated view; more than one response permitted

Of�ine root

Issuing CA

Online root

Policy CA

Registration Authority

OCSP responder


0% 10% 20% 30% 40% 50% 60%


Figure 8 shows the percentage of respondents who say their organizations deploy an internal certificate authority or an externally hosted private certificate authority by 12 industry sectors.

As can be clearly seen, there are differences across industry sectors. Financial service, health and pharmaceutical and energy/utilities are most likely to deploy an internal corporate certificate authority. In contrast, consumer products, entertainment and media, communication and retail companies are most likely to deploy an externally hosted private CA.

0% 10% 20% 30% 40% 50% 60% 70%

68%

55%

58%

50%

60%

49%

38%44%

55%

58%45%

45%58%

63%

45%48%

40%

35%

26%

36%

39%

31%

32%

26%

Internal corporate certi�cateauthority (CA)

Externally hosted private CA – managed service

Figure 8. Percentage of companies that deploy internal or external certi�cation authorities by industry sector

Financial services

Industrial/manufacturing

Public sector

Technology & software

Healthcare & pharmaceutical

Services

Retailing

Hospitality & leisure

Communications

Consumer products

Energy & utilities

Entertainment & media


The challenge of dealing with a lack of visibility of the security capabilities of existing PKI grows. As shown in Figure 9, the lack of visibility of the security capabilities of existing PKI has increased from 19 percent in 2015 to 28 percent of respondents in this year’s research. In contrast, it seems respondents are getting better at dealing with PKIs being incapable of supporting new applications (decrease from 63 percent), the inability to change legacy apps (decrease from 58 percent) and no pre-existing PKI (decrease from 45 percent).

54%

52%

43%

41%41%

40%40%

38%

30%30%

29%

30%

30%29%

28%

19%22%

23%22%

21%

16%17%

13%

6%5%

6%

35%37%

45%

39%

42%40%

56%

58%

58%

0%

0%

1%

63%

FY 2017 FY 2016 FY 2015

Figure 9. The challenges to enable applications to use PKI Consolidated view; four responses permitted

Existing PKI is incapable of supporting new application

No ability to change legacy apps

Insufficient skills

Insufficient resources

Too much change or uncertainty

No pre-existing PKI

Lack of clear understanding of requirements

Conflict with other apps using the same PKI

Lack of visibility of the securitycapabilities of existing PKI

Requirements are toofragmented or inconsistent

Specific operational issues (such as revocation and performance) are hard to resolve

Lack of advisory support

Other

0% 10% 20% 30% 40% 50% 60% 70%


Trends in PKI challenges

Organizations with internal CAs use an average of eight separate CAs, managing an average of 35,488 internal or externally acquired certificates. As shown in Figure 10, an average of over eight distinct applications, such as email and network authentication, are managed by an organization’s PKI. This indicates that the PKI is at the core of the enterprise IT backbone. Not only are the number of applications dependent upon the PKI increasing, but the nature of them indicates that the PKI is a strategic part of the core IT backbone.

“NOT ONLY ARE THE NUMBER OF APPLICATIONS DEPENDENT UPON THE PKI INCREASING, BUT THE NATURE OF THEM INDICATES THAT THE PKI IS A STRATEGIC PART OF THE CORE IT BACKBONE.”

11

1 or 2 3 or 4 5 or 6 7 or 8 9 or 10 10 or 20 More than 200%

5%

10%

4%5%

7%

14%

19%

24%

26%25%

23%

27%

29%

17%

13%12% 12%

10%

5%6%

5%3%

15%

20%

25%

30%

Figure 10. How many distinct applications does your PKI manage certi�cates on behalf of?

Consolidated view; extrapolated value is 8.47 distinct applications

FY 2017 FY 2016 FY 2015

14%


The main PKI deployment challenge continues to be the lack of clear ownership of the PKI function. As shown in Figure 11, 69 percent of respondents believe there is no one function responsible for managing PKI, a slight increase from 2015. This is not in line with best practices, which assume as a baseline a sufficient degree of staffing and competency to define and maintain the process and procedures on which a modern PKI depends.

Other deployment problems include: insufficient skills (47 percent of respondents), insufficient resources (42 percent of respondents), too much change or uncertainty (41 percent of respondents) and necessary performance and reliability is hard to achieve (39 percent of respondents).

69%

47%

42%

41%

39%40%

43%

34%32%

31%31%31%32%

26%

22%24%

18%18%

17%

11%

11%10%

7%7%

8%

35%37%

40%

39%39%

43%46%

46%45%

71%

0%

1%1%

68%

FY 2017 FY 2016 FY 2015

Figure 11. The main challenges deploying and managing PKI Consolidated view; four responses permitted

No clear ownership

Insuf�cient skills

Insuf�cient resources


Necessary performance andreliability is hard to achieve

Lack of visibility of the applicationsthat will depend on PKI

Lack of clear understandingof the requirements

Commercial solutions are toocomplicated or too expensive

Requirements are toofragmented or inconsistent

No suitable products or technologies available

Too hard to transition fromcurrent approach to a new system

Lack of advisory services and support

Other

0% 10% 20% 30% 40% 50% 60% 70% 80%


Figure 12 shows the percentage of respondents who say their organizations have PKI specialists on staff. As can be seen, there are significant differences across industry sectors. Specifically, companies in financial services, energy/utilities and health and pharmaceutical are most likely to employ PKI specialists as a fully dedicated role. In contrast, hospitality, consumer products, entertainment and media, communication and retail companies are less likely to employ PKI specialists as a fully dedicated role within the company. Following are the abbreviations used in all industry breakout questions.

FIPS 140 and common criteria are the most important security certification when deploying PKI infrastructure and PKI-based applications. According to Figure 13, 65 percent say FIPS 140 is most important and this is closely followed by Common Criteria (64 percent of respondents) when deploying PKI. Twenty-two percent say it is regional standards such as digital signature laws (a decrease from 31 percent in 2015). In the US, FIPS 140 is the standard called out by NIST in its definition of a “cryptographic module” which is mandatory for most US federal government applications and a best practice in all PKI implementations.

65%

36%

45%

53% 53%

42%

36%

24%

46%

29%

55%

31%

FS IM PS TS HP SV RT HL CM CP EU EM

Figure 12. Percentage of companies that have a PKI specialist on staffResponse = Yes; mean = 43%

0%

10%

20%

30%

40%

50%

60%

70%

0% 10% 20% 30% 40% 50% 60% 70%


65%

64%64%

61%

22%

31%

20%23%24%

12%13%

17%

1%2%

1%

24%

69%67%

FY 2017 FY 2016 FY 2015

Figure 13. Security certi�cations important when deploying PKI infrastructure Consolidated view, more than one response permitted

FIPS 140-2 Level 3

Common Criteria EAL Level 4+

Regional standards such as digital signature laws

Regional certi�cations foruse by government

None of the above (certi�cation is not an important factor)

Other please specify

Industry sectors

Financial services

Industrial/manufacturing

Public sector

Technology & software

Healthcare & pharmaceutical

Services

Retailing

Hospitality & leisure

Communications

Consumer products

Energy & utilities

Entertainment & media

Abbreviated

FS

IM

PS

TS

HP

SV

RT

HL

CM

CP

EU

EM


SSL certificates for public facing websites and services increase the use of PKI credentials significantly. According to Figure 14, applications most often using PKI credentials are: SSL certificates for public facing websites and services (84 percent of respondents). Most PKI use by applications has remained relative stable over the three years of the study, however private networks and VPN showed a marked 10 percent decrease from 2016 to 2017. Document/messaging signing applications have increased significantly from 35 percent in 2015 to 42 percent in 2017.

78%

69%

50%

51%58%

50%54%

51%

43%49%

44%

35%

42%43%

31%

31%34%

54%50%50%

52%

62%56%

75%

65%

81%84%

Figure 14. What applications use PKI credentials?Consolidated view; more than one response permitted

SSL certi�cates for publicfacing websites and services

Private networks and VPN

Public cloud-basedapplications and services

Device authentication

Email security

Enterprise user authentication

Private cloud-based applications

Document/message signing

Code signing

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

FY 2017 FY 2016 FY 2015


54%

38%

34%

23%

14%

16%

11%

2%2%

0%

12%9%

15%

18%9%

29%25%

41%48%

51%44%

FY 2017 FY 2016 FY 2015

Figure 15. How is PKI deployed? Consolidated view; more than one response permitted

Internal corporatecerti�cate authority (CA)

Externally hosted privateCA – managed service

Public CA service

Private CA runningwithin a public cloud

Business partnerprovided service

Governmentprovided service

Other

0% 10% 20% 30% 40% 50% 60%

What are the most popular methods for deploying enterprise PKI? Fifty-four percent of respondents say their organizations favor an internal corporate certificate authority (CA), according to Figure 15.

Externally hosted private CA—managed service has decreased from 48 percent of respondents in 2015 to 38 percent of respondents in this year’s study. Companies using a private CA running within a public cloud has increased significantly from 9 percent of respondents in 2015 to 23 percent of respondents in 2017.

“FIFTY-FOUR PERCENT OF RESPONDENTS SAY THEIR ORGANIZATIONS

FAVOR AN INTERNAL CORPORATE CERTIFICATE AUTHORITY (CA).”


Global analysis

Figure 16 shows how PKI is deployed within respondents’ organizations. As can be seen, 7 of the 11 countries in the survey are more likely to choose internal corporate certificate authority. In contrast, Brazilian, Mexican, Arabian and Russian Federation respondents are more likely to choose external hosted private certificate authorities as a managed service.

0% 10% 20% 30% 40% 50% 60% 70%

70%

66%

65%

60%

53%

50%

47%52%

47%

44%

34%

43%51%

30%40%

64%

33%

39%

38%

29%

29%

20%

Internal corporate certi�cateauthority (CA)


Figure 16. How would you describe how your organization’s enterprise PKI is deployed?

Top 2 choices

Japan

Germany

Australia

United States

India

France

Brazil

Arabia

United Kingdom

Mexico

Russian Federation

Figure 17 shows the percentage of respondents who say their organization does not deploy a certification revocation technique or process. As can be seen, there are marked differences across industry sectors. Specifically, industrial/manufacturing, public sector and financial service companies are most likely to report their organizations deploy a certification revocation technique. In contrast, services, retail and healthcare/pharma companies are most likely to report their organizations do not deploy a certification revocation technique.

40%

29%27%

29%

36% 37%34% 34% 34%

32% 33%


Figure 17. Percentage of companies by industry thatdo not deploy a certi�cate revocation technique

Response = none; mean value = 33%

27%

0%

10%

20%

30%

40%


Figure 18 shows the number of distinct applications (e.g., email, network authentication, etc.) for which PKI manages certificates. The US at 12.32 distinct applications has the largest number of distinct applications. Mexico (6.19) and Russia Federation (5.40) have the smallest number of distinct applications, respectively.

One should note that even in the lowest figures that the average number of applications is just north of 5. Given previous responses, we can extrapolate that these likely include email, SSL certificates, device identification and logon credentials. These are non-trivial applications, the failure of which could pose existential risks to the host organization.

12.32

10.36

9.04

8.43

8.108.108.10

7.69

6.896.89

6.96

6.746.74

6.406.40

8.318.31

9.569.56

10.8710.87

5.785.78

6.85

6.436.12

5.885.88

6.19

5.105.10

5.40

FY 2017 FY 2016 FY 2015

Figure 18. How many distinct applications doesyour PKI manage certi�cates on behalf of?

Extrapolated value

United States

Germany

India

United Kingdom

Japan

France

Brazil

Australia

Arabia*

Mexico

Russian Federation

0 3.00 6.00 9.00 12.00 15.00

*Arabia was not surveyed in FY 2015


Figure 19 reports the three most salient challenges in deploying and managing PKI. As can be seen, Arabia, Germany, Australia, Japan and Mexico respondents are most likely to say no clear ownership as their most significant challenge. Russian Federation respondents are most likely to say insufficient resources. Arabia and Mexican respondents are most likely to say insufficient skills as a top three challenge.

There is a consistent theme in these responses. We can see the importance of the PKI growing and its integration with core IT applications. Also, PKI’s near term future is being buffeted by trends towards the cloud and the IoT. However, globally there is a lack of trained people and tendency towards fuzzy ownership of the PKI. This is a significant departure from known best practices that require direct lines of responsibility for all PKI dependent applications and clear documentation of the dependencies and risk mitigation strategies. One has to wonder about the condition of required PKI documentation and processes given these high rates of skills and personnel shortages.

80%

79%29%

28%

75%36%

70%22%

38%

70%

69%45%

52%

67%30%

55%

67%46%

51%

65%78%

55%

63%33%

41%

59%47%

44%

63%58%

37%

50%62%

0% 10% 20% 30% 40% 50% 60% 70% 80%

No clear ownership Insuf�cient resources Insuf�cient skills

Figure 19. What are the main challenges in deploying and managing PKI?Top 3 choices

Arabia

Germany

Australia

Japan

Mexico

United States

United Kingdom

India

Russian Federation

France

Brazil


62%

61%43%

39%

59%35%

59%

51%31%

58%

57%39%

34%

56%42%

41%

50%37%

44%

50%

49%32%

50%41%42%

43%47%

42%

49%40%

50%

40%33%

0% 10% 20% 30% 40% 50% 60% 70%

Cloud-based services Consumer mobile Internet of Things (IoT)

Figure 20. What are the most important trends driving thedeployment of applications that make use of PKI?

Top 3 choices

India

Russian Federation

Australia

Mexico

Arabia

Japan

United Kingdom

United States

France

Brazil

Germany

Figure 20 reports what respondents believe are the most important trends that are driving the deployment of applications that make use of PKI. As can be seen, the majority of all respondents, with the exception of German respondents, found that cloud-based services are the most important trend driving application use of PKI technologies. Mexico and Arabia respondents are most likely to see consumer-oriented mobile applications as a driver to PKI adoption. The IoT is beginning to have a significant impact, particularly in the Australia and France.


Our consolidated sampling frame of practitioners in all countries consisted of 138,530 individuals who have bona fide credentials in IT or security fields. From this sampling frame, we captured 5,397 returns of which 595 were rejected for reliability issues. From our final consolidated 2017 sample of 4,802, we calculated the PKI subsample to be 1,510.

Figure 21 summarizes the approximate position levels of respondents in our study. As can be seen, more than half of respondents (54 percent) are at or above the supervisory level.

As shown in Figure 22, 59 percent of respondents identified IT operations as their functional area within the organization and 18 percent of respondents are functioning within security.

PART 3. METHODSTable 1 reports the consolidated sample response for 11 separate country samples. The sample response for this study conducted over a 49-day period ending in February 2017.

Table 1. Sample response

Sampling FY 2017ame

Total returns

Rejected or screened surveys

Overall sample (encryption trends)

PKI subsample

Ratio subsample to overall sample

Frequency

138,530

5,397

595

4,802

1,510

31.4%

44%

32%

3% 2% 2%

18% Senior Executive

Vice President

Director

Manager/Supervisor

Associate/Staff/Technician

Other

Figure 21. Distribution of respondents according to position levelCountry samples are consolidated

18%

3%

59%

8%

8%3%

IT operations

Security

Lines of business (LOB)

Compliance

Finance

Other

Figure 22. Distribution of respondents according to functional area Country samples are consolidated


Figure 23 reports the respondents’ organizations primary industry segments. As shown, 16 percent of respondents are located in the financial services industry, which includes banking, investment management, insurance, brokerage, payments and credit cards. Eleven percent are located in manufacturing and industrial companies. Another 11 percent are located in service companies.

According to Figure 24, the majority of respondents (65 percent) are located in larger-sized organizations with a global headcount of more than 1,000 employees.

16%

11%

11%

10%9%

8%

8%

7%

4%

3%

3%3%

3%2%

Financial servicesManufacturing & industrialServicesPublic sectorTechnology & softwareHealth & pharmaceuticalRetailEnergy & utilitiesConsumer productsHospitalityEducation & researchTransportationCommunicationsEntertainment & mediaOther

4%

Figure 23. Distribution of respondents according to primary industry classi�cationCountry samples are consolidated

22%22%

14%8%5%

30%

Less than 500

500 to 1,000

1,001 to 5,000

5,001 to 25,000

25,001 to 75,000

More than 75,000

Figure 24. Distribution of respondents according to organizational headcount Country samples are consolidated


PART 4. LIMITATIONSThere are inherent limitations to survey research that need to be carefully considered before drawing inferences from the presented findings. The following items are specific limitations that are germane to most survey-based research studies.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners in 11 countries resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.

• Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are representative of individuals who are IT or IT security practitioners within global companies represented in this study.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process including sanity checks, there is always the possibility that some respondents did not provide truthful responses.

APPENDIX: DETAILED SURVEY RESULTSThe following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured over a 49-day period ending February 2017.

2017 Consolidated Survey Response

Sampling frame (11 countries)

Total returns

Rejected surveys

Overall sample (encryption trends)

PKI subsample

Ratio subsample to overall sample

PKI subsample weights

Total

138,530

5,397

595

4,802

1,510

31.4%

100%


Public Key Infrastructure (PKI)

Q1. What best describes your role or involvement in your organization’s enterprise PKI?

I am involved in the management my organization’s PKI

I am involved in developing and/or managing applications thatdepend upon credentials controlled by my organization’s PKI

I am not involved in my organization’s PKI or the applications thatdepend on them (Stop)

My organization does not have an PKI (Stop)

Total

FY 2017

58%

42%

0%

0%

100%

Q2. How would you describe how your organization’s enterprise PKIis deployed? Please select all that apply.

Internal corporate certi�cate authority (CA)


Public CA service

Private CA running within a public cloud

Business partner provided service

Government provided service

Other (please specify)

None of the above (stop)

Total

FY 2017

54%

38%

34%

23%

14%

11%

2%

0%

176%

Q3. Which certificate revocation technique does your organization deploy? Please select all that apply.

Online Certi�cate Status Protocol (OCSP)

Manual certi�cate revocation list (CRL)

Automated CRL


Others (please specify)

None

Unsure

Total

FY 2017

54%

20%

46%

19%

2%

33%

1%

175%


Q4. How many issuing CAs does your PKI support? Those respondents that use an external CA service were removed.

1 or 2

3 or 4

5 or 6

7 or 8

9 or 10

More than 10

Total

Extrapolated value

FY 2017

16%

18%

18%

14%

14%

22%

100%

7.39

Q5. How many certificates does your PKI issue (or have been acquired from an external service)?

Less than 10

10 to100

101 to 1,000

1,001 to 5,000

5,001 to 10,000

10,001 to 50,000

50,001 to 100,000

More than 100,000

Total

Extrapolated value

FY 2017

2%

3%

15%

18%

18%

15%

15%

15%

100%

35,488


Q6. How many distinct applications (e.g., email, network authentication, etc.) does your PKI manage certificates on behalf of?

1 or 2

3 or 4

5 or 6

7 or 8

9 or 10

10 or 20

More than 20

Total

Extrapolated value

FY 2017

4%

14%

24%

23%

17%

12%

6%

100%

8.47

Q7. What security controls and best practices do you use to secure the PKI and CA in particular? Please select all that apply.

Physical secure location

Isolated networks

Strict record keeping (e.g., video recording, independent observers, etc.)

Formal security practices (documented)

Of�ine root CAs

Quorums and dual controls

Multifactor authentication for administrators

Passwords alone without a second factor

No special security measures


Total

FY 2017

47%

21%

13%

40%

28%

13%

59%

29%

6%

2%

258%


Q8b. How do you manage the private keys for your root/policy/issuing CAs?

Hardware security modules (HSMs)

Smart cards (for CA/root key protection)

Removable media for CA/root keys

Other

Total

FY 2017

36%

30%

25%

10%

100%

Q9. If you use HSMs to secure PKI, where are they deployed?Please select all that apply.

Of�ine root

Online root

Issuing CA

Policy CA

Registration Authority

OCSP responder


Total

FY 2017

50%

38%

43%

30%

22%

12%

9%

203%

Q8a. Do you have PKI specialists on staff?

Yes

No

Rely on consultants

Rely on service provider

Total

FY 2017

43%

27%

15%

14%

100%


Q10. What are the main challenges in deploying and managing PKI? Please select 4 top choices.

No clear ownership

Insuf�cient resources

Insuf�cient skills

Lack of clear understanding of the requirements


Requirements are too fragmented or inconsistent

No suitable products or technologies available

Necessary performance and reliability is hard to achieve

Commercial solutions are too complicated or too expensive

Lack of visibility of the applications that will depend on PKI

Lack of advisory services and support

Too hard to transition from current approach to a new system


Total

FY 2017

69%

42%

47%

34%

41%

26%

18%

39%

31%

35%

7%

11%

1%

400%

Q11. As you plan the evolution of your PKI, where are the greatest areas of possible change and uncertainty? Please select 2 top choices.

PKI technologies

Vendors (products and services)

Enterprise applications

Internal security policies

External mandates and standards

Budget and resources

Management expectations

New applications (e.g., Internet of Things)


Total

FY 2017

26%

14%

19%

20%

47%

17%

21%

36%

1%

200%


Q12. In your opinion, which security certifications are important when deploying PKI infrastructure?

Common Criteria EAL Level 4+

FIPS 140-2 Level 3

Regional certi�cations for use by government

Regional standards such as digital signature laws

Other please specify

None of the above (certi�cation is not an important factor)

Total

FY 2017

64%

65%

20%

22%

1%

12%

184%

Q13. What applications use PKI credentials in your organization?

SSL certi�cates for public facing websites and services

Private networks and VPN

Email security

Enterprise user authentication

Device authentication

Document/message signing

Code signing

Public cloud-based applications and services

Private cloud-based applications


None of the above

Total

FY 2017

84%

65%

51%

50%

52%

42%

31%

56%

44%

1%

4%

479%


Q14. In your opinion, what are the most important trends that are driving the deployment of applications that make use of PKI? Please select 2 top choices.

Consumer mobile

Cloud-based services

BYOD and internal mobile device management

Internet of Things (IoT)

Regulatory environment

Consumer-oriented mobile applications

E-commerce

Risk management

Cost savings


Total

FY 2017

41%

54%

8%

40%

23%

19%

5%

2%

6%

1%

200%

Q15. What are the challenges to enable applications to utilize PKI?Please select 4 top choices.

No pre-existing PKI

Existing PKI is incapable of supporting new applications

Insufficient resources

Insufficient skills

Lack of clear understanding of requirements


Requirements are too fragmented or inconsistent

No ability to change legacy apps

Lack of visibility of the security capabilities of existing PKI

Conflict with other apps using the same PKI

Specific operational issues (such as revocation and performance) arehard to resolve

Lack of advisory support


Total

FY 2017

35%

54%

41%

43%

30%

40%

23%

52%

28%

30%

16%

6%

0%

400%


Q16. Do you believe that the Internet of Things continues to grow, that supporting PKI deployments for IoT device credentialing will be:

Primarily cloud-based

Primarily enterprise-based

Combination of cloud-based and enterprise-based

Total

FY 2017

25%

32%

43%

100%

Q17. What percentage of IoT devices that will likely be used by your organization in the next two years do you believe will rely primarily on digital certificates for identification/authentication?

Less than 10%

10% to 25%

26% to 50%

51% to 75%

76% to 100%

Total

Extrapolated value

FY 2017

11%

19%

36%

22%

13%

100%

43%

About Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About Thales eSecurity

Thales eSecurity is the leader in advanced data security solutions and services that deliver trust wherever information is created, shared or stored. We ensure that the data belonging to companies and government entities is both secure and trusted in any environment – on-premise, in the cloud, in data centers or big data environments – without sacrificing business agility. Security doesn’t just reduce risk, it’s an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and, with the internet of things (IoT), even household devices. Thales provides everything an organization needs to protect and manage its data, identities and intellectual property, and meet regulatory compliance – through encryption, advanced key management, tokenization, privileged-user control and high-assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organization’s digital transformation. Thales eSecurity is part of Thales Group.

About Thales

Thales is a global technology leader for the Aerospace, Transport, Defence and Security markets. With 64,000 employees in 56 countries, Thales reported sales of €14.9 billion in 2016. With over 25,000 engineers and researchers, Thales has a unique capability to design and deploy equipment, systems and services to meet the most complex security requirements. Its exceptional international footprint allows it to work closely with its customer all over the world.

2017 PKI GLOBAL TRENDS STUDY - Thales...

Documents

Transcript of 2017 PKI GLOBAL TRENDS STUDY - Thales...