2019 GLOBAL PKI AND IoT TRENDS STUDY

PART 1. INTRODUCTION
PART 2. KEY FINDINGS
  The influence of the IoT
  Trends in PKI maturity
  Trends in PKI challenges
  Global analysis
  PKI trends by industry
PART 3. METHODS
PART 4. LIMITATIONS
APPENDIX: DETAILED SURVEY RESULTS

Sponsored by nCipher Security, an Entrust Datacard company

Independently conducted by Ponemon Institute LLC

INTRODUCTION

Ponemon Institute is pleased to present the findings of the 2019 Global PKI and IoT Trends Study, sponsored by nCipher Security, an Entrust Datacard company. According to the findings, the rapid growth in the use of IoT devices [1] is having an impact on the use of PKI technologies, and there is a realization that PKI provides important core authentication technologies for the IoT.

This report summarizes the fifth annual results of a survey completed by 1,884 IT and IT security practitioners in the following 14 countries/regions: Australia, Brazil, France, Germany, Hong Kong and Taiwan, India, Japan, Mexico, the Middle East (Saudi Arabia and the United Arab Emirates), the Russian Federation, South Korea, Southeast Asia (Indonesia, Malaysia, Philippines, Thailand, and Vietnam), the United Kingdom, and the United States.

Figure 1 shows the primary practices organizations take to secure PKI and Certificate Authorities (CAs). Most companies represented in this study are using multifactor authentication for administrators (60 percent of respondents). However, dependency on passwords has declined from 30 percent of respondents to 24 percent of respondents. A related question revealed that the usage of Hardware Security Modules, most prevalent with offline root CAs and issuing CAs, increased slightly to 42 percent of respondents from 39 percent of respondents in 2018.

The report tabulates the responses to the survey and draws some limited conclusions as to how best practices are reflected in observed practices, and the influence of cloud computing, the Internet of Things, and other important industry trends.

This work is part of a larger study published in April 2019 involving 5,856 respondents in 14 countries/regions [2]. The purpose of this research is to better understand the use of PKI in organizations. All participants in this research are either involved in the management of their organizations’ enterprise PKI or in developing and/or managing applications that depend upon credentials controlled by their organizations’ PKI.

[1] Gartner predicts by 2020 there will be 20.4 billion IoT devices, of which 7.5 billion will be for business purposes and 12.8 will be for consumers.
[2] See: 2019 Global Encryption Trends Study (sponsored by nCipher), Ponemon Institute, April 2019.

Figure 1. Practices used to secure PKI and Certificate Authorities
[Chart: FY17, FY18 and FY19 percentages for Multifactor authentication for administrators; Physical secure location; Formal security practices (documented); Offline root CAs; Passwords alone without a second factor; Isolated networks.]

KEY FINDINGS

In this section of the report we provide an analysis of the global results. The complete audited findings are presented in the Appendix of this report.

- The influence of the IoT
- Trends in PKI maturity
- Trends in PKI challenges

The influence of the IoT

PKI changes due to external mandates continue to decline, but changes due to new applications continue to increase. According to Figure 2, 39 percent of respondents say the biggest change will be external mandates and standards (a significant decline from 56 percent of respondents in 2015) and 40 percent of respondents say new applications such as the Internet of Things will drive change (a significant increase from 14 percent of respondents in 2015). The influence of PKI technologies and enterprise applications also decreased significantly since 2015.

Figure 2. Areas expected to experience the most change and uncertainty
Consolidated view; two responses permitted
[Chart: FY15 to FY19 percentages for New applications (e.g., Internet of Things); External mandates and standards; PKI technologies; Management expectations; Enterprise applications; Budget and resources; Internal security policies; Vendors (products and services); Other.]


IoT is becoming a major driver for the use of PKI. There is growing recognition that PKI provides important core authentication technology for the IoT. Since 2015, the share of respondents who say IoT is the most important trend driving the deployment of applications using PKI has increased significantly, from 21 percent to 41 percent in 2019. In contrast, cloud-based services as an influence in the deployment of applications that make use of PKI decreased from 64 percent of respondents in 2015 to 49 percent of respondents in this year’s research (Figure 3). This should define the challenges facing PKI vendors and administrators alike as they adapt the technology to these new realities.

Figure 3. The most important trends driving the deployment of applications using PKI
Consolidated view; two responses permitted
[Chart: FY15 to FY19 percentages for Cloud-based services; Consumer mobile; Internet of Things (IoT); Regulatory environment; Consumer-oriented mobile applications; BYOD and internal mobile device management; E-commerce; Cost savings; Risk management; Other.]


In the next two years, an average of 42 percent of IoT devices in use will rely primarily on digital certificates for identification and authentication. As shown in Figure 4, 44 percent of respondents believe that, as the IoT continues to grow, supporting PKI deployments for IoT device credentialing will be a combination of cloud-based and enterprise-based.

Altering the function of an IoT device is the most significant threat to IoT deployments. When rating the top IoT threats, 68 percent of respondents chose altering the function of a device (e.g., by loading malware), followed by controlling the device remotely (54 percent). The threat of use of an IoT device as a network entry point, as well as capturing data from an IoT device, each were rated as top threats by 39 percent of respondents.

Protecting confidentiality and integrity of device data is the most important IoT security capability today. Out of five IoT security capabilities, respondents rated protection of the confidentiality and integrity of device data as the most important, followed by device authentication, monitoring device behavior, device discovery, and delivery of patches and updates to devices.

Figure 4. What models will be used for PKI deployments supporting IoT device credentialing?
Consolidated view
[Chart: FY17, FY18 and FY19 percentages for Combination of cloud-based and enterprise-based; Primarily enterprise-based; Primarily cloud-based.]

Trends in PKI maturity

As shown in Figure 5, the certificate revocation technique most often deployed continues to be the Online Certificate Status Protocol (OCSP), cited by 58 percent of respondents (an increase from 46 percent of respondents since the 2015 study). The next most popular technique is the use of an automated certificate revocation list (CRL) (44 percent of respondents).

Similar to last year, 30 percent of respondents say they do not deploy a certificate revocation technique. There are many possible explanations for this high percentage – use of alternate means to remove users/devices, use of short lifespan certificates, closed systems, etc.

Figure 5. The certificate revocation techniques used in enterprises
Consolidated view; more than one response permitted
[Chart: FY15 to FY19 percentages for Online Certificate Status Protocol (OCSP); Automated CRL; None; Manual certificate revocation list (CRL); Validation Authority; Others; Unsure.]


Hardware security modules (HSMs) are the most common method organizations use to manage the private keys for their root/policy/issuing CAs, as shown in Figure 6. Twenty-six percent of respondents say smart cards are used. A related question revealed that almost half of respondents (45 percent) say they have PKI specialists on staff.

Among the 42 percent of organizations in this study that use HSMs to secure PKI, HSMs are used across the entire architecture of the PKI, as shown in Figure 7. As an example of best practice, NIST calls to “Ensure that Cryptographic modules for CAs, Key Recovery Servers, and OCSP responders are hardware modules validated as meeting FIPS 140-2 Level 3 or higher” (NIST Special Publication 800-57 Part 3). Yet, only 11 percent of our respondents indicate the presence of HSMs in their OCSP installations. This is a significant gap between best practices and observed practices.

Figure 6. How do you manage the private keys for your root/policy/issuing CAs?
[Chart: FY16 to FY19 percentages for Hardware security modules (HSMs); Smart cards (for CA/root key protection); Removable media for CA/root keys; Other.]

Figure 7. Where HSMs are deployed to secure PKI
Consolidated view; more than one response permitted
[Chart: FY15 to FY19 percentages for Offline root; Issuing CA; Online root; Policy CA; Registration Authority; OCSP responder; Validation Authority.]


It is often difficult for applications to use PKI. As shown in Figure 8, the most significant challenge organizations will continue to face, with respect to enabling applications to use PKI, is the inability of an existing PKI to support new applications, according to 56 percent of respondents. However, this has declined from 63 percent of respondents in 2015. This finding could be based on respondents’ concerns about a dearth of resources and expertise.

Figure 8. The challenges to enable applications to utilize PKI
Consolidated view; four responses permitted
[Chart: FY15 to FY19 percentages for Existing PKI is incapable of supporting new applications; No ability to change legacy apps; Insufficient skills; Insufficient resources; Lack of visibility of the security capabilities of existing PKI; Too much change or uncertainty; Lack of clear understanding of requirements; No pre-existing PKI; Conflict with other apps using the same PKI; Requirements are too fragmented or inconsistent; Specific operational issues (such as revocation and performance) are hard to resolve; Lack of advisory support; Other.]


Other challenges to enabling applications include no ability to change legacy apps (46 percent of respondents) and insufficient skills and resources (45 percent and 38 percent of respondents, respectively). The challenge of lack of visibility of the security capabilities of existing PKI increased from 19 percent of respondents in 2015 to 36 percent of respondents in 2019.

Trends in PKI challenges

Organizations with internal CAs use an average of eight separate issuing CAs, managing an average of 38,631 internal or externally acquired certificates. As shown in Figure 9, an average of eight distinct applications, such as email and network authentication, are supported by an organization’s PKI. This indicates that the PKI is at the core of the enterprise IT backbone. Not only the number of applications dependent upon the PKI but the nature of them indicates that the PKI is a strategic part of the core IT backbone.

Figure 9. How many distinct applications does your PKI manage certificates on behalf of?
Consolidated view; extrapolated value is 8.52 distinct applications
[Chart: FY19 percentage of respondents by number of applications: 1 or 2; 3 or 4; 5 or 6; 7 or 8; 9 or 10; 11 or 12; 13 or 14; 15 or more.]

The main PKI deployment challenge continues to be the lack of clear ownership of the PKI function. As shown in Figure 10, 68 percent of respondents believe there is no one function responsible for managing PKI. This is not in line with best practices, which assume as a baseline a sufficient degree of staffing and competency to define and maintain the process and procedures on which a modern PKI depends.

Other deployment problems include: insufficient resources (49 percent of respondents), insufficient skills (47 percent of respondents) and too much change or uncertainty (38 percent of respondents).

Figure 10. The main challenges deploying and managing PKI
Consolidated view; four responses permitted
[Chart: FY15 to FY19 percentages for No clear ownership; Insufficient resources; Insufficient skills; Too much change or uncertainty; Necessary performance and reliability is hard to achieve; Lack of clear understanding of the requirements; Lack of visibility of the applications that will depend on PKI; Commercial solutions are too complicated or too expensive; Requirements are too fragmented or inconsistent; No suitable products or technologies available; Too hard to transition from current approach to a new system; Lack of advisory services and support; Other.]


Common Criteria EAL Level 4+ is the most important security certification when deploying PKI infrastructure and PKI-based applications. According to Figure 11, 64 percent say Common Criteria followed by 60 percent who say FIPS 140 is most important when deploying PKI. Twenty-five percent say it is regional standards such as digital signature laws (a decrease from 31 percent in 2015). In the U.S., FIPS 140 is the standard called out by NIST in its definition of a “cryptographic module” which is mandatory for most U.S. federal government applications and a best practice in all PKI implementations.

Figure 11. Security certifications important when deploying PKI infrastructure
Consolidated view; more than one response permitted
[Chart: FY15 to FY19 percentages for Common Criteria EAL Level 4+; FIPS 140-2 Level 3; Regional standards such as digital signature laws; Regional certifications for use by government; None of the above (certification is not an important factor); Other.]


Private networks and VPN and cloud-based applications and services increase the use of PKI credentials significantly. According to Figure 12, 79 percent of respondents say the application most often using PKI credentials is SSL certificates for public facing websites and services. However, this finding decreased from 84 percent of respondents in last year’s research. Other applications and services primarily used are private networks and VPN (69 percent of respondents), public cloud-based applications and services (55 percent of respondents), email security (54 percent of respondents) and enterprise user authentication (51 percent of respondents). These are the basic building blocks of the modern enterprise IT system and digital certificates have become much like storage, a commodity component of the system, no longer an exotic add on.

Figure 12. What applications use PKI credentials in organizations?
Consolidated view; more than one response permitted
[Chart: FY15 to FY19 percentages for SSL certificates for public facing websites and services; Private networks and VPN; Public cloud-based applications and services; Email security; Enterprise user authentication; Device authentication; Private cloud-based applications; Document/message signing; Code signing; None of the above; Other.]


What are the most popular methods for deploying enterprise PKI? The most cited method for deploying enterprise PKI, according to Figure 13, is through an internal corporate certificate authority (CA) or an externally hosted private CA – managed service, according to 63 percent and 43 percent of respondents, respectively.

The percentage of respondents who say their companies use externally hosted private CAs declined since 2015 (48 percent vs. 43 percent). Since 2015, more companies have deployed PKI using a private CA running within a public cloud, an increase from 9 percent to 22 percent of respondents.

Figure 13. How is PKI deployed?
Consolidated view; more than one response permitted
[Chart: FY15 to FY19 percentages for Internal corporate certificate authority (CA); Externally hosted private CA – managed service; Public CA service; Private CA running within a public cloud; Business partner provided service; Government provided service; Other.]

Global analysis

Figure 14 shows how PKI is deployed within respondents’ organizations. As can be seen, German, U.S., Japanese and Korean respondents are most likely to choose internal corporate certificate authority. In contrast, Korea, Middle East, and Hong Kong & Taiwan respondents are most likely to choose external hosted private certificate authorities as a managed service.

When asked about the revocation techniques deployed, 30 percent of respondents said none. As shown in Figure 15, of those respondents who say their organizations use a certificate revocation technique, German, Brazilian and Japanese respondents are most likely to use online certificate status protocol (OCSP). Russian Federation, German and U.S. organizations are most likely to use automated CRLs.

As noted above, this implies a true chasm between operational best practices and observed practices. Certificates have a life span. During that life span, circumstances change and certificates outlive their purpose. Without a method of revoking certificates the population of valid, extant certificates simply grows.

We can surmise that there are connections between this observed deviation from best practices and the significant lack of dedicated personnel and skills called out in the study. When something as basic as lack of revocation processes is this common, one has to wonder about the currency of documentation on and processes for managing the average of eight major enterprise applications that are dependent on the PKI.

Figure 14. How would you describe how your organization’s enterprise PKI is deployed?
Top 2 choices
[Chart: percentages for Internal corporate certificate authority (CA) and Externally hosted private CA – managed service, by country/region: DE, US, JP, KO, AU, IN, UK, ME, SA, FR, MX, HKT, BZ, RF.]

Figure 15. Which certificate revocation technique does your organization deploy?
Top 2 choices = OCSP and Automated CRL
[Chart: percentages for Online Certificate Status Protocol (OCSP) and Automated CRL, by country/region: DE, BZ, JP, US, HKT, SA, FR, UK, AU, ME, KO, MX, IN, RF.]

Country/region abbreviations:
DE: Germany
US: United States
JP: Japan
KO: Korea
AU: Australia
IN: India
UK: United Kingdom
ME: Middle East
SA: Southeast Asia
FR: France
MX: Mexico
HKT: Hong Kong and Taiwan
BZ: Brazil
RF: Russian Federation


According to Figure 16, the U.S. and Germany have the most individual CAs deployed within their organizations (9.65 and 9.24, respectively). Brazil and the Russian Federation have the least number of individual CAs (5.93 and 5.19, respectively).

Again, this reinforced the penetration of the PKI into the core IT backbone of the modern organization. And, given the stated lack of skilled personnel and organizational clarity, combined with the lack of consistent revocation practices, one has to draw attention to risks to the health and integrity of these important core enterprise applications.

Figure 17 shows the number of distinct applications (e.g., email, network authentication, etc.) for which a PKI manages certificates. The U.S. at 11.60 has the largest number of distinct applications. Australia (6.76) and Russia (6.18) have the smallest number of distinct applications.

One should note that even in the lowest figures the average number of applications is just north of 6. Given previous responses, we can extrapolate that these likely include email, SSL certificates, device identification and logon credentials. These are non-trivial applications, the failure of which could pose existential risks to the host organization.

Figure 16. What best describes the number of individual CAs in your organization?
Extrapolated average values
[Chart: extrapolated average values by country/region: US, DE, UK, JP, KO, SA, HKT, ME, IN, AU, FR, MX, BZ, RF.]

Figure 17. How many distinct applications does your PKI manage certificates on behalf of?
Extrapolated average values
[Chart: extrapolated average values by country/region: US, DE, UK, JP, KO, SA, HKT, ME, IN, AU, FR, MX, BZ, RF.]

Figure 18 reports the three most salient challenges in deploying and managing PKI. As can be seen, Middle East, Australia, Korea and Hong Kong & Taiwan respondents are most likely to say no clear ownership as their most significant challenge. Russian respondents are most likely to say insufficient resources. Southeast Asia, Russian and Korea respondents are most likely to cite insufficient skills as a top three challenge.

There is a consistent theme in these responses. We can see the importance of the PKI growing and its integration with core IT applications. Also, PKI’s near term future is being buffeted by trends towards the cloud and mobility. However, globally there is a lack of trained people and tendency towards fuzzy ownership of the PKI. This is a significant departure from known best practices that require direct lines of responsibility for all PKI dependent applications and clear documentation of the dependencies and risk mitigation strategies. One has to wonder about the condition of required PKI documentation and processes given these high rates of skills and personnel shortages.

Figure 18. What are the main challenges in deploying and managing PKI?
Top 3 choices
[Chart: percentages for No clear ownership; Insufficient skills; Insufficient resources, by country/region: US, DE, UK, JP, KO, SA, HKT, ME, IN, AU, FR, MX, BZ, RF.]

As organizations plan the evolution of their PKI, where are the greatest areas of possible change and uncertainty? Figure 19 provides the top three choices. Accordingly, U.S., Japan and France are most likely to find external mandates and standards as the greatest area of change and uncertainty. The U.S. and Russian respondents are most likely to select new applications, and Russian, India and German respondents are most likely to see PKI technologies as the greatest areas for change and uncertainty.

Given the high levels of uncertainty and increasing challenges to the status quo, organizations that are already challenged by a lack of clear authority and a dearth of skills and personnel will be stressed further as they attempt to come into compliance with best practices.

Figure 19. Where are the greatest areas of change and uncertainty in the evolution of your PKI?
Top 3 choices
[Chart: percentages for External mandates and standards; New applications; PKI technologies, by country/region: US, JP, FR, AU, BZ, DE, UK, KO, RF, IN, ME, MX, SA, HKT.]

Figure 20 reports what respondents believe are the most important trends that are driving the deployment of applications that make use of PKI. As can be seen, Russia, India and Middle East are most likely to cite cloud-based services as driving the deployment of applications that make use of PKI.

Brazil, Hong Kong and Taiwan, and Korea respondents are most likely to see consumer-oriented mobile applications as a driver to PKI adoption. The IoT is beginning to have a significant impact, particularly in the U.S., Hong Kong and Taiwan and Japan.

Figure 20. What are the most important trends that are driving the deployment of applications that make use of PKI?
Top 3 choices
[Chart: percentages for Cloud-based services; Consumer mobile; Internet of Things, by country/region: RF, IN, ME, JP, KO, SA, MX, BZ, UK, HKT, US, DE, AU, FR.]

METHODS

Table 1 reports the consolidated sample response for 14 separate country/region samples. Responses for this study were collected over a 49-day period ending in December 2018. Our consolidated sampling frame of practitioners in all countries consisted of 150,066 individuals who have bona fide credentials in IT or security fields. From this sampling frame, we captured 6,502 returns, of which 646 were rejected for reliability issues. From our final consolidated 2019 sample of 5,856, we calculated the PKI subsample to be 1,884.

Figure 21 reports respondents’ organizational level within participating organizations. By design, 56 percent of respondents are at or above the supervisory level. Respondents have on average 10 years of security experience, with approximately 7 years of experience in their current position.

As shown in Figure 22, 55 percent of respondents identified IT operations as their functional area within the organization, 19 percent of respondents are functioning within security and 12 percent of respondents are functioning within the lines of business.

Table 1. Sample response

Sample response | Frequency
Sampling frame | 150,066
Total returns | 6,502
Rejected or screened surveys | 646
Overall sample (encryption trends) | 5,856
PKI subsample | 1,884
Ratio subsample to overall sample | 32%

Figure 21. Distribution of respondents according to position level. Consolidated view

[Pie chart. Categories: Senior Executive; Vice President; Director; Manager/Supervisor; Associate/Staff/Technician; Other.]

Figure 22. Distribution of respondents according to functional area. Consolidated view

[Pie chart. Categories: IT operations; Security; Lines of business (LOB); Compliance; Finance; Other.]


Figure 23 reports the primary industry segments of respondents’ organizations. As shown, 15 percent of respondents are located in the financial services industry, which includes banking, investment management, insurance, brokerage, payments and credit cards. Eleven percent are located in the manufacturing and industrial sectors, 11 percent are located in the services sector and 9 percent are located in the public sector, including central and local government.

According to Figure 24, the majority of respondents (60 percent) are located in larger-sized organizations with a global headcount of more than 1,000 employees.

Figure 23. Distribution of respondents according to primary industry classification. Consolidated view

[Pie chart. Categories: Financial services; Manufacturing & industrial; Services; Public sector; Technology & software; Health & pharmaceutical; Retail; Energy & utilities; Transportation; Consumer products; Education & research; Hospitality; Communications; Entertainment & media; Other.]

Figure 24. Distribution of respondents according to organizational headcount. Country samples are consolidated

[Pie chart. Categories: Less than 500; 500 to 1,000; 1,001 to 5,000; 5,001 to 25,000; 25,001 to 75,000; More than 75,000.]


PART 4. LIMITATIONS


There are inherent limitations to survey research that need to be carefully considered before drawing inferences from the presented findings. The following items are specific limitations that are germane to most survey-based research studies.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners in 14 countries/regions resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.

• Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are representative of individuals who are IT or IT security practitioners within global companies represented in this study.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process including sanity checks, there is always the possibility that some respondents did not provide truthful responses.


APPENDIX: DETAILED SURVEY RESULTS


The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study.

Public Key Infrastructure (PKI)

2019 Survey Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
Sampling frame | 150,066 | 151,334 | 138,530 | 131,453 | 130,123
Total returns | 6,502 | 5,861 | 5,397 | 5,605 | 5,297
Rejected or screened surveys | 646 | 609 | 595 | 596 | 683
Overall sample (encryption trends) | 5,856 | 5,252 | 4,802 | 5,009 | 4,714
PKI subsample | 1,884 | 1,688 | 1,510 | 1,583 | 1,511
Ratio subsample to overall sample | 32.2% | 32.1% | 31.4% | 31.6% | 32.1%

Q18. What best describes your role or involvement in your organization’s enterprise PKI?

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
I am involved in the management of my organization’s PKI | 59% | 60% | 58% | 54% | 49%
I am involved in developing and/or managing applications that depend upon credentials controlled by my organization’s PKI | 41% | 40% | 42% | 46% | 51%
I am not involved in my organization’s PKI or the applications that depend on them (Stop) | 0% | 0% | 0% | 0% | 0%
My organization does not have a PKI (Stop) | 0% | 0% | 0% | 0% | 0%
Total | 100% | 100% | 100% | 100% | 100%

Q19. How would you describe how your organization’s enterprise PKI is deployed? Please select all that apply.

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
Internal corporate certificate authority (CA) | 63% | 56% | 54% | 51% | 44%
Externally hosted private CA – managed service | 43% | 40% | 38% | 41% | 48%
Public CA service | 31% | 33% | 34% | 29% | 25%
Private CA running within a public cloud | 22% | 23% | 23% | 18% | 9%
Business partner provided service | 15% | 16% | 14% | 15% | 16%
Government provided service | 10% | 11% | 11% | 12% | 9%
Other (please specify) | 2% | 2% | 2% | 2% | 0%
None of the above (stop) | 0% | 0% | 0% | 0% | 0%
Total | 187% | 181% | 176% | 168% | 151%


Q20. Which certificate revocation technique does your organization deploy? Please select all that apply.

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
Online Certificate Status Protocol (OCSP) | 58% | 57% | 54% | 52% | 46%
Manual certificate revocation list (CRL) | 19% | 20% | 20% | 24% | 33%
Automated CRL | 44% | 47% | 46% | 43% | 37%
Validation Authority | 19% | 18% | 19% | 20% | 19%
Others (please specify) | 1% | 1% | 2% | 3% | 3%
None | 30% | 30% | 33% | 37% | 37%
Unsure | 1% | 1% | 1% | 2% | 2%
Total | 172% | 174% | 175% | 181% | 177%

Q21. How many issuing CAs does your PKI support? Those respondents that use an external CA service were removed.

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
1 or 2 | 12% | 13% | 16% | 18% | 21%
3 or 4 | 17% | 17% | 18% | 19% | 25%
5 or 6 | 18% | 17% | 18% | 17% | 15%
7 or 8 | 15% | 14% | 14% | 13% | 13%
9 or 10 | 17% | 16% | 14% | 14% | 11%
More than 10 | 22% | 23% | 22% | 19% | 15%
Total | 100% | 100% | 100% | 100% | 100%
Extrapolated value | 7.74 | 7.70 | 7.39 | 6.76 | 6.17

Q22. How many certificates does your PKI issue (or have been acquired from an external service)?

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
Less than 10 | 1% | 1% | 2% | 1% | 0%
10 to 100 | 3% | 3% | 3% | 4% | 5%
101 to 1,000 | 11% | 12% | 15% | 16% | 22%
1,001 to 5,000 | 19% | 18% | 18% | 19% | 17%
5,001 to 10,000 | 17% | 17% | 18% | 16% | 16%
10,001 to 50,000 | 15% | 16% | 15% | 12% | 11%
50,001 to 100,000 | 16% | 17% | 15% | 17% | 16%
More than 100,000 | 17% | 16% | 15% | 14% | 12%
Total | 100% | 100% | 100% | 100% | 100%
Extrapolated value | 39,197 | 38,631 | 35,488 | 35,534 | 31,409


Q23. How many distinct applications (e.g., email, network authentication, etc.) does your PKI manage certificates on behalf of?

Response | FY2019 | FY2018
1 or 2 | 5% | 5%
3 or 4 | 12% | 12%
5 or 6 | 20% | 21%
7 or 8 | 19% | 23%
9 or 10 | 17% | 17%
11 or 12* | 13% | 13%
13 or 14* | 7% | 6%
15 or more* | 8% | 3%
Total | 100% | 100%
Extrapolated value | 8.52 | 7.97

*A different response scale was used for FY2015, FY2016 and FY2017

Year | Responses (in scale order) | Total | Extrapolated value
FY2017 | 4%, 14%, 24%, 23%, 17%, 12%, 6% | 100% | 8.47
FY2016 | 5%, 14%, 26%, 27%, 13%, 10%, 5% | 100% | 7.87
FY2015 | 7%, 19%, 25%, 29%, 12%, 5%, 3% | 100% | 7.30

Q24. What security controls and best practices do you use to secure the PKI and CA in particular? Please select all that apply.

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
Physical secure location | 46% | 48% | 47% | 45% | 48%
Isolated networks | 22% | 23% | 21% | 23% | 20%
Strict record keeping (e.g., video recording, independent observers, etc.) | 14% | 15% | 13% | 11% | 4%
Formal security practices (documented) | 42% | 40% | 40% | 39% | 41%
Offline root CAs | 28% | 30% | 28% | 30% | 27%
Quorums and dual controls | 13% | 14% | 13% | 6% | 3%
Multifactor authentication for administrators | 60% | 62% | 59% | 52% | 48%
Passwords alone without a second factor | 24% | 30% | 29% | 34% | 53%
No special security measures | 5% | 5% | 6% | 7% | 6%
Other (please specify) | 1% | 1% | 2% | 2% | 1%
Total | 256% | 268% | 286% | 249% | 251%

Q25a. Do you have PKI specialists on staff?

Response | FY2019 | FY2018 | FY2017 | FY2016
Yes | 45% | 48% | 43% | 39%
No | 24% | 23% | 27% | 30%
Rely on consultants | 16% | 16% | 15% | 17%
Rely on service provider | 14% | 14% | 14% | 15%
Total | 100% | 100% | 100% | 100%


Q25b. How do you manage the private keys for your root/policy/issuing CAs?

Response | FY2019 | FY2018 | FY2017 | FY2016
Hardware security modules (HSMs) | 42% | 39% | 36% | 32%
Smart cards (for CA/root key protection) | 26% | 28% | 30% | 28%
Removable media for CA/root keys | 23% | 23% | 25% | 25%
Other | 10% | 10% | 10% | 15%
Total | 100% | 100% | 100% | 100%

Q26. If you use HSMs to secure PKI, where are they deployed? Please select all that apply.

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
Offline root | 48% | 50% | 50% | 48% | 42%
Online root | 34% | 35% | 38% | 37% | 32%
Issuing CA | 41% | 40% | 43% | 45% | 46%
Policy CA | 29% | 30% | 30% | 32% | 27%
Registration Authority | 22% | 23% | 22% | 23% | 19%
OCSP responder | 11% | 12% | 12% | 10% | 12%
Validation Authority | 8% | 8% | 9% | 7% | 5%
Total | 193% | 197% | 203% | 202% | 183%

Q27. What are the main challenges in deploying and managing PKI? Please select 4 top choices.

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
No clear ownership | 68% | 70% | 69% | 71% | 68%
Insufficient resources | 49% | 47% | 42% | 43% | 46%
Insufficient skills | 47% | 48% | 47% | 46% | 45%
Lack of clear understanding of the requirements | 36% | 35% | 34% | 32% | 31%
Too much change or uncertainty | 38% | 39% | 41% | 39% | 39%
Requirements are too fragmented or inconsistent | 27% | 27% | 26% | 24% | 22%
No suitable products or technologies available | 20% | 20% | 18% | 18% | 17%
Necessary performance and reliability is hard to achieve | 37% | 35% | 39% | 40% | 43%
Commercial solutions are too complicated or too expensive | 28% | 29% | 31% | 31% | 32%
Lack of visibility of the applications that will depend on PKI | 31% | 32% | 35% | 37% | 40%
Lack of advisory services and support | 6% | 6% | 7% | 7% | 8%
Too hard to transition from current approach to a new system | 11% | 12% | 11% | 10% | 11%
Other (please specify) | 1% | 1% | 1% | 1% | 0%
Total | 400% | 400% | 400% | 400% | 400%


Q28. As you plan the evolution of your PKI, where are the greatest areas of possible change and uncertainty? Please select 2 top choices.

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015*
PKI technologies | 28% | 26% | 26% | 26% | 35%
Vendors (products and services) | 16% | 15% | 14% | 14% | 15%
Enterprise applications | 19% | 18% | 19% | 22% | 30%
Internal security policies | 18% | 18% | 20% | 18% | 22%
External mandates and standards | 39% | 42% | 47% | 48% | 56%
Budget and resources | 19% | 19% | 17% | 18% | 14%
Management expectations | 21% | 20% | 21% | 26% | 28%
New applications (e.g., Internet of Things) | 40% | 42% | 36% | 26% | 14%
Other (please specify) | 1% | 1% | 1% | 2% | 0%
Total | 200% | 200% | 200% | 200% | 214%

*FY2015 question was framed as "all that apply" rather than top 2 choices

Q29. In your opinion, which security certifications are important when deploying PKI infrastructure? Please select all that apply.

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
Common Criteria EAL Level 4+ | 64% | 66% | 64% | 64% | 61%
FIPS 140-2 Level 3 | 60% | 62% | 65% | 69% | 67%
Regional certifications for use by government | 23% | 25% | 20% | 23% | 24%
Regional standards such as digital signature laws | 25% | 26% | 22% | 24% | 31%
Other (please specify) | 0% | 1% | 1% | 2% | 1%
None of the above (certification is not an important factor) | 11% | 14% | 12% | 13% | 17%
Total | 182% | 194% | 184% | 195% | 201%

Q30. What applications use PKI credentials in your organization?

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
SSL certificates for public facing websites and services | 79% | 84% | 84% | 81% | 78%
Private networks and VPN | 69% | 71% | 65% | 75% | 69%
Email security | 54% | 53% | 51% | 54% | 50%
Enterprise user authentication | 51% | 49% | 50% | 50% | 54%
Device authentication | 50% | 51% | 52% | 58% | 51%
Document/message signing | 44% | 42% | 42% | 43% | 35%
Code signing | 32% | 32% | 31% | 34% | 31%
Public cloud-based applications and services | 55% | 56% | 56% | 62% | 50%
Private cloud-based applications | 46% | 44% | 44% | 49% | 43%
Other (please specify) | 2% | 2% | 1% | 2% | 0%
None of the above | 2% | 3% | 4% | 0% | 0%
Total | 486% | 487% | 479% | 508% | 461%


Q31. In your opinion, what are the most important trends that are driving the deployment of applications that make use of PKI? Please select 2 top choices.

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
Consumer mobile | 44% | 45% | 41% | 52% | 50%
Cloud-based services | 49% | 45% | 54% | 61% | 64%
BYOD and internal mobile device management | 10% | 9% | 8% | 9% | 8%
Internet of Things (IoT) | 41% | 44% | 40% | 28% | 21%
Regulatory environment | 21% | 21% | 23% | 7% | 10%
Consumer-oriented mobile applications | 20% | 21% | 19% | 27% | 26%
E-commerce | 7% | 7% | 5% | 7% | 9%
Risk management | 2% | 2% | 2% | 1% | 3%
Cost savings | 5% | 5% | 6% | 7% | 10%
Other (please specify) | 1% | 1% | 1% | 1% | 0%
Total | 200% | 200% | 200% | 200% | 200%

Q32. What are the challenges to enable applications to utilize PKI? Please select 2 top choices.

Response | FY2019 | FY2018 | FY2017 | FY2016 | FY2015
No pre-existing PKI | 35% | 35% | 35% | 37% | 45%
Existing PKI is incapable of supporting new applications | 56% | 57% | 54% | 58% | 63%
Insufficient resources | 38% | 40% | 41% | 41% | 39%
Insufficient skills | 45% | 42% | 43% | 42% | 40%
Lack of clear understanding of requirements | 35% | 29% | 30% | 30% | 29%
Too much change or uncertainty | 35% | 38% | 40% | 40% | 38%
Requirements are too fragmented or inconsistent | 25% | 25% | 23% | 22% | 21%
No ability to change legacy apps | 46% | 49% | 52% | 56% | 58%
Lack of visibility of the security capabilities of existing PKI | 36% | 33% | 28% | 22% | 19%
Conflict with other apps using the same PKI | 28% | 29% | 30% | 29% | 30%
Specific operational issues (such as revocation and performance) are hard to resolve | 16% | 16% | 16% | 17% | 13%
Lack of advisory support | 7% | 6% | 6% | 5% | 6%
Other (please specify) | 0% | 0% | 0% | 1% | 0%
Total | 400% | 400% | 400% | 400% | 400%

Q33a. Do you believe that, as the Internet of Things continues to grow, supporting PKI deployments for IoT device credentialing will be:

Response | FY2019 | FY2018 | FY2017
Primarily cloud-based | 26% | 27% | 25%
Primarily enterprise-based | 30% | 31% | 32%
Combination of cloud-based and enterprise-based | 44% | 43% | 43%
Total | 100% | 100% | 100%


Q33b. What are the most important PKI capabilities for IoT deployments? Please select 2 top choices.

Response | FY2019 | FY2018
Support for Elliptic Curve Cryptography (ECC) | 32% | 27%
Scalability to millions of managed certificates | 46% | 45%
Online revocation | 37% | 39%
Ability to sign firmware for IoT devices | 26% | 29%
FIPS 140-2 Level 3 HSMs (Hardware Security Modules) for Root and Issuing CAs | 30% | 30%
Cloud deployment model | 27% | 29%
Total | 200% | 200%

Q34. What percentage of IoT devices that will likely be used by your organization in the next two years do you believe will rely primarily on digital certificates for identification/authentication?

Response | FY2019 | FY2018 | FY2017
Less than 10% | 10% | 10% | 11%
10% to 25% | 20% | 20% | 19%
26% to 50% | 35% | 35% | 36%
51% to 75% | 24% | 23% | 22%
76% to 100% | 11% | 12% | 13%
Total | 100% | 100% | 100%
Extrapolated value | 42% | 42% | 43%

Q35. What are the most significant threats to IoT deployments in your environment? Please select 2 top choices.

Response | FY2019
Using a device as a network entry point | 39%
Altering the function of the device (e.g., load malware) | 68%
Controlling the device remotely | 54%
Capturing data from the device | 39%
Total | 200%

Q36a. How important are the following IoT security capabilities to your organization today? 5-point scale from 1 = not important to 5 = very important.

Capability | FY2019
Device discovery | 3.5
Device authentication | 3.6
Monitoring device behavior | 3.6
Delivery of patches and updates to devices | 3.4
Protecting confidentiality and integrity of data collected from the device | 3.7
Average | 3.6

Q36b. How important are the following IoT security capabilities to your organization in the next 12 months? 5-point scale from 1 = not important to 5 = very important.

Capability | FY2019
Device discovery | 4.0
Device authentication | 4.2
Monitoring device behavior | 4.1
Delivery of patches and updates to devices | 3.9
Protecting confidentiality and integrity of data collected from the device | 4.2
Average | 4.1


About Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About nCipher Security

nCipher Security, an Entrust Datacard company, is a leader in the general-purpose hardware security module (HSM) market, empowering world-leading organizations by delivering trust, integrity and control to their business critical information and applications. Today’s fast-moving digital environment enhances customer satisfaction, gives competitive advantage and improves operational efficiency – it also multiplies the security risks. Our cryptographic solutions secure emerging technologies such as cloud, IoT, blockchain, and digital payments and help meet new compliance mandates. We do this using our same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business critical applications, ensure the integrity of your data and put you in complete control – today, tomorrow, always. www.ncipher.com
