IoT and PKI, a necessary but still insufficient partnership

Sheila Zabeu

November 25, 2022

The Internet of Things drives Public Key Infrastructure (or PKI) initiatives. While the prominent use cases for PKI are still focused on cross-site encrypted communication protocols such as TLS/SSL, securing VPNs and private networks, and digital signatures, the IoT, alongside the current regulatory landscape, is posing new challenges to cybersecurity and thus opening up new opportunities for the application of PKI technologies.

According to the 2022 Global PKI and IoT Trend Study, conducted by the Ponemon Institute with the sponsorship of Entrust, there is growing recognition that PKI is a vital technology to help authenticate IoT devices. The share of respondents who stated that IoT is the most important trend driving the deployment of PKI applications has remained unchanged (in the range of 47%) since 2020.

Over the next two years, on average, 44% of IoT devices in use will rely on digital certificates for identification and authentication, according to the study. Riding on this wave, 35% of respondents believe that as IoT deployments advance, it will be necessary to combine PKI solutions for cloud and enterprise IoT device accreditation. However, support for this idea has declined from the 42% share of respondents in 2021.

Source: Ponemon Institute

The ability to scale to millions of managed certificates remains the most critical PKI capability for IoT deployments, although it has lost importance compared to previous years, when it was cited by 53% of respondents in 2018 and by 39% in 2020. On the other hand, the ability to sign IoT device firmware has increased from 27% of respondents in 2021 to 33% in 2022.

Source: Ponemon Institute

Challenges for adopting PKI

According to the study, not only the IoT but cybersecurity in general is being evaluated at various levels, including outside the four walls of organizations. That can be a complex requirement, especially without the right skills and resources, and it should become an even greater challenge with future threats in a post-quantum world.

It is no wonder that insufficient resources, lack of skills and lack of clear definitions of responsibility were the three main challenges for adopting PKI technologies highlighted in the study. The first item, insufficient resources, showed an increase in citations in the latest edition, from 51% of respondents in 2021 to 64% in 2022. The other two challenges were cited in 52% of the responses.

Another highlight of the survey was the lack of visibility of applications that will rely on PKI solutions. This difficulty was mentioned by 34% of respondents in 2021 and gained more attention in this year’s survey, appearing in 48% of responses. Likewise, another challenge that has seen a jump (from 28% in 2021 to 35% in 2022) has to do with requirements for deploying and managing PKI technologies, which are proving to be very fragmented or inconsistent.

Source: Ponemon Institute

Regarding existing PKI implementations, the top challenge remains the ability to support new applications (cited by 41% this year), along with the lack of visibility into security features at 29%. According to the study, not having the right technology to protect new PKI use cases, or not even knowing whether the PKI is capable of defending itself, is worrying, although not surprising, given that only 38% of organizations have a PKI expert on their teams.

“The top three challenges to deploying and managing PKI have remained consistent across the editions of this survey. Looking at some of the trends over time, we can see a landscape that continues to recognize the importance of PKI, but use cases and their ever-evolving compliance cause companies to run but remain stuck. The absence of qualified and experienced personnel is being felt more and more, as is the lack of clear definitions of responsibilities in isolated business structures in many cases,” explains Larry Ponemon, President and Founder of the Ponemon Institute.

This Ponemon Institute study was based on surveys of more than 2,500 IT and cybersecurity professionals in the following countries and regions: Germany, Australia, Brazil, Korea, Spain, United States, France, Netherlands, Hong Kong, Japan, Mexico, Middle East, UK, Southeast Asia and Sweden.