IoT is one of the fastest growing trends in technology today, yet enterprises are leaving themselves vulnerable to dangerous cyberattacks by failing to prioritize PKI security, according to new research from nCipher Security, an Entrust Datacard company.
The 2019 Global PKI and IoT Trends Study, conducted by research firm the Ponemon Institute and sponsored by nCipher Security, is based on feedback from more than 1,800 IT security practitioners in 14 countries/regions, including the UAE and Saudi Arabia in the Middle East.
According to the study, 56% of IT security professionals in the Middle East cited that cloud-based services are most likely to be driving the deployment of applications that make use of public key infrastructure (PKI), followed by 46% stating mobile devices and 37% citing IoT as the driving force. Globally, however, the Internet of Things (IoT) was found to be the fastest-growing trend driving PKI application deployment – with 20% growth over the past five years.
Respondents cited concerns about several IoT security threats, including altering the function of IoT devices through malware or other attacks (62%) and remote control of a device by an unauthorized user (60%). A positive indicator however, is that Middle East respondents rated delivering patches and updates to IoT devices, the capability that protects against that top threat, as one of the four most important IoT security capabilities today. Protecting the confidentiality and integrity of data pulled from the device was listed as the most important IoT security capability for the UAE and KSA.
“The scale of IoT vulnerability is staggering – IDC recently forecasted that there will be 41.6B connected IoT devices by 2025, generating 79.4 zettabytes of data,” said John Grimm, senior director of strategy and business development at nCipher Security. “There is no point in collecting and analyzing IoT-generated data, and making business decisions based upon it, if we cannot trust the security of devices or their data. Building trust starts with prioritizing security practices that counter the top IoT threats, and ensuring authenticity and integrity throughout the IoT ecosystem.”
PKI plays a strategic role, but organizations are continuing to face challenges leaving them vulnerable
PKI is at the core of the IT infrastructure for many organizations in the UAE and KSA, enabling security for critical digital initiatives such as cloud, mobile device deployment, and IoT. However, an overwhelming majority cite continued barriers, to enable applications to use PKI. These include the incapability of existing PKI to support new applications (66%), insufficient skills (43%) and no ability to change legacy apps (39%).
Enterprise PKI security best practices a mixed bag
Nearly a third (30%) of organizations globally – an especially jarring share considering the implications – are not using any certificate revocation techniques. Here in the Middle East, more than three quarters (77%) of respondents cite “no clear ownership” as their top PKI challenge, followed by insufficient resources (57%) and insufficient skills (51%).
But, some enterprises are applying more rigor to PKI security in certain areas. The share of respondents in the UAE and KSA using “password only” for Certificate Authority administrators has seen a significant drop from 55% in 2018 to 28% this year. The use of offline root Certificate Authority (CAs) has also increased (from 20% to 24%).
Philip Schreiber, Regional Director, Middle East, Africa and South Asia at nCipher Security, adds: “A key takeaway from the findings of the report for the region is the need to invest not only in mobilizing resources but also in honing talents to drive the ongoing focus on digital transformation, given that the region is now attracting local datacenter infrastructure. With the governments emphasizing on building a digital backbone that drives all operations – from governance to business best practices – ensuring the highest standards of cybersecurity is a strategic imperative that organizations must seriously pursue.”
Other global findings that point to the future of PKI and IoT:
HSM use as an IoT root of trust jumped significantly over 2018 (10% jump to 22%).
Despite a growing number of options for PKI deployment (cloud, managed and hosted), internal corporate Certificate Authorities (CAs) remain the most popular and have grown 19% over the past five years to 63% – with 80% of financial services organizations favoring this option.
Forty-four percent of respondents believe PKI deployments for IoT devices will consist of a combination of cloud-based and enterprise-based implementations.
The most important PKI capabilities for IoT in 2019 are scalability to millions of certificates (46%) and online certificate revocation (37%).
“PKI use is evolving as organizations address digital transformation across their enterprises. In addition to IoT, more than 40% of our respondents also cited cloud and mobile initiatives as driving PKI use,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Clearly, the rapid growth of the IoT is having a huge impact on the use of PKI, as organizations realize that PKI provides core authentication technology for connected devices. For organizations to gain full advantage of their digital initiatives, they must continue to improve the security maturity of their PKIs.”
Download your copy of the new 2019 Global PKI and IoT Trends Study.