IoT is one of the fastest growing trends in technology today, yet enterprises are leaving themselves vulnerable to dangerous cyberattacks by failing to prioritise PKI security, according to new research from nCipher Security, an Entrust Datacard company.
The 2019 Global PKI and IoT Trends Study, conducted by research firm the Ponemon Institute and sponsored by nCipher Security, is based on feedback from more than 1,800 IT security practitioners in 14 countries/regions. The study found that IoT is the fastest-growing trend driving public key infrastructure (PKI) application deployment – with 20% growth over the past five years.
Respondents cited concerns about several IoT security threats, including altering the function of IoT devices through malware or other attacks (68%) and remote control of a device by an unauthorised user (54%). However, respondents rated delivering patches and updates to IoT devices, the capability that protects against that top threat, last on a list of the five most important IoT security capabilities.
New report from Ponemon Institute reveals IoT as fastest-growing driver for PKI, but lack of security best practices is leaving them unprepared
The study also found that in the next two years an average of 42% of IoT devices will rely primarily on digital certificates for identification and authentication. But encryption for IoT devices, and for IoT platforms and IoT data repositories, is at just 28% and 25% respectively, according to nCipher’s 2019 Global Encryption Trends Study.
“The scale of IoT vulnerability is staggering – IDC recently forecasted that there will be 41.6B connected IoT devices by 2025, generating 79.4 zettabytes of data,” said John Grimm, senior director of strategy and business development at nCipher Security. “There is no point in collecting and analysing IoT-generated data, and making business decisions based upon it, if we cannot trust the security of devices or their data. Building trust starts with prioritising security practices that counter the top IoT threats, and ensuring authenticity and integrity throughout the IoT ecosystem.”
PKI plays a strategic role, but organisations are leaving themselves vulnerable and unprepared
PKI is at the core of the IT infrastructure for many organisations, enabling security for critical digital initiatives such as cloud, mobile device deployment, and IoT.
“There is no point in collecting and analysing IoT-generated data, and making business decisions based upon it, if we cannot trust the security of devices or their data.”
Most respondents use PKI extensively in their organisations, for SSL/TLS certificates (79%), private networks and VPNs (69%), and public cloud-based applications and services (55%). Yet more than half (56%) believe PKI is incapable of supporting new applications. In addition, many respondents see significant technical and organisational barriers to PKI usage, including an inability to change legacy applications (46%), insufficient skills (45%) and resources (38%).
Enterprise PKI security best practices a mixed bag
Nearly a third (30%) of organisations – an especially jarring share considering the implications – are not using any certificate revocation techniques. More than two-thirds (68%) cite “no clear ownership” as their top PKI challenge.
But, some enterprises are applying more rigour to PKI security in certain areas. The share of respondents using “password only” for Certificate Authority administrators has dropped 6% from 2018 to 24% this year. And 42% of respondents said that they are using hardware security modules (HSMs) to manage private keys.