Organisations are moving to harvest increasing amounts of business critical data from connected devices, but they often do not have the public key infrastructure (PKI) required to do it safely and securely, says a new industry report.
Chief among the challenges facing organisations in the deployment of PKI is lack of clear ownership of the function, insufficient skills in the organisation and insufficient resources.
That’s according to the Ponemon Institute which surveyed 1,688 respondents in information technology and security in 12 countries. The results are contained in the fourth edition of the annual Global PKI Trends Study, published by Thales today.
The survey found encouraging signs of progress in implementing PKI but also a number of ongoing security concerns.
It found that 62 percent of systems used multi-factor authentication for administrators, up from 59 percent last year, but an astounding 30 percent only use a password, without second factor authentication, to secure PKI and certification authorities while five percent said they use no special security measures.
The internet of things (IoT) is becoming the key driver for the adoption of PKI as organisations seek to leverage and control the devices on their networks.
The percentage of respondents who said that IoT was the most important driver of PKI adoption has increased from 21 to 44 percent between 2015 and 2018. This will soon overtake cloud-based services as an influencer, having dropped from 54 to 45 percent in the same period.
In the next two years, 42 percent of IoT devices will identify and authenticate themselves using digital certificates, the report said.
According to John Grimm, senior director of IoT strategy at Thales and author of the Ponemon PKI report, the challenge for organisations is to implement PKI at scale to enable systems to see new devices on the network, identify them and update them.
Some 39 percent of respondents said they use a hardware security module (HSM) to manage private keys for root certificate authorities (CAs), but 28 percent use smart cards, 23 percent use removable media and, interestingly for the first time this year, 10 percent said they use a software key store.
The authors expressed concern that of the 39 percent using HSMs, only 12 percent use HSMs in their OCSP responders, a situation that the authors said represented "a significant gap between best practices and observed practices".
Some 70 percent of respondents said there is no clear ownership of PKI management in their organisation, making it the top concern among respondents. This was followed by insufficient skills (48 percent), insufficient resources (47 percent) and excessive change or uncertainty (39 percent).
Manufacturers of IoT devices and their customers are increasingly looking to use elliptic curve cryptography (ECC) to produce public keys because it is computationally less intensive than computing RSA keys and the resulting key is smaller – a 256-bit ECC public key is more secure than an RSA public key that is 10 times its length – making them more suited for the smaller, less powerful chips typically found in IoT devices.
Grimm told SC Magazine UK that the automobile industry is one manufacturing sector that is looking at ECC because of the sheer number of devices found in modern, connected cars.
However, in many organisations PKI IoT implementations are still being trialled in many organisations. The next challenge, he said, as these organisations go into production is how to store and secure the vast amounts of data that it will generate.
"Another aspect that people aren’t thinking about is how do I take things out of service at end of life," said Clive Watts, product manager at Secure Thingz.
The favourite technique for certificate revocation is increasingly online certificate status protocol (OCSP), with 57 percent of respondents using it, up from 46 percent in 2015. Alarmingly, 30 percent of respondents said they do not use a certificate revocation technique which, the report authors speculate, could be because they uses alternate means to remove them, use short lifespan certificates or have closed systems.
"People may find that products have a five-year life after which the manufacturer no longer supports them. If they remain in service they represent a risk, especially if you are no longer able to update them, so taking things out of service is a looming topic for the next couple of years," Watts said.
"The industry is making progress in revocation – which has been the biggest problem in certificate management – but it will still have to scale to be usable," he said.