IoT is one of the fastest growing trends in technology today, yet enterprises are leaving themselves vulnerable to dangerous cyberattacks by failing to prioritize PKI (public key infrastructure) security, according to new research from nCipher Security, an Entrust Datacard company.
The 2019 Global PKI and IoT Trends Study, conducted by research firm the Ponemon Institute and sponsored by nCipher Security, is based on feedback from more than 1,800 IT security practitioners in 14 countries/regions, including the UAE and Saudi Arabia in the Middle East.
According to the study, 56 per cent of IT security professionals in the Middle East cited that cloud-based services are most likely to be driving the deployment of applications that make use of public key infrastructure (PKI), followed by 46 per cent stating mobile devices and 37 per cent citing IoT as the driving force.
Globally, however, the Internet of Things (IoT) was found to be the fastest-growing trend driving PKI application deployment – with 20 per cent growth over the past five years.
Respondents cited concerns about several IoT security threats, including altering the function of IoT devices through malware or other attacks (62 per cent) and remote control of a device by an unauthorized user (60 per cent).
A positive indicator however, is that Middle East respondents rated delivering patches and updates to IoT devices, the capability that protects against that top threat, as one of the four most important IoT security capabilities today. Protecting the confidentiality and integrity of data pulled from the device was listed as the most important IoT security capability for the UAE and Saudi Arabia.
“The scale of IoT vulnerability is staggering – IDC recently forecasted that there will be 41.6B connected IoT devices by 2025, generating 79.4 zettabytes of data,” said John Grimm, senior director of strategy and business development at nCipher Security.
“There is no point in collecting and analyzing IoT-generated data, and making business decisions based upon it, if we cannot trust the security of devices or their data. Building trust starts with prioritizing security practices that counter the top IoT threats, and ensuring authenticity and integrity throughout the IoT ecosystem.”
PKI plays a strategic role, but organizations are continuing to face challenges leaving them vulnerable
PKI is at the core of the IT infrastructure for many organizations in the UAE and Saudi Arabia, enabling security for critical digital initiatives such as cloud, mobile device deployment, and IoT. However, an overwhelming majority cite continued barriers, to enable applications to use PKI. These include the incapability of existing PKI to support new applications (66 per cent), insufficient skills (43 per cent) and no ability to change legacy apps (39 per cent).
Enterprise PKI security best practices a mixed bag
Nearly a third (30 per cent) of organizations globally – an especially jarring share considering the implications – are not using any certificate revocation techniques. Here in the Middle East, more than three quarters (77 per cent) of respondents cite “no clear ownership” as their top PKI challenge, followed by insufficient resources (57 per cent) and insufficient skills (51 per cent).
But, some enterprises are applying more rigor to PKI security in certain areas. The share of respondents in the UAE and Saudi Arabia using “password only” for Certificate Authority administrators has seen a significant drop from 55 per cent in 2018 to 28 per cent this year. The use of offline root Certificate Authority (CAs) has also increased (from 20 per cent to 24 per cent).
Philip Schreiber, regional director, Middle East, Africa and South Asia at nCipher Security, said: “A key takeaway from the findings of the report for the region is the need to invest not only in mobilizing resources but also in honing talents to drive the ongoing focus on digital transformation, given that the region is now attracting local datacenter infrastructure.
“With the governments emphasizing on building a digital backbone that drives all operations – from governance to business best practices – ensuring the highest standards of cybersecurity is a strategic imperative that organizations must seriously pursue.”
Other global findings that point to the future of PKI and IoT:
- HSM use as an IoT root of trust jumped significantly over 2018 (10 per cent jump to 22 per cent).
- Despite a growing number of options for PKI deployment (cloud, managed and hosted), internal corporate Certificate Authorities (CAs) remain the most popular and have grown 19 per cent over the past five years to 63 per cent – with 80 per cent of financial services organizations favouring this option.
- Forty-four percent of respondents believe PKI deployments for IoT devices will consist of a combination of cloud-based and enterprise-based implementations.
- The most important PKI capabilities for IoT in 2019 are scalability to millions of certificates (46 per cent) and online certificate revocation (37 per cent).
“PKI use is evolving as organizations address digital transformation across their enterprises. In addition to IoT, more than 40 per cent of our respondents also cited cloud and mobile initiatives as driving PKI use,” said Dr Larry Ponemon, chairman and founder of the Ponemon Institute.
“Clearly, the rapid growth of the IoT is having a huge impact on the use of PKI, as organizations realize that PKI provides core authentication technology for connected devices. For organizations to gain full advantage of their digital initiatives, they must continue to improve the security maturity of their PKIs.”
TradeArabia News Service