
Pair of surveys underscore importance of secure PKI in government, IoT

Both the federal government and Internet of Things manufacturers are facing key challenges and opportunities with regard to implementing secure Public Key Infrastructure practices for digital certificate management and encryption, according to a pair of newly published research reports.

The first report, from machine identity protection company Venafi, reveals data compiled from a survey of 100 federal government IT security professionals who were asked about their organizations' preparedness to comply with the 2017 Binding Operational Directive (BOD) 18-01. This Department of Homeland Security-issued directive requires all U.S. federal agency websites to fortify their email and web security by improving the handling of machine identities through the use of Transport Layer Security (TLS) keys and PKI certificates.

According to the survey, 54 percent of respondents said they were confident their networks do not contain certificates from any unauthorized certificate authorities (CAs) -- and yet only 46 percent of the study participants said they have the controls in place needed to detect this problem.

Moreover, only 30 percent of respondents said that they have a complete certificate inventory, meaning the other 70 percent lack the visibility necessary to know for certain whether any of their certificates are from unauthorized sources. Also, only 29 percent believe their inventories include the location of every installed certificate, while only 37 percent believe their inventories include certificate ownership information. Location information is important for upgrade efforts in large organizations where certificates may be installed on multiple devices, while ownership information is vital for conducting timely updates, Venafi explains.

"Unfortunately, even the world's most sophisticated security teams rarely have the visibility, intelligence or automation necessary to effectively scale the use of their machine identities," said Kevin Bocek, chief cyber security strategist at Venafi, in a company blog post detailing the report. "For example, only 69 percent of all federal sites enable HTTPS, despite BOD 18-01 requiring 100 percent HTTPS usage."

Meanwhile, the Ponemon Institute and Thales collaborated on a just-released 2018 Global PKI Trends study that reveals survey data collected from 1,688 IT and IT security practitioners in 12 countries.

According to the survey, IoT is shaping up to be a major disruptor influencing PKI. In fact, 42 percent of respondents said that IoT is the most significant factor driving PKI change, tied for the highest overall percentage alongside external mandates and standards (participants were allowed to pick up to two responses). In last year's survey, only 36 percent cited IoT as a major PKI change agent.

Similarly, the share of respondents who believe IoT is the most important trend driving the deployment of applications using PKI has increased significantly, from 21 percent to 44 percent, since 2015, the report states.

The study also found that 42 percent of IoT devices will use digital certificates for authentication within the next two years.

"Huge amounts of data are generated by and collected from a rapidly growing number of IoT devices, with the cloud playing a pivotal role in IoT solutions of the future. But there's no point in collecting and analyzing that data, and making business decisions based upon it if you're not able to trust the devices or their data," said John Grimm, senior director security strategy at Thales eSecurity, in a press release. "For safe, secure IoT deployments organizations need to embrace time-tested security techniques, like PKI, to ensure the integrity and security of their IoT systems."

"In previous years, we highlighted PKI as an established technology positioned to tackle the authentication needs and challenges to support the rise of cloud applications. Now, the C-suite is challenging its teams to leverage IoT to improve and drive business," added Dr. Larry Ponemon, chairman and founder of The Ponemon Institute, in the same release. "With this comes the increased risk of more endpoints to protect, and the need to understand the role of PKI as a critical enabler. At the same time, this underscores the need for further advancement in skilling and resourcing related to PKI and the overall ownership within the organization."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
