Professional Documents
Culture Documents
2022 Global PKI and IoT Trends Study
2022 Global PKI and IoT Trends Study
in your security
comes from awareness.
Global analysis............................................................................................................ 23
PART 3. METHODS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
PART 4. LIMITATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2022 Global PKI and IoT Trends Study Independently conducted by Ponemon Institute LLC and sponsored by Entrust
PART 1
Introduction
Ponemon Institute is pleased to present the findings of the
2022 Global PKI and IoT Trends Study, sponsored by Entrust.
According to the findings, while PKI is considered In this report, Ponemon Institute presents the
a strategic part of the core IT backbone, the findings based on a survey of 2,505 IT and IT
challenges in achieving PKI maturity continue security professionals who are involved in their
to be insufficient resources and the shortage of organizations’ enterprise PKI in 17 countries
skilled IT and IT security practitioners. Another including Australia, Brazil, France, Germany,
growing challenge is the lack of visibility of the Hong Kong, Japan, Korea, Mexico, Middle East,
applications that will depend upon PKI. Netherlands, Southeast Asia, Spain, Sweden,
the United Kingdom, and the United States.
The PKI research is part of a larger study
published earlier this year involving 6,264
respondents in 17 countries.1
1
See: 2022 Global Encryption Trends & Key Management Study (sponsored by Entrust), Ponemon Institute, April 2022.
62%
FY18
60%
Multifactor authentication 57% FY19
for administrators 57%
52% FY20
FY21
48%
46% FY22
Physical secure location 49%
45%
45%
40%
42%
Formal security practices 42%
(documented) 41%
40%
30%
24%
Passwords alone without
23%
a second factor
22%
24%
23%
22%
Isolated networks 22%
22%
20%
Key Findings
In this section of the report, we provide an analysis of the global
PKI results over a five-year period from 2018 to 2022. The complete
audited findings are presented in the Appendix of this report.
Trends in managing IoT
As organizations plan the evolution of their PKI, 41 percent in 2021) and 30 percent of respondents
new applications such as IoT devices and external (a decrease from 37 percent in 2021) say external
mandates and standards continue to drive the mandates and standards will drive change.
most change and uncertainty. According to Enterprise applications as a change agent for
Figure 2, 33 percent of respondents say new PKI have increased from 17 percent of respondents
applications such as the IoT (a decrease from to 23 percent of respondents.
Figure 2. As organizations plan the evolution of their PKI, what areas are expected to experience
the most change and uncertainty? (Consolidated view — two responses permitted)
42% FY18
40%
New applications
52% FY19
(e.g., Internet of Things) 41%
33% FY20
42%
39% FY21
External mandates and standards 49%
37%
FY22
30%
26%
28%
PKI technologies 21%
27%
29%
20%
21%
Management expectations 21%
22%
27%
18%
19%
Enterprise applications 11%
17%
23%
18%
18%
Internal security policies 12%
20%
22%
19%
19%
Budget and resources 21%
19%
20%
15%
16%
Vendors (products and services) 10%
16%
15%
Figure 3. The most important trends driving the deployment of applications using PKI
(Consolidated view — two responses permitted)
45% FY18
49%
Cloud-based services 44% FY19
44%
49%
FY20
44%
41%
FY21
Internet of Things (IoT) 47%
47%
47% FY22
45%
44%
Consumer mobile 40%
40%
41%
21%
21%
Regulatory environment 24%
24%
31%
9%
10%
BYOD and internal mobile
11%
device management 11%
24%
7%
7%
E-commerce 6%
6%
9%
Figure 4. As IoT continues to grow, what PKI deployments will support IoT device credentialing?
43% FY18
44%
Combination of cloud-based FY19
45%
and enterprise-based 42%
35% FY20
31%
30% FY21
Primarily enterprise-based 29%
30% FY22
34%
27%
26%
Primarily cloud-based 26%
28%
31%
Figure 5. What are the most important PKI capabilities for IoT deployments?
(Two responses permitted)
53% FY18
46%
Scalability to millions 45%
of managed certificates FY19
43%
39%
FY20
32%
32%
Support for elliptic curve 31%
FY21
cryptography (ECC) 33%
35% FY22
46%
37%
Online revocation 37%
37%
34%
34%
26%
Ability to sign firmware 28%
for loT devices 27%
33%
35%
FIPS 140-2 Level 3 HSMs 30%
(hardware security modules) 30%
for root and issuing CAs 29%
31%
27%
Cloud deployment model 28%
32%
28%
57% FY18
58%
Online Certificate
53% FY19
Status Protocol 57%
55% FY20
47%
44% FY21
Automated CRL 47%
42% FY22
42%
30%
30%
None 32%
32%
32%
20%
19%
Manual certificate
20%
revocation list 20%
23%
18%
19%
Validation authority 20%
18%
21%
Figure 7. How do you manage the private keys for your root/policy/issuing CAs?
39% FY18
42%
Hardware security
39% FY19
modules (HSMs) 40%
37% FY20
23%
23% FY21
Removable media for
23%
CA/root keys FY22
24%
26%
28%
26%
Smart cards (for CA/root
28%
key protection) 26%
24%
10%
10%
Software key store 10%
10%
13%
FY21
32%
Online, self-managed FY22
31%
25%
Offline, self-managed 25%
24%
Offline, externally hosted 23%
19%
Online, externally hosted 21%
40% FY18
41%
Issuing CA 42% FY19
39%
33% FY20
35%
34% FY21
Online root 36%
34%
FY22
33%
50%
48%
Offline root 47%
49%
27%
30%
29%
Policy CA 30%
28%
26%
23%
22%
Registration authority 22%
20%
21%
12%
11%
OCSP responder 12%
11%
11%
8%
8%
Validation authority 8%
8%
8%
47%
47%
FY18
FY18
49%
49%
Insufficient
Insufficient resources
resources 51%
51% FY19
51% FY19
51%
64%
64% FY20
FY20
48%
48%
47%
47% FY21
Insufficient
Insufficient skills
skills
52%
52%
FY21
46%
46%
52% FY22
52% FY22
70%
70%
68%
68%
No clear ownership 63%
No clear ownership 63%
71%
71%
52%
52%
32%
32%
31%
Lack of visibility of the application 31%
Lack of visibility of depend
that will the application
on PKI
28%
28%
that will depend on PKI 34%
34% 48%
48%
35%
35%
36%
Lack of clear understanding 36%
36%
Lack of of
clear
theunderstanding
requirements 36%
37%
of the requirements 37%
36%
36%
27%
27%
27%
Requirements are too 27% 32%
Requirements
fragmented are too
or inconsistent 28% 32%
fragmented or inconsistent 28% 35%
35%
35%
35%
37%
Necessary performance and 37%
36%
Necessary
reliability isperformance and
hard to achieve 32% 36%
reliability is hard to achieve 32%
35%
29% 35%
29%
28%
Commercial solutions are too 24% 28%
Commercial or
complicated solutions are too
too expensive 24%
27%
complicated or too expensive 27% 34%
20% 34%
20%
20%
No suitable products or 15%20%
No suitable products
technologies or
available 15%21%
technologies available 21%
20%
12% 20%
11%
12%
Too hard to transition from current 14%
11%
Too hardapproach
to transition
to a from current
new system 12%14%
approach to a new system 12% 18%
6% 18%
6%
6%
Lack of advisory services
3% 6%
and support
Lack of advisory services
3%7%
and support 6%
7%
6%
Figure 11. How many distinct applications does your PKI manage certificates on behalf of?
(Consolidated view — extrapolated value is 8.4 distinct applications)
1 or 2 5%
3 or 4 12%
5 or 6 19%
7 or 8 18%
9 or 10 18%
11 or 12 13%
13 or 14 6%
15 or more 9%
42%
42% FY18
FY18
45%
45%
Insufficient
Insufficient skills
skills 34%
34%
FY19
46%
46% FY19
43%
43%
57%
57%
FY20
FY20
Existing 56%
Existing PKI
PKI is
is incapable
incapable 51%
56%
of supporting
supporting new
new applications
applications
51%
55%
FY21
FY21
55%
41%
41%
FY22
FY22
38%
38%
35%
35%
Too
Too much
much change
change or
or uncertainty
uncertainty 31%
31%
36%
36%
41%
41%
49%
49%
46%
46%
No
No ability
ability to
to change
change legacy
legacy apps
apps 51%
51%
43%
43%
40%
40%
40%
40%
38%
38%
Insufficient
Insufficient resources
resources
35%
35%
38%
38%
40%
40%
29%
29%
35%
Lack
Lack of
of clear
clear understanding
understanding 35%
48%
of 48%
of requirements
requirements 35%
35%
35%
35%
35%
35%
35%
35%
No pre-existing PKI 25%
No pre-existing PKI 25% 36%
33% 36%
33%
25%
25%
25%
Requirements are too 25%
Requirements are too 26%
fragmented or inconsistent 23% 26%
fragmented or inconsistent 23% 33%
33%
33%
33%
36%
Lack of visibility of the security 36%
Lackcapabilities
of visibility of
of existing
the security
PKI
52%
52%
33%
capabilities of existing PKI 29% 33%
29%
29%
29%
28%
Conflict with other apps 28%
28%
Conflict with
using theother
sameapps
PKI 28%
28%
using the same PKI 28%
27%
27%
16%
Specific operational issues 16%
16%
Specific operational
(such as revocationissues
and 12% 16%
(suchare
performance) as hard
revocation and
to resolve 12% 19%
performance) are hard to resolve 19%
21%
21%
6%
7%
6%
Lack of advisory support 5%7%
Lack of advisory support 5%8%
8% 16%
16%
66% FY18
64%
Common Criteria EAL Level 4+ 67% FY19
63%
59% FY20
62%
60% FY21
FIPS 140-2 Level 3 60%
62%
FY22
58%
26%
25%
Regional standards such as
26%
digital signature laws 25%
25%
25%
23%
Regional certificates for 22%
use by government 23%
22%
14%
11%
None of the above
10%
(certification is not an important factor) 11%
10%
84% FY18
79%
SSL certificates for public-facing
84% FY19
websites and services 81%
74% FY20
71%
69% FY21
Private networks and VPN 60%
67% FY22
65%
53%
54%
Email security 51%
55%
55%
49%
51%
Enterprise user authentication 70%
53%
52%
51%
50%
Device authentication 49%
50%
52 %
56%
55%
Public cloud-based
82%
applications and services 52%
48%
44%
46%
Private cloud-based applications 35%
47%
47%
42%
44%
Document/message signing 45%
47%
45%
32%
32%
Code signing 32%
33%
35%
Figure 15. How is PKI deployed? (Consolidated view — more than one response permitted)
56% FY18
63%
Internal corporate
60% FY19
certificate authority 62%
60% FY20
40%
43% FY21
Externally hosted private 43%
CA — managed service 44% FY22
42%
33%
31%
Public CA service 32%
31%
28%
23%
22%
Private CA running within 22%
a public cloud 23%
26%
16%
15%
Business partner provided service 15%
15%
18%
11%
10%
Government provided service 11%
9%
11%
Figure 16. If you use PKI credential for enterprise user authentication or device authentications,
what are your most important authentication requirements? (Two responses permitted)
FY21
Enables single sign-on 53%
FY22
to all apps and platforms 48%
39%
Works with any device
42%
Provides policy-driven
30%
access controls 35%
(for user and device)
Figure 17. What use cases would benefit most from an integrated
authentication and PKI solution? (Two responses permitted)
FY21
Onboarding and 33%
FY22
offboarding resources 44%
30%
Email and file encryption
44%
37%
Digital document signing 39%
52%
Securing work devices
36%
62%
DE 30%
53%
AU 26%
53%
NL 53%
53%
ME 46%
49%
HK 32%
46%
TW 62%
46%
BZ 16%
42%
MX 34%
21%
RF 38%
48%
NL 39%
47%
MX 52%
46%
BZ 41%
45%
SP 41%
39%
HK 47%
30%
RF 54%
Figure 20. What best describes the number of issuing CAs in your organization?
(Extrapolated average values)
US 8.9
FR 7.9
AU 7.6
DE 7.2
UK 7.1
SA 7.1
JP 6.8
KO 6.6
TW 6.4
ME 6.4
HK 6.3
SW 6.3
NL 6.3
BZ 5.9
MX 5.7
RF 5.6
SP 5.6
Figure 21. How many distinct applications does your PKI manage certificates on behalf of?
(Extrapolated average values)
US 11.2
UK 10.0
FR 9.7
DE 9.6
BZ 8.3
AU 8.2
NL 8.0
ME 7.8
JP 7.8
SP 7.7
HK 7.7
SW 7.5
MX 7.2
KO 7.2
SA 7.1
TW 6.9
RF 6.5
66%
MX 50%
46%
64%
DE 28%
36%
64%
UK 51%
48%
55%
KO 69%
47%
53%
SA 60%
67%
52%
US 61%
61%
51%
NL 42%
56%
49%
HK 51%
48%
48%
SW 54%
54%
34%
TW 46%
63%
Figure 23. Where are the greatest areas of change and uncertainty in the evolution of your PKI?
(Top 2 choices)
33%
DE 40%
36%
HK 40%
27%
ME 37%
31%
SW 36%
35%
BZ 34%
33%
AU 32%
28%
KO 32%
41%
FR 31%
22%
MX 27%
35%
NL 26%
26%
SA 26%
28%
JP 23%
29%
SP 22%
35%
UK 18%
Figure 24. What are the most important trends that are driving the deployment of applications
that make use of PKI? (Top 3 choices)
56%
TW 60%
31%
54%
SP 50%
44%
54%
US 36%
34%
53%
AU 33%
30%
51%
SA 35%
55%
51%
UK 57%
32%
49%
KO 57%
46%
48%
NL 39%
48%
48%
SW 42%
42%
46%
RF 49%
42%
44%
BZ 65%
32%
44%
ME 53%
46%
40%
MX 47%
53%
40%
DE 56%
30%
28%
JP 49%
45%
Methods
2022 Global PKI and IoT Trends Study 30
Table 1 reports the consolidated sample response fide credentials in IT or security fields. From this
for 17 separate country samples. Data collection sampling frame, we captured 7,056 returns of
was conducted in January 2022. Our consolidated which 792 were rejected for reliability issues. From
sampling frame of practitioners in all countries our final consolidated 2022 sample of 6,264, we
consisted of 162,436 individuals who have bona calculated the PKI subsample to be 2,505.
1% 6%
3%
Senior Executive
Director
Manager/Supervisor
Associate/Staff/Technician
Other
33%
1%
8%
IT operations
11%
Security
Finance
Other
21%
Figure 27 reports the industry classification of and credit cards. Eight percent of respondents
respondents’ organizations. Twelve percent of are located in retailing and seven percent of
respondents are located in the financial services respondents are in each of the following: health
industry, which includes banking, investment and pharmaceuticals, public sector, services,
management, insurance, brokerage, payments, and technology and software.
6%
7%
27%
More than 75,000
25,001 to 75,000
19%
5,001 to 25,000
1,001 to 5,000
500 to 1,000
17%
Less than 500
24%
Limitations
2022 Global PKI and IoT Trends Study 34
There are inherent limitations to survey research that need to be carefully considered
before drawing inferences from the presented findings. The following items are specific
limitations that are germane to most survey-based research studies.
Entrust, nShield, and the hexagon logo are trademarks, registered trademarks, and/or service marks of Entrust Corporation
in the U.S. and/or other countries. All other brand or product names are the property of their respective owners.