True confidence

in your security
comes from awareness.

2022 GLOBAL PKI AND

IoT TRENDS STUDY
Find out how organizations are using PKI
and if they’re prepared for what’s possible.
 TABLE OF CONTENTS
PART 1. INTRODUCTION.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

PART 2. KEY FINDINGS.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Trends in managing IoT........................................................................................... 7

Challenges in achieving PKI maturity.............................................................11

Global analysis............................................................................................................ 23

PART 3. METHODS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

PART 4. LIMITATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

2022 Global PKI and IoT Trends Study Independently conducted by Ponemon Institute LLC and sponsored by Entrust
PART 1

Introduction
Ponemon Institute is pleased to present the findings of the
2022 Global PKI and IoT Trends Study, sponsored by Entrust.

According to the findings, while PKI is considered
a strategic part of the core IT backbone, the
challenges in achieving PKI maturity continue
to be insufficient resources and the shortage of
skilled IT and IT security practitioners. Another
growing challenge is the lack of visibility of the
applications that will depend upon PKI.
The PKI research is part of a larger study
published earlier this year involving 6,264
respondents in 17 countries.1
In this report, Ponemon Institute presents the
findings based on a survey of 2,505 IT and IT
security professionals who are involved in their
organizations’ enterprise PKI in 17 countries
including Australia, Brazil, France, Germany,
Hong Kong, Japan, Korea, Mexico, Middle East,
Netherlands, Southeast Asia, Spain, Sweden,
the United Kingdom, and the United States.

1
See: 2022 Global Encryption Trends & Key Management Study (sponsored by Entrust), Ponemon Institute, April 2022.

2022 Global PKI and IoT Trends Study 4

Figure 1 shows the primary practices organizations
take to secure PKI and certificate authorities
(CAs). Most companies represented in this
study are using multifactor authentication for
administrators (52 percent of respondents). Only
24 percent of respondents say their organizations
are dependent upon passwords. Physical security
and documented formal security practices have
stayed the same at 45 percent and 40 percent
of respondents, respectively.
Usage of hardware security modules, most
prevalent with offline root CAs and issuing
CAs, stayed virtually the same at 37 percent of
respondents in 2022 and they remain the most
prevalent method of PKI private key protection.
All participants in this research are either involved
in the management of their organizations’
enterprise PKI or in developing and/or managing
applications that depend upon credentials
controlled by their organizations’ PKI. The IT
manager, IT security manager, and CIO are most
responsible for their organizations’ PKI strategy.

Figure 1. Practices used to secure PKI and certificate authorities

62%
FY18
60%
Multifactor authentication 57% FY19
for administrators 57%
52% FY20

FY21
48%
46% FY22
Physical secure location 49%
45%
45%

40%
42%
Formal security practices 42%
(documented) 41%
40%

30%
24%
Passwords alone without
23%
a second factor
22%
24%

23%
22%
Isolated networks 22%
22%
20%

5 2022 Global PKI and IoT Trends Study

PART 2

Key Findings
In this section of the report, we provide an analysis of the global
PKI results over a five-year period from 2018 to 2022. The complete
audited findings are presented in the Appendix of this report.
Trends in managing IoT
As organizations plan the evolution of their PKI, 41 percent in 2021) and 30 percent of respondents
new applications such as IoT devices and external (a decrease from 37 percent in 2021) say external
mandates and standards continue to drive the mandates and standards will drive change.
most change and uncertainty. According to Enterprise applications as a change agent for
Figure 2, 33 percent of respondents say new PKI have increased from 17 percent of respondents
applications such as the IoT (a decrease from to 23 percent of respondents.

Figure 2. As organizations plan the evolution of their PKI, what areas are expected to experience
the most change and uncertainty? (Consolidated view — two responses permitted)

42% FY18
40%
New applications
52% FY19
(e.g., Internet of Things) 41%
33% FY20
42%
39% FY21
External mandates and standards 49%
37%
FY22
30%
26%
28%
PKI technologies 21%
27%
29%

20%
21%
Management expectations 21%
22%
27%
18%
19%
Enterprise applications 11%
17%
23%
18%
18%
Internal security policies 12%
20%
22%
19%
19%
Budget and resources 21%
19%
20%
15%
16%
Vendors (products and services) 10%
16%
15%

7 2022 Global PKI and IoT Trends Study

Cloud-based services and IoT continue to be the
most important trends driving the deployment
of applications using PKI. There is growing
recognition that PKI provides important core
authentication technology in the IoT. As shown in
Figure 3, cloud-based services is the number one
trend driving deployment of applications using
PKI (49 percent of respondents). Respondents
who say IoT is the most important trend driving
the deployment of applications using PKI has
remained virtually unchanged (47 percent of
respondents) since 2020.

Figure 3. The most important trends driving the deployment of applications using PKI
(Consolidated view — two responses permitted)

45% FY18
49%
Cloud-based services 44% FY19
44%
49%
FY20
44%
41%
FY21
Internet of Things (IoT) 47%
47%
47% FY22
45%
44%
Consumer mobile 40%
40%
41%
21%
21%
Regulatory environment 24%
24%
31%
9%
10%
BYOD and internal mobile
11%
device management 11%
24%
7%
7%
E-commerce 6%
6%
9%

2022 Global PKI and IoT Trends Study 8

In the next two years, an average of 44 percent
of IoT devices in use will rely primarily on digital
certificates for identification and authentication.
As shown in Figure 4, 35 percent of respondents
believe that as the IoT continues to grow
supporting PKI deployments for IoT device
credentialing will be a combination of cloud-based
and enterprise-based. However, this has decreased
from 42 percent of respondents in 2021.

Figure 4. As IoT continues to grow, what PKI deployments will support IoT device credentialing?

43% FY18
44%
Combination of cloud-based FY19
45%
and enterprise-based 42%
35% FY20
31%
30% FY21
Primarily enterprise-based 29%
30% FY22
34%

27%
26%
Primarily cloud-based 26%
28%
31%

9 2022 Global PKI and IoT Trends Study

Scalability to millions of managed certificates
continues to be the most important PKI capability
for IoT employments. Figure 5 lists the most
important PKI capabilities for IoT deployments.
While scalability is the most important, it has
decreased in importance from 53 percent of
respondents in 2018 to 39 percent of respondents
in 2022. The ability to sign firmware for IoT devices
has increased from 27 percent of respondents
in 2021 to 33 percent of respondents in 2022.

Figure 5. What are the most important PKI capabilities for IoT deployments?
(Two responses permitted)

53% FY18
46%
Scalability to millions 45%
of managed certificates FY19
43%
39%
FY20
32%
32%
Support for elliptic curve 31%
FY21
cryptography (ECC) 33%
35% FY22
46%
37%
Online revocation 37%
37%
34%
34%
26%
Ability to sign firmware 28%
for loT devices 27%
33%
35%
FIPS 140-2 Level 3 HSMs 30%
(hardware security modules) 30%
for root and issuing CAs 29%
31%

27%
Cloud deployment model 28%
32%
28%

2022 Global PKI and IoT Trends Study 10

Challenges in achieving PKI maturity
According to Figure 6, the certificate revocation
technique most often deployed continues to
be online certificate status protocol (OCSP),
according to 55 percent of respondents. The next
most popular technique is the use of automated
certificate revocation list (CRL), according to
42 percent of respondents, a decrease from
47 percent of respondents in 2020.
Similar to last year, 32 percent of respondents
say they do not deploy a certificate revocation
technique. There are many possible explanations
for this high percentage — use of alternate means
to remove users/devices, use of short lifespan
certificates, closed systems, etc.

Figure 6. The certificate revocation techniques used in enterprises

(Consolidated view — more than one response permitted)

57% FY18
58%
Online Certificate
53% FY19
Status Protocol 57%
55% FY20
47%
44% FY21
Automated CRL 47%
42% FY22
42%

30%
30%
None 32%
32%
32%

20%
19%
Manual certificate
20%
revocation list 20%
23%

18%
19%
Validation authority 20%
18%
21%

11 2022 Global PKI and IoT Trends Study

Hardware security modules (HSMs) continue to percent of respondents say removable media
be most often used to manage the private keys for CA/root keys and 24 percent of respondents
for their root/policy/issuing CAs (37 percent say smart cards are used.
of respondents), as shown in Figure 7. Twenty-six

Figure 7. How do you manage the private keys for your root/policy/issuing CAs?

39% FY18
42%
Hardware security
39% FY19
modules (HSMs) 40%
37% FY20
23%
23% FY21
Removable media for
23%
CA/root keys FY22
24%
26%

28%
26%
Smart cards (for CA/root
28%
key protection) 26%
24%

10%
10%
Software key store 10%
10%
13%

12 2022 Global PKI and IoT Trends Study

Most organizations’ primary root CA strategy is CA strategies used by organizations. Thirty-one
online, self-managed. A root certificate is a public percent of respondents say it is online, self-
key certificate that identifies a root certificate managed followed by offline, self-managed at
authority (CA). Figure 8 lists the primary root 25 percent of respondents.

Figure 8. What is your organization’s primary root CA strategy?

(Only one choice permitted)

FY21
32%
Online, self-managed FY22
31%

25%
Offline, self-managed 25%

24%
Offline, externally hosted 23%

19%
Online, externally hosted 21%

2022 Global PKI and IoT Trends Study 13

Of the 37 percent of organizations in this study
that use HSMs to secure PKI, they are used across
the entire architecture of the PKI as shown in
Figure 9. HSMs deployed in offline roots has
declined from 49 percent of respondents in 2021
to 27 percent of respondents in 2022.
As an example of best practice, NIST calls to
“Ensure that Cryptographic modules for CAs,
Key Recovery Servers, and OCSP responders are
hardware modules validated as meeting FIPS 140-2
Level 3 or higher” (NIST Special Publication 800-57
Part 3). Yet only 11 percent of our respondents
indicate the presence of HSMs in their OCSP
installations. This is a significant gap between
best practices and observed practices.

Figure 9. Where HSMs are deployed to secure PKI

(Consolidated view — more than one response permitted)

40% FY18
41%
Issuing CA 42% FY19
39%
33% FY20
35%
34% FY21
Online root 36%
34%
FY22
33%
50%
48%
Offline root 47%
49%
27%

30%
29%
Policy CA 30%
28%
26%

23%
22%
Registration authority 22%
20%
21%

12%
11%
OCSP responder 12%
11%
11%
8%
8%
Validation authority 8%
8%
8%

14 2022 Global PKI and IoT Trends Study

Insufficient resources, lack of skills, and no clear
ownership are the top three challenges to enabling
applications to use PKI. As shown in Figure 10,
the challenge of not having sufficient resources
has increased significantly from 51 percent of
respondents in 2021 to 64 percent of respondents
in 2022. Other challenges are insufficient skills
(52 percent) and no clear ownership (52 percent
of respondents). The lack of visibility of the
applications that will depend upon PKI increased
from 34 percent of respondents in 2021 to 48
percent of respondents in this year’s research.

Figure 10. The

Figure 10. The challenges
challenges in
in deploying
deployingand
andmanaging
managingPKI
PKI(Consolidated
(Consolidatedview
view——four
fourresponses
responsespermitted)
permitted)

47%
47%
FY18
FY18
49%
49%
Insufficient
Insufficient resources
resources 51%
51% FY19
51% FY19
51%
64%
64% FY20
FY20
48%
48%
47%
47% FY21
Insufficient
Insufficient skills
skills
52%
52%
FY21
46%
46%
52% FY22
52% FY22
70%
70%
68%
68%
No clear ownership 63%
No clear ownership 63%
71%
71%
52%
52%
32%
32%
31%
Lack of visibility of the application 31%
Lack of visibility of depend
that will the application
on PKI
28%
28%
that will depend on PKI 34%
34% 48%
48%
35%
35%
36%
Lack of clear understanding 36%
36%
Lack of of
clear
theunderstanding
requirements 36%
37%
of the requirements 37%
36%
36%
27%
27%
27%
Requirements are too 27% 32%
Requirements
fragmented are too
or inconsistent 28% 32%
fragmented or inconsistent 28% 35%
35%
35%
35%
37%
Necessary performance and 37%
36%
Necessary
reliability isperformance and
hard to achieve 32% 36%
reliability is hard to achieve 32%
35%
29% 35%
29%
28%
Commercial solutions are too 24% 28%
Commercial or
complicated solutions are too
too expensive 24%
27%
complicated or too expensive 27% 34%
20% 34%
20%
20%
No suitable products or 15%20%
No suitable products
technologies or
available 15%21%
technologies available 21%
20%
12% 20%
11%
12%
Too hard to transition from current 14%
11%
Too hardapproach
to transition
to a from current
new system 12%14%
approach to a new system 12% 18%
6% 18%
6%
6%
Lack of advisory services
3% 6%
and support
Lack of advisory services
3%7%
and support 6%
7%
6%

2022 Global PKI and IoT Trends Study 15

Organizations with internal CAs use an average
of 6.8 separate CAs, managing an average
of 52,022 internal or externally acquired
certificates. As shown in Figure 11, an average
of 8.4 distinct applications, such as email and
network authentication, are managed by an
organization’s PKI. This indicates that the PKI
is at the core of the enterprise IT backbone. Not
only the number of applications dependent upon
the PKI but the nature of them indicates that
PKI is a strategic part of the core IT backbone.

Figure 11. How many distinct applications does your PKI manage certificates on behalf of?
(Consolidated view — extrapolated value is 8.4 distinct applications)

1 or 2 5%

3 or 4 12%

5 or 6 19%

7 or 8 18%

9 or 10 18%

11 or 12 13%

13 or 14 6%

15 or more 9%

2022 Global PKI and IoT Trends Study 16

The challenge of PKI supporting new applications
has declined significantly since 2021. As shown in
Figure 12, the previous number one challenge has
been that existing PKI is incapable of supporting
new applications. However, that concern has
decreased significantly from 55 percent of
respondents in 2021 to 41 percent of respondents
in 2022. The lack of visibility of the security
capabilities of existing PKI also has decreased
significantly from 52 percent of respondents in
2020 to 29 percent of respondents in 2022.

Figure 12. What

What are
are the
the challenges
challenges to
toenable
enableapplications
applicationsto
toutilize
utilizePKI?
PKI?
(Consolidated
(Consolidated view
view —— four
four responses
responsespermitted)
permitted)

42%
42% FY18
FY18
45%
45%
Insufficient
Insufficient skills
skills 34%
34%
FY19
46%
46% FY19
43%
43%
57%
57%
FY20
FY20
Existing 56%
Existing PKI
PKI is
is incapable
incapable 51%
56%
of supporting
supporting new
new applications
applications
51%
55%
FY21
FY21
55%
41%
41%
FY22
FY22
38%
38%
35%
35%
Too
Too much
much change
change or
or uncertainty
uncertainty 31%
31%
36%
36%
41%
41%
49%
49%
46%
46%
No
No ability
ability to
to change
change legacy
legacy apps
apps 51%
51%
43%
43%
40%
40%
40%
40%
38%
38%
Insufficient
Insufficient resources
resources
35%
35%
38%
38%
40%
40%
29%
29%
35%
Lack
Lack of
of clear
clear understanding
understanding 35%
48%
of 48%
of requirements
requirements 35%
35%
35%
35%
35%
35%
35%
35%
No pre-existing PKI 25%
No pre-existing PKI 25% 36%
33% 36%
33%
25%
25%
25%
Requirements are too 25%
Requirements are too 26%
fragmented or inconsistent 23% 26%
fragmented or inconsistent 23% 33%
33%
33%
33%
36%
Lack of visibility of the security 36%
Lackcapabilities
of visibility of
of existing
the security
PKI
52%
52%
33%
capabilities of existing PKI 29% 33%
29%
29%
29%
28%
Conflict with other apps 28%
28%
Conflict with
using theother
sameapps
PKI 28%
28%
using the same PKI 28%
27%
27%
16%
Specific operational issues 16%
16%
Specific operational
(such as revocationissues
and 12% 16%
(suchare
performance) as hard
revocation and
to resolve 12% 19%
performance) are hard to resolve 19%
21%
21%
6%
7%
6%
Lack of advisory support 5%7%
Lack of advisory support 5%8%
8% 16%
16%

17 2022 Global PKI and IoT Trends Study

Common Criteria EAL Level 4+ and FIPS 140-
2 Level 3 continue to be the most important
security certifications when deploying PKI
infrastructure and PKI-based applications.
According to Figure 13, 59 percent say Common
Criteria followed by 58 percent who say FIPS 140
are the most important certificate certifications
when deploying PKI. In the U.S., FIPS 140 is the
standard called out by NIST in its definition of a
“cryptographic module,” which is mandatory for
most U.S. federal government applications and a
best practice in all PKI implementations. Twenty-
five percent of respondents say regional standards
such as digital signature laws are important.

Figure 13. Security certifications important when deploying PKI infrastructure

(Consolidated view — more than one response permitted)

66% FY18
64%
Common Criteria EAL Level 4+ 67% FY19
63%
59% FY20
62%
60% FY21
FIPS 140-2 Level 3 60%
62%
FY22
58%
26%
25%
Regional standards such as
26%
digital signature laws 25%
25%

25%
23%
Regional certificates for 22%
use by government 23%
22%
14%
11%
None of the above
10%
(certification is not an important factor) 11%
10%

2022 Global PKI and IoT Trends Study 18

SSL certificates for public-facing websites and
services are most often using PKI credentials.
According to Figure 14, 74 percent of respondents
say the application most often using PKI
credentials is SSL certificates for public-facing
websites and services. However, enterprise user
authentication has decreased significantly from
70 percent of respondents in 2020 to 52 percent
of respondents in 2022, and the use of public
cloud-based applications and services has
decreased significantly from 82 percent in 2020
to 48 percent of respondents in 2022.

Figure 14. What applications use PKI credentials in organizations?

(Consolidated view — more than one response permitted)

84% FY18
79%
SSL certificates for public-facing
84% FY19
websites and services 81%
74% FY20
71%
69% FY21
Private networks and VPN 60%
67% FY22
65%
53%
54%
Email security 51%
55%
55%
49%
51%
Enterprise user authentication 70%
53%
52%
51%
50%
Device authentication 49%
50%
52 %
56%
55%
Public cloud-based
82%
applications and services 52%
48%
44%
46%
Private cloud-based applications 35%
47%
47%
42%
44%
Document/message signing 45%
47%
45%
32%
32%
Code signing 32%
33%
35%

19 2022 Global PKI and IoT Trends Study

What are the most popular methods for certificate authority (CA) or an externally hosted
deploying enterprise PKI? The most cited private CA — managed service, according to
method for deploying enterprise PKI, according 60 percent and 42 percent of respondents,
to Figure 15, is through an internal corporate respectively.

Figure 15. How is PKI deployed? (Consolidated view — more than one response permitted)

56% FY18
63%
Internal corporate
60% FY19
certificate authority 62%
60% FY20
40%
43% FY21
Externally hosted private 43%
CA — managed service 44% FY22
42%

33%
31%
Public CA service 32%
31%
28%

23%
22%
Private CA running within 22%
a public cloud 23%
26%

16%
15%
Business partner provided service 15%
15%
18%

11%
10%
Government provided service 11%
9%
11%

2022 Global PKI and IoT Trends Study 20

Organizations prefer the single sign-on to all
apps and platforms if they use the PKI credential
for enterprise user authentication or device
authentications. As shown in Figure 16,
48 percent of respondents say the single sign-on
to all apps and platforms is the most important
authentication requirement. This is followed by the
option that it works with any device (42 percent
of respondents).

Figure 16. If you use PKI credential for enterprise user authentication or device authentications,
what are your most important authentication requirements? (Two responses permitted)

FY21
Enables single sign-on 53%
FY22
to all apps and platforms 48%

39%
Works with any device
42%

Offers adaptive risk- 37%

based authentication 38%
and access

Complies with regulations 41%

and industry standards 37%

Provides policy-driven
30%
access controls 35%
(for user and device)

21 2022 Global PKI and IoT Trends Study

Figure 17 lists the use cases that would benefit
from an integrated authentication and PKI
solution. Onboarding and offboarding resources
and email and file encryption have increased
significantly since last year to 44 percent of
respondents. Securing personal devices for
workforce collaboration as a beneficial use case
has decreased from 49 percent of respondents
to 37 percent of respondents.

Figure 17. What use cases would benefit most from an integrated
authentication and PKI solution? (Two responses permitted)

FY21
Onboarding and 33%
FY22
offboarding resources 44%

30%
Email and file encryption
44%

37%
Digital document signing 39%

Securing personal devices

49%
(BYOD) for workforce
37%
collaboration

52%
Securing work devices
36%

2022 Global PKI and IoT Trends Study 22

Global analysis
In this section, we provide the most salient Figure 18. How would you describe how your
differences among the 17 countries represented organization’s enterprise PKI is deployed?
in this study: Australia (AU), Brazil (BZ), France (Top 2 choices)
(FR), Germany (DE), Hong Kong (HK), Japan
Internal corporate certificate authority
(JP), Korea (KO), Mexico (MX), Middle East
(ME) Netherlands (NL), Russia (RF), Spain (SP), Externally hosted private CA —
managed service
Southeast Asia (SA), Sweden (SW), Taiwan (TW),
United Kingdom (UK), and United States (US).
80%
US 35%
Figure 18 shows how PKI is deployed within
respondents’ organizations. As shown, the U.S. SA
75%
66%
(80 percent of respondents), Southeast Asia
(75 percent of respondents), Sweden (73 percent 73%
SW 70%
of respondents), and France (70 percent of
70%
respondents are most likely to choose internal FR 23%
corporate certificate authority.
67%
KO
In contrast, Korea (82 percent of respondents), 82%

Sweden (70 percent of respondents), Southeast 65%

UK 43%
Asia (66 percent of respondents), and Taiwan
(62 percent of respondents) are most likely SP
64%
51%
to choose external hosted private certificate
authorities as a managed service. 63%
JP 25%

62%
DE 30%

53%
AU 26%

53%
NL 53%

53%
ME 46%

49%
HK 32%

46%
TW 62%

46%
BZ 16%

42%
MX 34%

21%
RF 38%

23 2022 Global PKI and IoT Trends Study

When asked about the revocation techniques
deployed, 32 percent of respondents globally say
Figure 19. Which certificate revocation
none. As shown in Figure 19, of those respondents
technique does your organization deploy?
who say their organizations use a certificate (Top 2 choices = OCSP and Automated CRL)
revocation technique, Germany (76 percent),
UK (73 percent), Sweden (68 percent), and Online Certificate Status Protocol
Australia (66 percent) are most likely to use Automated CRL
online certificate status protocols (OCSP). France
(67 percent), Germany (65 percent), Russia
76%
(54 percent), and Mexico (52 percent) respondents DE 65%
are most likely to use automated CRLs. 73%
UK 29%
As noted above, this implies a true chasm between
68%
operational best practices and observed practices. SW 17%
Certificates have a life span. During that life span
66%
circumstances change and certificates outlive AU 32%
their purpose. Without a method of revoking
63%
certificates, the population of valid, extant ME 48%
certificates simply grows.
61%
JP 30%
We can surmise that there are connections
between this observed deviation from best FR
57%
67%
practices and the significant lack of dedicated
55%
personnel and skills called out in the study. SA 32%
When something as basic as lack of revocation
54%
processes is this common, one wonders about KO 46%
the currency of documentation on and processes
54%
for managing the average of seven major US 31%
enterprise applications that are dependent 52%
on the PKI. TW 49%

48%
NL 39%

47%
MX 52%

46%
BZ 41%

45%
SP 41%

39%
HK 47%

30%
RF 54%

2022 Global PKI and IoT Trends Study 24

According to Figure 20, the U.S. and France have
the most individual CAs deployed within their
organizations (8.9 and 7.9, respectively). Russia
and Spain have the least number of individual
CAs (both 5.6).
Again, this reinforced the penetration of the
PKI into the core IT backbone of the modern
organization. And, given the stated lack of
skilled personnel and organizational clarity,
combined with the lack of consistent revocation
practices, one has to draw attention to risks
to the health and integrity of these CAs and
the important core enterprise applications
that use their certificates.

Figure 20. What best describes the number of issuing CAs in your organization?
(Extrapolated average values)

US 8.9

FR 7.9

AU 7.6

DE 7.2

UK 7.1

SA 7.1

JP 6.8

KO 6.6

TW 6.4

ME 6.4

HK 6.3

SW 6.3

NL 6.3

BZ 5.9

MX 5.7

RF 5.6

SP 5.6

25 2022 Global PKI and IoT Trends Study

Figure 21 is the number of distinct applications
(e.g., email, network authentication, etc.) for which
PKI manages certificates. The U.S. at 11.2 has the
largest number of distinct applications. Taiwan
(6.9) and Russia (6.5) have the smallest number
of distinct applications, respectively.
One should note that even in the lowest figures
that the average number of applications is just
north of 6. Given previous responses, we can
extrapolate that these likely include email, SSL
certificates, device identification, and logon
credentials. These are non-trivial applications,
the failure of which could pose existential risks
to the host organization.

Figure 21. How many distinct applications does your PKI manage certificates on behalf of?
(Extrapolated average values)

US 11.2

UK 10.0

FR 9.7

DE 9.6

BZ 8.3

AU 8.2

NL 8.0

ME 7.8

JP 7.8

SP 7.7

HK 7.7

SW 7.5

MX 7.2

KO 7.2

SA 7.1

TW 6.9

RF 6.5

2022 Global PKI and IoT Trends Study 26

Figure 22 reports the three most salient
challenges in deploying and managing PKI.
Figure 22. What are the main challenges
As shown, Southeast Asia, Taiwan, the Middle
in deploying and managing PKI?
East, and the U.S. are most likely to cite no clear (Top 3 choices)
ownership as their most significant challenge.
The Middle East, Australia, Spain, and France Insufficient resources
are more likely to say insufficient resources is a Insufficient skills
challenge and Korea, Spain, and the U.S. say they
No clear ownership
are challenged by insufficient skills.
There is a consistent theme in these responses. 85%
We can see the importance of the PKI growing ME 51%
61%
and its integration with core IT applications. Also, 84%
PKI’s near-term future is being buffeted by trends AU 49%
40%
toward the cloud, mobility, and IoT. However,
81%
globally there is a lack of trained people and SP 61%
49%
tendency toward fuzzy ownership of the PKI.
80%
This is a significant departure from known best FR 39%
60%
practices that require direct lines of responsibility
75%
for all PKI-dependent applications and clear JP 46%
documentation of the dependencies and risk 46%

mitigation strategies. One wonders about the 72%

BZ 58%
condition of required PKI documentation and 57%

processes given these high rates of skills and 66%

RF 51%
personnel shortages. 43%

66%
MX 50%
46%

64%
DE 28%
36%

64%
UK 51%
48%

55%
KO 69%
47%

53%
SA 60%
67%

52%
US 61%
61%

51%
NL 42%
56%

49%
HK 51%
48%

48%
SW 54%
54%

34%
TW 46%
63%

27 2022 Global PKI and IoT Trends Study

As organizations plan the evolution of their PKI,
where are the greatest areas of possible change
and uncertainty? Figure 23 provides the top two
choices. Accordingly, U.S., Taiwan, and Russia
respondents say new applications such as IoT
are driving change and uncertainty. France,
U.S., and Hong Kong respondents say external
mandates and standards are driving change
and uncertainty.

Figure 23. Where are the greatest areas of change and uncertainty in the evolution of your PKI?
(Top 2 choices)

36% External mandates

US 48% and standards
4% New applications
TW 43% (e.g., Internet of Things)
29%
RF 41%

33%
DE 40%

36%
HK 40%

27%
ME 37%

31%
SW 36%

35%
BZ 34%

33%
AU 32%

28%
KO 32%

41%
FR 31%

22%
MX 27%

35%
NL 26%

26%
SA 26%

28%
JP 23%

29%
SP 22%

35%
UK 18%

2022 Global PKI and IoT Trends Study 28

Figure 24 reports what respondents believe are
the most important trends that are driving the
deployment of applications that make use of PKI.
As can be seen, France, Hong Kong, and Taiwan
are most likely to cite cloud-based services as
driving the deployment of applications that make
use of PKI. Brazil, Taiwan, the UK, and Korea are
most likely to see IoT as a driver to PKI adoption.
Southeast Asia, Hong Kong, and Mexico are more
likely to see consumer mobile as a driver.

Figure 24. What are the most important trends that are driving the deployment of applications
that make use of PKI? (Top 3 choices)

66% Cloud-based services

FR 35%
27%
Internet of Things
58%
HK 34%
Consumer mobile
53%

56%
TW 60%
31%

54%
SP 50%
44%

54%
US 36%
34%

53%
AU 33%
30%

51%
SA 35%
55%

51%
UK 57%
32%

49%
KO 57%
46%

48%
NL 39%
48%

48%
SW 42%
42%

46%
RF 49%
42%

44%
BZ 65%
32%

44%
ME 53%
46%

40%
MX 47%
53%

40%
DE 56%
30%

28%
JP 49%
45%

29 2022 Global PKI and IoT Trends Study

PART 3

Methods
2022 Global PKI and IoT Trends Study 30
Table 1 reports the consolidated sample response
for 17 separate country samples. Data collection
was conducted in January 2022. Our consolidated
sampling frame of practitioners in all countries
consisted of 162,436 individuals who have bona
fide credentials in IT or security fields. From this
sampling frame, we captured 7,056 returns of
which 792 were rejected for reliability issues. From
our final consolidated 2022 sample of 6,264, we
calculated the PKI subsample to be 2,505.

Table 1. Sample response Frequency

Sampling frame 162,436

Total returns 7,056

Rejected or screened surveys 792

Overall sample (encryption trends) 6,264

PKI subsample 2,505

Ratio subsample to overall sample 41%

Figure 25 reports the respondent’s organizational reported their position as associate/staff/

level within participating organizations. By design, technician. Respondents have on average 10.4
62 percent of respondents are at or above the years of security experience with approximately
supervisory levels and 37 percent of respondents 9.2 years of experience in their current position.

Figure 25. Distribution of respondents according to position level

(Country samples are consolidated)

1% 6%
3%

Senior Executive

37% 20% Vice President

Director

Manager/Supervisor

Associate/Staff/Technician

Other
33%

31 2022 Global PKI and IoT Trends Study

Figure 26 identifies the organizational location of This is followed by security at 21 percent of
respondents in our study. Almost half (46 percent) respondents and lines of business at 13 percent
of respondents are located within IT operations. of respondents.

Figure 26. Distribution of respondents according to functional area

1%
8%

IT operations
11%

Security

46% Lines of business

13%
Compliance

Finance

Other
21%

Figure 27 reports the industry classification of
respondents’ organizations. Twelve percent of
respondents are located in the financial services
industry, which includes banking, investment
management, insurance, brokerage, payments,
and credit cards. Eight percent of respondents
are located in retailing and seven percent of
respondents are in each of the following: health
and pharmaceuticals, public sector, services,
and technology and software.

Figure 27. Distribution of respondents according to primary industry classification

(Country samples are consolidated)

4% Financial services Manufacturing & industrial

4% 12%
4% Retailing Transportation
4% Health & pharmaceutical Agriculture & food service
8%
4%
Public sector Defense & aerospace
5% 7%
Services Education & research
Technology & software Entertainment & media
5%
7%
Consumer products Other
5% Energy & utilities
5% 7% Communications
6% 7% Hospitality
6%

2022 Global PKI and IoT Trends Study 32

According to Figure 28, more than half (56 percent) of respondent are located in larger-sized
organizations with a global headcount of more than 1,000 employees.

Figure 28. Distribution of respondents according to organizational headcount

(Country samples are consolidated)

6%
7%

27%
More than 75,000

25,001 to 75,000
19%
5,001 to 25,000

1,001 to 5,000

500 to 1,000
17%
Less than 500
24%

33 2022 Global PKI and IoT Trends Study

PART 4

Limitations
2022 Global PKI and IoT Trends Study 34
There are inherent limitations to survey research that need to be carefully considered
before drawing inferences from the presented findings. The following items are specific
limitations that are germane to most survey-based research studies.

Non-response bias are representative of individuals who are IT or IT

The current findings are based on a sample security practitioners within global companies
of survey returns. We sent surveys to a represented in this study.
representative sample of IT and IT security
Self-reported results
practitioners in 17 countries resulting in a
The quality of survey research is based on the
large number of usable returned responses.
integrity of confidential responses received from
Despite non-response tests, it is always possible
respondents. While certain checks and balances
that individuals who did not participate are
were incorporated into our survey evaluation
substantially different in terms of underlying
process including sanity checks, there is always
beliefs from those who completed the survey.
the possibility that some respondents did not
Sampling-frame bias provide truthful responses.
The accuracy of survey results is dependent
upon the degree to which our sampling frames

35 2022 Global PKI and IoT Trends Study

About Ponemon Institute
The Ponemon Institute© is dedicated to advancing responsible information and privacy
management practices in business and government. To achieve this objective, the Institute
conducts independent research, educates leaders from the private and public sectors, and
verifies the privacy and data protection practices of organizations in a variety of industries.

About Entrust Corporation

Entrust keeps the world moving safely by enabling trusted experiences for identities, payments,
and digital infrastructure. We offer an unmatched breadth of solutions that are critical to
enabling trust for multi-cloud deployments, mobile identities, hybrid work, machine identity,
electronic signatures, encryption, and more. With more than 2,800 colleagues, a network of
global partners, and customers in over 150 countries, it’s no wonder the world’s most entrusted
organizations trust us. For more information, visit entrust.com.

Entrust, nShield, and the hexagon logo are trademarks, registered trademarks, and/or service marks of Entrust Corporation
in the U.S. and/or other countries. All other brand or product names are the property of their respective owners.

© 2022 Entrust Corporation. All rights reserved.

PK23Q2-2022-pki-iot-trends-study-re
2022 Global PKI and IoT Trends Study 36