Over the last year, the Public Key Infrastructure (PKI) and cybersecurity markets have seen a series of events that have prompted organizations to reassess and update their security posture: new and changing regulations, debate over certificate validity periods, evolving AI-enabled cyber threats, and real-life examples of the damage security incidents can do to IT teams and organizations in today's digital landscape.
GlobalSign’s Chief Product Officer, Lila Kee, talks about how the market is changing and how businesses can adapt to be prepared for further evolutions in the years to come: “Across the PKI and cybersecurity industries, there has been a significant shift in refocusing the commitment to data and digital identity security, evidenced by the changes that have been proposed by key players, like those from the CA/B [Certificate Authority/Browser] Forum and internet browsers. These changes will affect the way organizations operate on every level, and how they can use a variety of solutions to navigate them.”
In this blog, we look at how those events are shaping what could be in store for the year ahead.
1. The evolution of AI
2. New regulations are emerging and it’s becoming global
3. Future-proofing digital trust with post-quantum computing
4. Is there a Blockchain-PKI fusion on the horizon?
5. Certificate lifespans could decrease (again) and digital certificate usage is increasing
6. Security should be everyone’s responsibility
7. Growing skills shortage in PKI and cybersecurity
1. The Evolution of AI
We couldn’t look at the upcoming trends within the market without addressing the technological advancement of the year, Artificial Intelligence (AI).
AI has been around for a while, quietly growing in capability and sophistication, but this year usage boomed and online conversation was dominated by the subject following the public launch of ChatGPT. As AI took the world by storm, organizations both embraced the technology and voiced reservations about it as its benefits and drawbacks emerged through the year.
AI is no longer a distant dream; it is fast finding its place within modern technology, offering the chance to redefine what's possible and the potential to improve efficiency and productivity within organizations. Its impact on the cybersecurity and PKI markets cuts both ways, though: on one side, AI has been used to enhance attacks such as business email compromise and phishing, producing lures that are harder to spot and mitigate; on the other, research has shown AI-assisted tooling reducing the time needed to identify and contain a breach or to apply patches.
With the average cost of a data breach up 15% since 2020, AI's role within the PKI and cybersecurity markets is still to be fully defined, but it is a space to watch as the technology continues to learn and advance.
2. New Regulations are Emerging and it’s Becoming Global
Over the span of decades, standards, regulations and protocols have been introduced and refined with the aim of providing better protection and transparency online, especially for data protection and online transactions. The eIDAS regulation has largely led this path over the years, and the introduction of eIDAS 2.0 and EUDI Wallets (European Digital Identity Wallets) brings enormous opportunity, not only within the European market but also globally, as other countries look to the regulation and its use of digital identity verification as a framework to adopt or adapt for their own use.
Earlier this year, the White House revealed its National Cybersecurity Strategy and other countries are expected to follow suit, if they have not done so already. As cybersecurity rises on the political agenda it’s something organizations should be aware of, both in their operating region but also globally to adhere to relevant areas in which trade is conducted.
Providers to Adapt with the Regulatory Changes
With a number of existing regulations already in place and changes expected globally, choosing a provider to support and guide organizations is important. GlobalSign is a Qualified Trust Service Provider with a number of services available designed to offer enterprises a variety of solutions to meet the eIDAS regulation, but we also provide solutions to support the Payment Services Directive (PSD2).
3. Future-Proofing Digital Trust with Post-Quantum Computing
Advancements and research into quantum computing are ongoing, although mostly in the background, and whilst giant steps are unlikely next year, it is a threat companies are becoming increasingly aware of. The question of how secure today's digital certificates will be in the face of quantum advances has been raised and, honestly, it may still be too early to answer. However, as we discussed in our blog earlier this year, post-quantum cryptography is the response: the development of cryptographic algorithms that resist attack from quantum computers. The concrete concern is that a sufficiently large quantum computer running Shor's algorithm would break the RSA and elliptic-curve public-key algorithms on which today's certificates and TLS key exchange rely; symmetric ciphers and hash functions are far less affected.
No matter which way you look at it, quantum computing is coming, and with it new threats and challenges. Without new public-key cryptography standards, an attacker equipped with a quantum computer could read and interfere with systems that rely on trust; traffic recorded today can also be stored and decrypted later once such a machine exists, so long-lived secrets are already at risk. Standardization is well under way: NIST selected CRYSTALS-Kyber for key establishment and CRYSTALS-Dilithium, Falcon and SPHINCS+ for digital signatures in 2022, and published draft standards for three of them in 2023. The conversation is likely to develop further into 2024, so choosing a Certificate Authority that is proactive in researching post-quantum methods, such as GlobalSign, means you can have confidence that your certificates will remain secure as the landscape evolves.
4. Is there a Blockchain-PKI Fusion on the Horizon?
Blockchain technology was established as the founding component of Bitcoin. It is a distributed ledger, or decentralized database, made up of blocks of data chained together with cryptographic hashes, allowing information to be shared and verified within a business network. Over the years a number of proposals have been put forward for using blockchain to secure digital communications by anchoring PKI-based identity in the ledger, with certificate transparency built in.
Up until fairly recently, you could argue that blockchain technology and PKI have been running adjacent to each other but as time has ticked by, could it be that a blockchain-PKI fusion is on the horizon?
5. Certificate Lifespans Could Decrease (Again) and Digital Certificate Usage is Increasing
Maximum lifespans for publicly trusted TLS certificates have been reduced over the past decade from five years to roughly one year today (398 days at most, with 397 days recommended), and if previous trends are any indication, validity periods will continue to shrink.
Earlier this year, fresh conversations were sparked across the PKI and cybersecurity industries when Google's Chrome Root Program published a roadmap proposing a 90-day maximum lifetime for SSL/TLS certificates. The aim is to limit the window in which a compromised or mis-issued key remains usable and to reduce reliance on revocation checking. That does reduce exposure, but it also multiplies the number of certificates IT teams have to manage and track, a trend we are seeing well beyond SSL/TLS.
Digital certificates are a versatile cryptographic tool that an organization can use to secure users, devices and endpoints, and they can be deployed across a security infrastructure in many ways to keep unknown actors out of company systems and networks. From the Internet of Things (IoT) to code signing, the use cases for digital certificates are vast and growing. With them grows the workload and pressure on IT teams juggling different requirements within an organization.
Automation Can Adapt to Your Requirements
To manage this increase, businesses are turning to tools that automate PKI operations, including certificate issuance, renewal and revocation. Automation solutions can adapt to business requirements and, as the number of certificates grows, keep them consistently in line with company security policies and industry regulations.
Automation reduces manual tasks and human error and gives real-time visibility into the certificate lifecycle, letting IT teams monitor certificates proactively and respond promptly to issues. PKI automation is no longer a nice to have; it's a necessity.
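As an added illustration of the policy checks such automation enforces (example code written for this post, not a GlobalSign tool or the project's own code), the Go program below issues four self-signed test certificates with the standard library, parses them back as an X.509 inventory, and flags every certificate that is expired, inside a renewal window, or issued with a validity period longer than the 398-day Baseline Requirements cap. The 30-day renewal window, the hostnames and the certificate lifetimes are constructed assumptions for the example; in production the certificates would come from a TLS scan or a CA inventory export instead of makeCert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// maxValidity is the CA/Browser Forum Baseline Requirements cap for
// publicly trusted TLS certificates. renewWindow is an assumed local
// policy: anything with 30 days or less left gets renewed.
const (
	maxValidity = 398 * 24 * time.Hour
	renewWindow = 30 * 24 * time.Hour
)

// Finding records one policy violation for one certificate.
type Finding struct {
	Subject string
	Issue   string
}

// CheckCert evaluates a parsed certificate against the policy as of now.
// A healthy certificate yields no findings.
func CheckCert(c *x509.Certificate, now time.Time) []Finding {
	var out []Finding
	subj := c.Subject.CommonName
	if now.Before(c.NotBefore) {
		out = append(out, Finding{subj, "not yet valid"})
	}
	switch remaining := c.NotAfter.Sub(now); {
	case remaining <= 0:
		out = append(out, Finding{subj, "expired"})
	case remaining <= renewWindow:
		out = append(out, Finding{subj, fmt.Sprintf("expires in %d days, renew now", int(remaining.Hours()/24))})
	}
	if c.NotAfter.Sub(c.NotBefore) > maxValidity {
		out = append(out, Finding{subj, "validity period exceeds 398 days"})
	}
	return out
}

// makeCert issues a self-signed ECDSA P-256 certificate for cn. It stands in
// for the certificates a real scanner would collect; constructed test data.
func makeCert(cn string, notBefore time.Time, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // parse the DER back, as an inventory tool would
}

// Inventory builds a constructed four-certificate inventory relative to now
// and returns every finding CheckCert raises against it.
func Inventory(now time.Time) ([]Finding, error) {
	day := 24 * time.Hour
	samples := []struct {
		cn       string
		issued   time.Time
		validity time.Duration
	}{
		{"ok.example.com", now.Add(-10 * day), 90 * day},    // healthy, 80 days left
		{"soon.example.com", now.Add(-85 * day), 90 * day},  // 5 days left: renew
		{"long.example.com", now.Add(-1 * day), 400 * day},  // over the 398-day cap
		{"old.example.com", now.Add(-400 * day), 365 * day}, // expired 35 days ago
	}
	var findings []Finding
	for _, s := range samples {
		c, err := makeCert(s.cn, s.issued, s.validity)
		if err != nil {
			return nil, err
		}
		findings = append(findings, CheckCert(c, now)...)
	}
	return findings, nil
}

func main() {
	// X.509 stores times at second precision, so truncate before comparing.
	findings, err := Inventory(time.Now().UTC().Truncate(time.Second))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-20s %s\n", f.Subject, f.Issue)
	}
}
```

Running it prints three findings (soon.example.com to renew, long.example.com over the cap, old.example.com expired) and nothing for the healthy certificate; the same CheckCert function can be pointed at certificates obtained from a live TLS handshake or a PEM directory once they are parsed with crypto/x509.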
6. Security Should be Everyone’s Responsibility
With many sophisticated and AI-fueled attacks hijacking the headlines this year, one statistic has stood out: human error still accounts for over 80% of data breach incidents. This number has fluctuated over the years, but the trend persists and this year is no exception. As we look to the year ahead, security should be everyone's responsibility; the statistic shows that more can be done internally to reduce risk and prevent organizational data and information from falling victim to a cyber-attack.
Organizations are looking to enable faster delivery of customer value and agility at scale through the adoption of DevOps practices; however, security is often viewed as an afterthought. This viewpoint is beginning to change as the industry shifts: according to Gartner®, DevSecOps practices are expected to be embedded in 85% of product development teams by 2027.
In the latest IBM Cost of a Data Breach report, the top-ranking cost mitigator was the adoption of a DevSecOps approach, which builds security into every tool and platform an organization depends on. Earlier this year, mass exploitation of a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer file-transfer product rocked the world of cybersecurity and had devastating consequences, some of which are still being discovered. Enterprises globally are patching vulnerabilities and looking to secure themselves against similar attacks, but integrating security into every stage of the DevOps lifecycle mitigates risk continuously rather than after the fact.
7. Growing Skills Shortage in PKI and Cybersecurity
As 2023 draws to a close, the shortage of cybersecurity and PKI skills and the knowledge gaps within businesses are becoming more apparent. In the UK, for example, 50% of businesses have a basic cybersecurity skills gap, while 33% have an advanced cybersecurity skills gap.
Cyber threats are continuously evolving, and a robust security stance establishes trust and safeguards data access and integrity. Whilst countries are working on strategies and regulations to strengthen their cyber ecosystems, there is a growing need in the interim for cybersecurity and PKI expertise within organizations.
Reducing the Gap and Seeking Trust and Expertise from Your PKI Solution Provider
The use of integrations and APIs for certificate management has also been increasing as organizations look for ways to minimize the impact of the skills shortage on managing, maintaining and auditing certificates. As the new year approaches, it's an optimal time to revisit your strategic security goals and consider how PKI can help with encryption, authentication and access control, certificate lifecycle management, compliance and regulation, and more; any one of these can be a target at any point in the process.
Here at GlobalSign, we have a number of solutions designed with your business in mind to mitigate against risks and secure your users, devices and end-points. Discuss your PKI requirements with our experts today to find the solution which best suits your needs.