Article adapted from Michelle Davidson's blog on the same subject.
Over the last year, the Public Key Infrastructure (PKI) and cybersecurity markets have seen a host of events that have prompted organizations to reassess and update their security posture: new regulations and changes, discussions around certificate validity periods, evolving AI-enabled cyber threats, and real-life examples of the devastating impact security incidents can have on IT teams and organizations in today's digital landscape.
GlobalSign’s Chief Product Officer, Lila Kee, talks about how the market is changing and how businesses can adapt to be prepared for further evolutions in the years to come: “Across the PKI and cybersecurity industries, there has been a significant shift in refocusing the commitment to data and digital identity security, evidenced by the changes that have been proposed by key players, like those from the CA/B (Certificate Authority/Browser) Forum and internet browsers. These changes will affect the way organizations operate on every level, and how they can use a variety of solutions to navigate them.”
In this blog, we look at how these catalyst events are shaping what could be in store for the year ahead.
1. The Evolution of AI
AI has been around for a while, quietly building knowledge and sophistication, but earlier this year usage boomed and the subject dominated online conversations as we were introduced to the platform ChatGPT. As AI took the world by storm, organizations both embraced the technology and held reservations about it as its benefits and drawbacks emerged throughout the year.
AI is no longer a distant dream and is fast finding its place within modern technology, providing the opportunity to redefine what's possible and the potential to enhance efficiency and productivity within organizations. But there has been a mix of stories on its impact and role within the cybersecurity and PKI markets: on one side, AI has been shown to enhance cyber-attacks such as business email compromise and phishing, making them harder to spot and mitigate against; on the other side, research has shown AI reducing the time needed to address a breach or apply patches.
With the average cost of a data breach increasing by 15% (since 2020), the future of AI's role within the PKI and cybersecurity markets is still to be fully defined, but let's watch this space as AI technology continues to learn and advance.
2. New Regulations are Emerging and it's Becoming Global
Over the span of decades, standards, regulations and protocols have been introduced and refined with the aim of providing better protection and transparency online, especially when it comes to data protection and online transactions. The eIDAS regulation has largely led this path over the years, and the introduction of eIDAS 2.0 and EUDI Wallets (European Digital Identity Wallets) brings enormous opportunity, not only within the European market but also globally, as other countries look to the regulation and its use of digital identity verification as a framework to potentially adopt or adapt for their own use.
Earlier this year, the White House revealed its National Cybersecurity Strategy, and other countries are expected to follow suit if they have not done so already. As cybersecurity rises on the political agenda, it's something organizations should be aware of, both in their operating region and globally, so they can adhere to the relevant rules in every region in which they trade.
Providers to Adapt with the Regulatory Changes
With several existing regulations already in place and changes expected globally, choosing a provider to support and guide organizations is important. GlobalSign is a Qualified Trust Service Provider with a number of services designed to offer enterprises a variety of solutions to meet the eIDAS regulation, and we also provide solutions to support the Payment Services Directive (PSD2).
3. Certificate Lifespans Could Decrease (Again) and Digital Certificate Usage is Increasing
Certificate lifespans have been reducing over the past decade from five years to the current one year (397 days), and if previous trends are any indication, certificate validity periods are likely to continue to shrink.
Earlier this year, fresh conversations were sparked throughout the PKI market and cybersecurity industry as a proposal to reduce SSL / TLS certificate lifespans emerged. The aim of the proposal is to reduce certificate-based website vulnerabilities and minimize exposure to potential breaches. While it does do this, it also increases the number of certificates for IT teams to manage and track, a trend we are seeing beyond SSL / TLS alone.
Digital certificates are a versatile cryptographic tool which any organization can use to secure users, devices, or endpoints. They can be utilized in a multitude of ways across security infrastructures to prevent unknown actors from gaining access to company systems and networks. From the Internet of Things (IoT) to development code, the possibilities and use cases for digital certificates are vast and growing. But with this growth comes added workload and pressure on IT teams as they juggle different requirements within an organization.
Automation Can Adapt to Your Requirements
To manage this increase, businesses are turning to tools that automate PKI operations, including the processes of certificate issuance, renewal, and revocation. Automation solutions can adapt to business requirements and, as the number of certificates grows, ensure that they stay consistently in line with company security policies and industry regulations.
With automation, IT teams reduce manual tasks and human error and gain real-time visibility into the certificate lifecycle, allowing them to monitor certificates proactively and respond to issues promptly. PKI automation is no longer a nice to have; it's a necessity.
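As an added example, not code from the original post or from any GlobalSign product: a small Go check, using only the standard library, that inspects a parsed certificate against the 397-day maximum validity mentioned above and flags certificates that are expired or close to expiry. The 30-day renewal window and the self-signed test certificate are assumptions for illustration; in practice the certificates would come from your inventory or a TLS scan.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const (
	MaxValidity = 397 * 24 * time.Hour // current CA/B Forum cap on public TLS certificate lifetime
	RenewWindow = 30 * 24 * time.Hour  // assumed renewal threshold; tune to your own policy
)

type Finding struct { // monitoring verdict for one certificate
	Subject   string
	DaysLeft  int
	TooLong   bool // validity period exceeds MaxValidity
	RenewSoon bool // still valid but expires within RenewWindow
	Expired   bool
}

// Inspect checks a parsed certificate against the lifetime and expiry policy at time now.
func Inspect(cert *x509.Certificate, now time.Time) Finding {
	left := cert.NotAfter.Sub(now)
	return Finding{Subject: cert.Subject.CommonName, DaysLeft: int(left.Hours() / 24),
		TooLong:   cert.NotAfter.Sub(cert.NotBefore) > MaxValidity,
		RenewSoon: left > 0 && left <= RenewWindow, Expired: left <= 0}
}

// SelfSigned builds a constructed self-signed test certificate (not a real issued one).
func SelfSigned(cn string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(lifetime)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() { // constructed cert issued 380 days ago with a two-year lifetime: flagged TooLong
	cert, _ := SelfSigned("test.example", time.Now().Add(-380*24*time.Hour), 2*365*24*time.Hour)
	fmt.Printf("%+v\n", Inspect(cert, time.Now()))
}
```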
4. Future-Proofing Digital Trust with Post-Quantum Cryptography
Advancements and research into quantum computing are ongoing, although mostly, it seems, in the background. While it is not likely to make giant steps next year, it is a threat companies are becoming increasingly aware of. The question of how secure digital certificates are in the face of quantum advancements has been raised and, honestly, it might still be too early to tell. However, as we discussed in our blog earlier this year, post-quantum cryptography is the response, aiming to develop cryptographic algorithms that are resistant to attacks from quantum computers.
No matter which way you look at it, quantum computing is coming, and with it new, unknown threats and challenges. Without new public key cryptography standards, attackers equipped with quantum computers could listen in on and interfere with systems that rely on trust. The conversation around quantum computers is likely to develop further into 2024, so choosing a Certificate Authority which is proactive in researching cryptographic methods, such as GlobalSign, means that you can have confidence that your certificates will remain secure as the landscape evolves.
5. The World is Changing and So is Your Digital Identity
With the rapid pace of technological advancements and new regulations, digital certificates are constantly undergoing revisions and adjustments. By following the ever-changing industry standards, we can ensure that our identities are secure and fully trusted.
One example is the recent implementation of the S/MIME Baseline Requirements (BR). The BR brings stricter guidelines and additional requirements and is designed to keep you safe from attacks, even with the use of the latest technology. With the S/MIME BR, the use of digital certificates on email may soon become the norm.
With the release of eIDAS 2.0, the regulation is becoming something close to a global standard: other countries are adopting the same regulations or following the same practices, as eIDAS transforms digital identities not just in the EU but for the rest of the world.
6. New Tools to Gain Trust and Security
These new technologies also bring us new products and services. Even as they improve our work, you should still make sure that you are protected, since they may also bring new threats and exploits for which current tools are not sufficient. Check for updates to confirm you are covered, or ask for an updated product portfolio; you may find products you were missing before, and perhaps more.
Expect more defined products, integrations, collaborations, and partnerships. Watch out for new and upcoming releases from your trusted security providers, like GlobalSign.
7. Security Should be Everyone's Responsibility
With many sophisticated and AI-fueled attacks hijacking the headlines this year, one statistic has stood out: human error still accounts for over 80% of data breach incidents. This number may have fluctuated over the years, but it continues to be a trend in the market, and this year is no exception. As we look to the year ahead, security should be everyone's responsibility. The statistic above shows that more can be done internally to reduce the risk and prevent organizational data and information from falling victim to a cyber-attack.
Organizations are looking to enable faster delivery of customer value and agility at scale through the adoption of DevOps practices; however, security is often viewed as an afterthought. This viewpoint is beginning to change as the industry shifts. According to Gartner®, DevSecOps practices are expected to be embedded in 85% of product development teams by 2027.
In the latest IBM Cost of a Data Breach report, the top-ranking effective cost mitigator was the adoption of a DevSecOps approach, which is essential to building security into any tools or platforms an organization depends on. Earlier this year, a zero-day attack on MOVEit rocked the world of cybersecurity and had devastating consequences, some of which are still being discovered. Enterprises globally are patching vulnerabilities and looking to secure themselves against similar attacks in the future, but integrating security into all stages of the DevOps lifecycle enables continuous risk mitigation.
8. Growing Skills Shortage in PKI and Cybersecurity
In the UK, for example, 50% of all businesses have a basic cybersecurity skills gap, while 33% have an advanced cybersecurity skills gap. Cyber threats are continuously evolving, and a robust security stance establishes trust and safeguards data access and integrity. While countries are working on strategies and regulations to strengthen their cyber ecosystems, there is a growing need in the interim for cybersecurity and PKI expertise within organizations. A similar situation is unfolding in Singapore, where there is a clear increase in cyber threats but the tech sector finds itself short of cybersecurity professionals.
Reducing the Gap and Seeking Trust and Expertise from Your PKI Solution Provider
The use of integrations and APIs for certificate management has also been on the increase as organizations try to find ways to minimize the impact of the skills shortage on managing, maintaining and auditing certificates. In 2024, it's an optimal time to revisit your strategic security goals and consider how PKI can help with encryption, authentication and access control, certificate lifecycle management, compliance, regulations, and more; any one of these can be a security target at any point in the process.
Here at GlobalSign, we have a number of solutions designed with your business in mind to mitigate risks and secure your users, devices, and endpoints. Discuss your PKI requirements with our experts today to find the solution which best suits your needs.