2024 has been a year of significant development in the cybersecurity industry. Looking back on GlobalSign’s predictions last year, a lot of the trends we saw then look to continue on into the next year, as we see continuous shifts in areas like Artificial Intelligence (AI), Post-Quantum Computing (PQC) and decreasing certificate lifespans.
AI has firmly established itself in the industry and we’re now seeing developing regulation as it is further implemented into many online tools. Meanwhile, eIDAS 2.0 and the European Digital Identity Wallets continue to be a hot topic as they affect industry standards, and new developing regulation also seems poised to have its own effects in the coming year. PQC also continues to be subject to speculation, with the first standards being released this year making post-quantum seem closer than ever.
This blog will explore these trends and more alongside the effect they’ll likely have in the coming year, alongside how we expect these will come to shape the Public Key Infrastructure (PKI) industry going forward, and how what we’ve seen this year will be relevant going into the next.
1. The Rise of AI in PKI
2. Preparing for Post-Quantum Cryptography (PQC)
3. Digital Identity and Regulatory Changes
4. The Internet of Things (IoT) and PKI
5. Zero Trust Architecture
6. Growth of Cloud-Based Solutions
7. Shortening Certificate Lifecycles
1. The Rise of AI in PKI
As AI and machine learning advance, their integration into PKI systems is becoming essential. AI-driven phishing and spoofing attacks are growing more sophisticated, making traditional detection methods less effective. To keep up with this, cyber defenses must follow suit. PKI's reliance on asymmetric cryptography provides a robust framework for authenticating and securing communications, but with the pace with which AI tools are being developed, vigilance will be needed going forward to constantly develop defenses to respond to increasingly automated, intelligent threats.
AI is already leading to an increasing prevalence of fake material in the market as a result of prolific content generation tools. Going forward this will mean robust identity verification may become necessary for users to be able to trust content they see and interact with online. It’s also not unlikely that we’ll see shifts in adaptation to enhance users’ awareness of content sources, whether through regulations or organically.
“Advancement in AI will not only blur the lines between real and fake content but will also significantly increase the prevalence of fake material in the market. As a result, the need for robust identity verification and binding will become essential for users to trust any form of media content.” - Mohit Kumar, Vice President of Product Management
On the topic of regulation, we’re likely going to continue to hear about new legislation to address the growing use of AI globally. We’re of course already seeing this, with regulations like the EU's Artificial Intelligence Act which will come fully into force in 2025, and various US initiatives emphasizing responsible AI use; such as the Algorithmic Accountability Act, National AI Initiative Act and major state-level regulations being implemented by states like New York and California.
The effects this will have on PKI management will be felt over the next year, with AI and machine learning set to play a bigger role in prediction of certificate expiration, detection of anomalies, and prevention of outages. Security vendors are increasingly integrating AI into their PKI platforms for these benefits, showing their growing role in the industry, moving towards more intelligent, agile solutions.
2. Preparing for Post-Quantum Cryptography (PQC)
Quantum computing poses a significant threat to traditional encryption methods, necessitating the development of quantum-resistant cryptographic algorithms. As quantum technology advances, the focus on securing data against these future threats is growing.
Quantum-resistant cryptographic algorithms are designed to withstand the computational power of quantum computers, ensuring the continued security of digital communications and data. Google and NIST are leading efforts to implement these new standards, with Google having recently introduced a hybrid post-quantum cryptographic algorithm in Chrome.
Regulations like NIST’s first Post-Quantum Encryption standards being released earlier this year highlight that post-quantum technology may be closer than ever, and will continue to be monitored by the industry. More regulation looking at post-quantum will likely be inevitable in the coming year, as concern over its eventual arrival continues to grow and governments and organizations are forced to consider the effects of its adoption.
“As quantum computing continues to advance, the focus on quantum-resistant cryptographic algorithms and quantum encryption should grow as well … Perhaps 2025 will be the year these new methods begin to supplant current encryption.” – Amanda Faverty, Enterprise Account Manager
Organizations and Certificate Authorities (CAs) must quickly adapt to these changes by embracing quantum-resistant encryption and staying ahead of regulatory requirements. This will ensure the continued security and trustworthiness of digital identities and communications. Preparing for post-quantum cryptography is an immediate priority for the industry. As quantum computing advances, the focus on developing and implementing quantum-resistant cryptographic algorithms will be essential for maintaining security.
Future-proof digital trust with safe certificates
3. Digital Identity and Regulatory Changes
We’ve already discussed a range of regulatory changes, which were always going to be inevitable as the cutting edge of technology became more readily used in the public domain. As the industry continues to see changing circumstances as we also better understand activity online, we’ll continue to see changes around how digital identity is authenticated, measured, and secured.
Developing cyber threats are at the heart of this, leading to stricter requirements for digital certificate management. These compliance standards are especially focused on at-risk industries like healthcare, finance and manufacturing. These can be seen in developing regulations like PSD3 in Europe expected to be implemented throughout 2025-2026, or updates to HIPAA in the US that will be enforced from 2025. These regulations emphasize strong digital identity verification and compliance, pushing organizations to adopt robust PKI solutions.
PKI is vital for ensuring secure and compliant digital interactions. As AI-driven threats and regulatory demands increase, organizations must leverage PKI to safeguard digital identities and meet compliance requirements effectively.
4. The Internet of Things (IoT) and PKI
With the continued growth of IoT devices, which is expected to reach 55.7 billion by 2025, PKI is increasingly essential for securing device communication, authentication, and data integrity. PKI will likely come to provide a foundational security layer within IoT ecosystems, ensuring each device can securely communicate and authenticate its identity. It’s roles in securing the industry will only expand over time, and will see increased responsibility in areas such as:
- Device Communication Security: Encrypts data transmissions, protecting them from interception and tampering.
- Authentication: Uses digital certificates to verify device identities, ensuring only legitimate devices can access the network.
- Data Integrity: Signs data with private keys, allowing recipients to verify its integrity and origin.
These use cases are supported by the adoption of PKI authentication by leading platforms like AWS IoT and Microsoft Azure IoT Hub. On top of that, ongoing regulation such as the IoT Cybersecurity Improvement Act of 2020, and more recently, legislation like the UK’s Product Security and Telecommunications Infrastructure (PSTI) regime, continue to emphasize device identity management, pushing manufacturers to integrate PKI. As the number of connected IoT devices continues to accelerate, PKI's role in providing robust security solutions will become increasingly important.
5. Zero Trust Architecture
The adoption of Zero Trust models is growing, making PKI essential for identity-based authentication and encrypted communication. Zero Trust’s expansion will mean there will be requirements beyond external communication and ongoing security will also need to cover continuous verification of users, devices, and applications, with PKI providing the necessary security framework.
This trend is an ongoing effect of multiple regulations that are beginning to push organizations towards Zero Trust in an effort to improve cybersecurity standards. The US Executive Order on Cybersecurity from May 2021 mandated a shift towards Zero Trust architectures and continues to push organizations towards its adoption. Zero Trust means a need for constant verification, highlighting PKI's critical role in establishing secure identities. In fact, Gartner predicts that by 2025, over 60% of enterprises will replace traditional VPNs with Zero Trust Network Access (ZTNA), relying heavily on PKI for secure authentication.
“The adoption of Zero Trust models will continue to grow, making PKI a critical component for enabling identity-based authentication and encrypted communication.” – Debbie Hayes, Director of Product Marketing
PKI is and will continue to be crucial for implementing Zero Trust models, providing robust security for identity verification and encrypted communication. As Zero Trust adoption grows, PKI's role in maintaining secure and compliant environments will become increasingly significant.
6. Growth of Cloud-Based Solutions
As businesses continue to embrace cloud-native architectures, the adoption of PKI for securing cloud-based applications, microservices, and containerized environments is set to surge. This shift is driven by the need for robust security measures that can keep pace with the dynamic and scalable nature of cloud environments. Gartner predicts that by 2025, over 95% of new digital workloads will be deployed on cloud-native platforms, underscoring the critical role of PKI in securing these environments and ensuring data integrity and authentication across diverse and distributed systems.
PKI solutions are expected to evolve significantly to support cloud-native deployments seamlessly, focusing on providing scalable and flexible certificate management tailored to the unique requirements of cloud-based services. Enhanced automation and integration capabilities will be key features, enabling organizations to manage certificates efficiently in complex cloud ecosystems.
As microservices and containerized environments become more prevalent, the need for secure communication between these components will drive the adoption of PKI, ensuring that each microservice and container can authenticate and communicate securely, preventing unauthorized access and data breaches. The future of PKI in cloud-based solutions will be characterized by its ability to scale with the growing demands of cloud environments, allowing businesses to adapt quickly to changing security needs and ensuring continuous protection without compromising performance.
7. Shortening Certificate Lifecycles Necessitate Crypto-Agility
In response to evolving security concerns and industry regulations, the trend towards shortening certificate lifespans is expected to continue. This shift is driven by the need to enhance security by reducing the window of opportunity for compromised certificates to be exploited. Shorter certificate lifespans mean that even if a certificate is compromised, its validity period is limited, thereby minimizing potential damage.
The CA/Browser Forum's decision in 2020 to reduce the maximum validity period for SSL / TLS certificates to one year reflects this trend. This move was aimed at improving security by ensuring that certificates are renewed more frequently, thus reducing the risk of long-term exploitation of compromised certificates. The momentum towards this increased this year with Apple proposing a bold move to shorten the lifespan of public SSL/TLS certificates to just 47 days by 2027. This proposal, announced at the latest CA/Browser Forum meeting, follows Google's earlier push to limit certificate validity to 90 days.
The rise in phishing attacks and incidents of certificate misissuance has also pushed organizations to adopt shorter certificate lifespans. By limiting the validity period of certificates, organizations can have better control and mitigate the risks associated with these threats.
Automation in certificate renewal processes are a key enabler of this trend. By automating the renewal process, organizations can ensure that certificates are updated promptly without the risk of human error or oversight. This not only improves security but also reduces the administrative burden associated with manual certificate management, and helps foster a state of crypto-agility which has been emerging as critical for maintaining secure operations.
“With the evolving developments around the decreasing lifespan of digital certificates, it is imperative that organizations look to adapt their security models with crypto-agility in mind. By adopting automated solutions, businesses can reduce the risk of compromised or expired certificates, stay ahead of evolving threats and maintain robust security in an increasingly dynamic digital landscape.” - Laurence Pawling, Vice President of Global Infrastructure
The shortening of certificate lifecycles is a critical development. As organizations continue to face sophisticated threats, the move towards shorter certificate lifespans, facilitated by automation, will play a crucial role in enhancing security and protecting digital assets. This trend underscores the importance of agile and proactive certificate management strategies in the ever-evolving cybersecurity landscape.
Optimize your certificate ecosystem by talking to us today
Navigating Industry Changes with Trusted Security Solution Providers
The trends we saw in 2023 have largely come to fruition and have continued developing throughout 2024, setting the stage for future developments. Organizations must stay informed and proactive in adopting these trends to build resilient security infrastructures capable of withstanding evolving threats.
“2025 will be a year of profound change for the PKI and CA industry—where AI, regulatory rigor, and cutting-edge technologies like quantum-resilient cryptography will converge to create a more secure and flexible digital infrastructure.” – Arnaud Vanderoost, Vice President of Sales EMEA
The future of PKI is promising, with continuous advancements ensuring robust and trustworthy digital security in an increasingly interconnected world. Organizations will need to revisit their security and how they manage digital certificates to stay ahead in the coming year. PKI remains a cornerstone of digital communications, providing the necessary tools to authenticate identities, encrypt data, and ensure the integrity of transactions.
GlobalSign, a trusted leader in the field of digital security, offers comprehensive PKI solutions tailored to meet the needs of modern businesses. With expertise in scalable and flexible certificate management, automation of renewal processes, and integration with leading cloud providers, GlobalSign is well-equipped to support organizations in enhancing their cybersecurity posture.
Ready to enhance your security? Connect with our experts today.
