SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Public Key Infrastructure adoption and the future of cyber risk
Wed, 8th Mar 2023

With threats on the rise, countries, industries, and organisations are developing best practices and regulations to mitigate increasingly sophisticated attacks. Public Key Infrastructure (PKI), as the backbone of IT security, naturally plays a big role, because organisations need to make sure they have the right security solutions in place.

According to the 2022 Global PKI and IoT Trends Study by Entrust and Ponemon Institute, changing standards and regulations are one of the top areas where stakeholders expect change and uncertainty. That’s because the regulatory landscape is growing and becoming more defined and rigid.

For example, at a federal level, most countries are looking closely at cybersecurity – from the White House issuing a mandate to improve the nation’s cyber security to the Australian Government’s Australian Cyber Security Centre providing guidelines for organisations on protecting their systems and data from cyber threats. From government intelligence down to personally identifiable information (PII) at the individual level, most of these measures are in place with the aim of protecting data.

Protecting data now and in the future

Data protection is also a focus when we look at something like post-quantum (PQ) cryptography. This is another area of concern, and it certainly appears that it is going to be a major one within the next decade.

Although there is no final regulation or recommendation from the standards bodies about the cyber threats posed by PQ, we’re already seeing an increasing number of calls to action. These often begin with inventorising data so organisations and companies understand what their most sensitive data is and where it resides before then prioritising that data.

When the organisation is at the stage of securing its data, implementing PQ cryptography is key, and this will require PKI.

For that conversation, we encourage customers to talk to their security vendors to ensure they are buying and using solutions that are “PQ-ready” in order to future-proof those protection mechanisms. It is an investment that needs to be made.

Unified regulation and control is key

Increased regulation is happening globally, but with each country having its own set of guidelines, the waters are increasingly murky, which can exacerbate the situation.

Further, this is not only happening at the country level – in the US, we’ve seen IoT regulation coming out at the state level in California and Oregon. Additionally, each industry has its own set of requirements too, such as we see in healthcare and finance.

As more regulations emerge across a range of geographies and industries and those protections layer over one another, it can be challenging for organisations to navigate them and ensure they’re meeting all requirements. In the PKI and IoT Trends Study, we saw that the top three challenges to deploying and managing PKI are a lack of internal skills, a lack of resources, and no clear ownership.

This points to the fact that not all organisations have the expertise to cope properly and are struggling with PKI and the associated regulations. It also means there might not be one single group overseeing these requirements at an organisational level, which could leave the company open to compliance risks.

However, at a federal level, data protection and data sovereignty are key focuses. With news of breaches and ransomware attacks practically a daily occurrence, it seems that many have come to accept the threat from bad actors as a case of ‘when’ rather than ‘if’.

As such, while much is being done to fortify systems and users, there is a growing focus on ensuring that data and communication are protected even in the event of a loss of information – whether intentional or accidental. To meet these needs and shape their strategy, organisations look to regulations and compliance to help instil trust in investors, users, and customers. Therefore, regulations such as those laid out by the Australian Signals Directorate and the Department of Home Affairs will continue to be critical tools in the fight to prevent data breaches.

We’re also seeing an increase in regulation being put in place to protect end users/consumers, including the state-level regulations mentioned earlier. The Australian Government also recently issued the Code of Practice: Securing the Internet of Things for Consumers. It puts the onus of IoT security on the manufacturer of commercial devices to improve consumer security as individuals own more connected devices that communicate with one another without human intervention. 

Finally, there are threats like PQ. Since a quantum computer is capable of breaking the public key cryptography in use today, it is necessary to have an eye on the future and consider this a real risk. Although regulation and recommendations in this area are still in the early days, we’re seeing more and more countries, agencies, and regulatory bodies looking at this to ensure digital ecosystems, data, and communications remain secure should a quantum computer be used to break that cryptography.

Summing up, PKI is an essential part of a secure ecosystem and will only increase in importance over the coming years. As the Global PKI and IoT Trends Study reveals, more organisations and government bodies are working to solidify governance around PKI and connected systems – so it is essential for organisations to keep up with any changes and ensure their compliance, while also making sure that their own in-house governance is carefully considered and planned. Only by presenting a unified front will cyber and data risks be diminished.