PKI Predictions for 2023: A Focus on Software Supply Chain Security, IoT device Standards, and More

In 2023, PKI will continue to break into the mainstream enterprise discourse as a business-critical investment. Keyfactor’s State of Machine Identity Management 2022 report shows that organizations are struggling to modernize their PKI practice.

• 66% are deploying more keys and certificates across their IT landscape, while 70% say the growth of keys and certificates has increased operational burden. 
• 57% ranked crypto agility as a top strategic priority for digital security, and 55% said zero-trust initiatives were a top driver of PKI, keys, and certificates. 
• 81% of organizations experienced multiple disruptive outages due to expired certificates in 2021 and 2022, with an average remediation time of 3.3 hours.

As outages become more high-stakes, new compliance standards take shape, and zero-trust gains traction as a practical framework, we can expect to see PKI and its usage evolve this year. 

To understand how the shifting regulatory environment, threat landscape, and emerging business strategies will impact — and be impacted by — PKI, we turned to Tomas Gustavsson, Keyfactor’s Chief PKI Officer. He gave us the inside scoop.

Tomas Gustavsson: With the introduction of new legislation from the EU and the U.S. government, particular types of IoT devices will fall under scrutiny. These regulations will address traditional software vulnerabilities and the potential for cryptographically secure updates and data encryption. 

I predict this discussion will continue and heighten in 2023, not least in the E.U. with the introduction of the EU Cyber Resilience Act. We can expect best practices recommended by NIST and ENISA to become mandatory, though this will happen slowly.

Tomas: Some industries like telecom and critical infrastructure have long prioritized supply chain security. The software supply chain has lagged because it isn’t as obvious, and research hasn’t yet been well established. The software world has prioritized innovation over security, even in consumer software that handles essential, sensitive data. 

But that’s changing for a few reasons:

• We’ve seen larger software consumers fall victim to supply chain attacks, and we’ve watched them respond by raising security standards for their suppliers. This will trickle down to smaller organizations and will be driven by both government and private procurement. 
• In recent years, academic research has picked up considerably around the software supply chain, so we can expect popular software packages to be analyzed more deeply, and thus improved.

Currently, it requires quite a bit of expertise to implement optimized security controls in the development and software supply chain, but in the coming years, we can expect these security controls to become more built into the tools and easier to optimize.

It’s practically impossible to secure software supply chains without using PKI, so we can expect PKI to become easier to integrate into development tools.

Tomas: All sectors! PKI is the most mature and standardized approach to solving the security demands most industries face. 

Some industries, like telecom, have used PKI for decades, so we may not see as much growth in those industries compared to sectors like automotive and manufacturing. These settings are transitioning to an everything-connected model, which requires them to escalate their PKI usage compared to what they’ve traditionally needed. 

Even enterprise organizations, which have used PKI solidly for many years, are seeing massive growth in PKI usage due to initiatives like zero trust. 

Tomas: PKI can’t solve everything. Organizations need multi-stage protections to guard against ransomware and other attacks. For instance, code signing is a critical component in preventing malware from being installed in your systems. If you can guard against unauthorized software, you can stay protected against many types of attacks. 

That said, stolen code-signing keys can enable ransomware to be signed. For a company with a private ecosystem of devices, it’s better to use privately trusted code-signing certificates rather than publicly trusted ones. This insulates the manufacturer’s devices against stolen publicly trusted keys and certificates. 

In 2023, we can expect security around publicly trusted code-signing keys to strengthen as Microsoft enforces the use of hardware security modules for subscribers of code-signing certificates used to sign Windows code.

Tomas: Remote work is here to stay; the hybrid workplace is the new normal. PKI is the backbone for secure communication, and most products that secure remote work use PKI in one way or another. Regardless of whether it’s a VPN solution, video conferencing, or office collaboration tools, companies need to adopt a zero-trust strategy.

Zero-trust strategies will expand PKI usage into parts of the network that previously relied solely on network segmentation to enable easy, secure access to all the resources remote workers need. 

There is no reason it should not be just as easy to work from anywhere in the world—securely.

Big changes are in store for 2023, and maintaining a well-run PKI will be vital for enterprise success. To hit the ground running with your zero-trust initiative or to start planning to modernize your PKI, Keyfactor can help you scale PKI to meet your goals without sacrificing speed, efficiency, or security.