50 Years of Growth, Innovation and Leadership

A Frost & Sullivan White Paper
by Swetha Krishnamoorthi, Senior Industry Analyst, Cybersecurity and Jarad Carleton, Principal Analyst, Cybersecurity

The Global TLS Certificate Authority Market
Key Insights for Enterprise End Users

All rights reserved © 2019 Frost & Sullivan

CONTENTS
Introduction
The Importance of Transport Layer Security (TLS) Certificates
    The Major Functions of TLS Certificates
The State of the Market
    Market Share Analysis
    The Future of the Market
The Final Word

INTRODUCTION

Two-thirds of the UK population, about 44 million consumers, used digital payment methods in 2017 [1]. In the US market, consumers have also embraced digital payments, spending $453.46 billion on the Web for retail purchases [2]. While this is great news for the e-commerce sector, approximately 6.17 million data records are stolen every day [3]. Line of business (LoB) and information security executives need to remember that a Web site is the first touchpoint for B2B and B2C interactions in the digital world and the first indicator of the security posture of an enterprise.

The growing volume of online fraud resulting from phishing and online brand impersonation is a serious challenge for enterprises around the world that is directly impacting brand reputation. Additionally, reputational damage is a rising concern among enterprises as consumers are increasingly wary of digital transactions because of security concerns. Two methods frequently used by cyber criminals to steal user data, such as banking information and personally identifiable information (PII), are:

1. Email or SMS-based phishing attacks that trick users into clicking on links leading to impersonated Web sites to capture login credentials
2. Man-in-the-Middle (MitM) attacks

Because of these factors, today's highly mobile and Wi-Fi connected environment makes it critical to encrypt data transmission from laptops, tablets, and smartphones to Web sites for data protection.

Frost & Sullivan research shows that as online fraud continues to grow, consumer digital trust in organizations is negatively impacted. This erodes enterprise brand equity and revenues for those businesses perceived as less secure. In fact, the 2018 Global State of Online Digital Trust survey and index conducted by Frost & Sullivan directly links falling digital trust to lower revenues. This is illustrated by the fact that 48% of consumers state that they stop using a service if they believe their data was compromised as a result of using that service [4]. Whether the data compromise is the result of a data breach, phishing, Web site impersonation, or a MitM attack, digital trust and enterprise revenue are the collateral damage.

Furthermore, the Global State of Online Digital Trust study shows that consumer digital trust is in jeopardy. Globally, only 38% of consumers reported higher levels of digital trust, while 40% of consumers' trust levels remained the same, and 22% reported a decrease in digital trust. For the US, France, Italy, and Japan, the data provides a warning for online business because digital trust levels are so low that 1-2 major cyber incidents could push digital trust into negative territory. In 2018, consumers in the UK, Germany, and Australia reported they have less digital trust online than they did 24 months ago (Figure 1).
[1] statista/statistics/491938/digital-market-outlook-digital-payment-users-by-segment-uk/
[2] digitalcommerce360/article/us-ecommerce-sales/
[3] breachlevelindex/ as of 19 December 2018.
[4] CA Technologies 2018 State of Online Digital Trust Survey conducted by Frost & Sullivan ca/us/collateral/white-papers/the-global-state-of-online-digital-trust.html

FIGURE 1: End-User Change in Online Digital Trust in Organizations Over the Last 2 Years, Global, 2018 [5]
[Chart not reproduced: share of respondents whose digital trust increased or decreased, with net change in percentage points, for USA, BRA, UK, FRA, GER, ITA, AUS, IND, JPN, and CHN.]
N = 900. Source: CA Technologies 2018 State of Online Digital Trust Survey conducted by Frost & Sullivan

In light of the crisis of falling digital trust among Internet users, it is essential for enterprises to boost trust by providing a safer, high assurance, encrypted digital environment. Likewise, enterprises can protect their own processes and put in place stronger security controls by requiring high assurance identity verification processes for the tools they use for encryption, such as digital certificates. The default use of HTTPS (hypertext transfer protocol secure) to encrypt data traffic to and from a Web site will enhance digital trust, particularly now that the major browsers notify users that sites using unencrypted HTTP are not secure.

THE IMPORTANCE OF TRANSPORT LAYER SECURITY (TLS) CERTIFICATES

TLS [6] certificates are issued by a certificate authority (CA) and are bound by strict industry standards that govern certificate issuance. These enable inbound and outbound data encryption between the Web servers they are installed on and the browsers on endpoints [7] accessing Web sites. When properly implemented, TLS certificates protect data in transit from being read by cyber criminals and nation-state cyber adversaries, provided that neither endpoint is compromised by malware.

[5] Ibid.
[6] TLS or Transport Layer Security is the updated and more secure version of SSL (Secure Sockets Layer) and the two terms are used interchangeably.
[7] Desktops, laptops, tablets, and smart phones are collectively referred to as endpoints.

On Web sites using a TLS certificate, visitors will see one of the following in their browser, depending on the type of certificate used:

1. A padlock displayed in the URL bar of the browser (domain validation, or DV)
2. A padlock in the URL bar of the browser and the ability to view company information in the certificate details (organization validated, or OV), or
3. The name of the company or another visual indicator such as the color green (extended validation, or EV)

There are several reasons to use TLS certificates, but the primary business purpose is to protect data in transit from unauthorized access by a cyber adversary. TLS certificates help enterprises protect their brands as well as demonstrate to customers that internal security controls have been implemented. TLS certificates help establish, rather than erode, digital trust. This is important since Google Chrome and other major browsers began notifying users in 2018 that Web sites using clear text data transfer are not secure. Today, when a user goes to an unencrypted site, a warning is displayed and the user must confirm they want to visit the site despite the stated security risk.
Since Google's Chrome browser is used by about 61.5% of users globally [8], the warnings have shaped Internet user behavior. Additionally, because Google search results give higher preference to sites using TLS certificates and since Google controls approximately 64.4% of the search engine market [9], business owners cannot afford to ignore the importance of data encryption for inbound and outbound Web site data traffic.

The Major Functions of TLS Certificates

Authentication: The certificate authorities verify different types of information about an organization before issuing an SSL certificate, such as control of a domain, whether the domain owner is a business or an individual, the physical mailing address, or the legal existence of an organization.

Encryption: The TLS certificate encrypts any data exchanged between the user and Web site, which is otherwise transmitted as plain text accessible to hackers.

Data Integrity: TLS certificates prevent data loss or alteration during data transmission by using a message authentication code (MAC) algorithm.

THE STATE OF THE MARKET

The last two years have been eventful in the global high assurance (HA) certificate market. Highlights of a few major announcements that had a significant impact on the HA certificates market are described in Figure 2.

[8] October 2018, gs.statcounter/
[9] October 2018, gs.statcounter/search-engine-host-market-share

Figure 2: HA Certificates Market Announcements & Implications, Global, 2016-2018

Announcement: SHA 2 hashing algorithm mandated for use in browsers by January 2017
What it Means for CAs: TLS certificates issued by vendors need to be migrated to SHA 2 hashing algorithm because SHA 1 is not considered cryptographically secure.
What it Means for Businesses: Web site owners must request new certificates from their CA to avoid being tagged as "Not Secure" by major browsers.

Announcement: Validity of SSL certificates reduced from 3 to 2 years
What it Means for CAs: Technologically, CAs need to regularly update their security protocols. From a business point of view, it means more frequent renewals/validations, but higher levels of security.
What it Means for Businesses: Web site owners can be assured of regularly updated security protocols, which help strengthen and build higher levels of digital trust for Internet end users.

Announcement: Symantec issued certificates distrusted by Google & Mozilla and consequently exited the CA business
What it Means for CAs: Symantec was the market leader in the TLS market and its business was acquired by their strongest competitor, DigiCert. The acquisition propelled DigiCert, already considered a leader in technology, standards and customer support, into the market leader position with data centers around the world.
What it Means for Businesses: Web site owners with Symantec certificates were able to use DigiCert to replace certificates free of charge. Post-acquisition, DigiCert was able to address data sovereignty and privacy issues with global data centers.

Distrust of Symantec issued certificates shook the competitive dynamics of the SSL market when millions of Web sites were facing the prospect of being tagged "Not Secure." Some of the Web sites included the world's biggest financial institutions, which handle highly sensitive consumer data and monetary transactions. The fallout led Symantec to exit the CA market and the business was acquired by DigiCert, a respected and trusted CA. The acquisition consolidated part of the market and propelled DigiCert into the global market leading position for HA certificates.

Market Share Analysis

With market consolidation, the high assurance certificates market share has undergone a major change since Frost & Sullivan last examined the market. An analysis of market positions for CA vendors in 2018 reflects that DigiCert gained significant market share and is the leader for high assurance certificates targeting the enterprise market. However, the CA vendors with a higher focus on DV certificates, including Sectigo and GoDaddy, lost market share because businesses focus the majority of certificate budgets on HA certificates. Because HA certificates hold more significance for medium and large enterprises, especially in the financial, healthcare, and retail verticals, DigiCert is expected to retain its market leading position because of its HA focus (Figure 3).

FIGURE 3: Total HA Certificates Market: Percent of Revenue, Global, 2018
[Chart not reproduced: percent of revenue for DigiCert, Sectigo, GoDaddy, GlobalSign, Entrust, Network Solutions, Trustwave, and Others.]

The competitive landscape (Figure 4) illustrates the market positioning of CA vendors participating in the HA certificate market across several parameters, including seal recognition, trust, price, customer loyalty, install base, and vertical representation. The size of each bubble corresponds with the percent of revenue each vendor has achieved.

FIGURE 4: Competitive Landscape, HA Certificates Market, Global, 2018
[Bubble chart not reproduced: DigiCert, Sectigo, GoDaddy, GlobalSign, Entrust, Network Solutions, Trustwave, and Others; axes are Enterprise Business Needs (Not Meeting Needs to Meeting Needs) and Market Penetration (Low to High).]

Most vendors in the SSL certificate market compete in the DV space, which has become price sensitive as a result of Let's Encrypt's free offerings. In contrast, the HA certificate market strikes a balance between value and price. Because the certificates themselves have little scope for differentiation, vendors differentiate themselves based on value-added features and services for the price offered.
Trustwave, GoDaddy, Sectigo, and Network Solutions offer certificates at a lower cost compared to vendors such as DigiCert, Entrust, and GlobalSign. However, CAs competing merely on price don't tend to invest as much in research and development and have a more difficult time meeting the business needs of enterprise customers. An exception in the market is DigiCert, which has invested heavily in R&D to ensure that customers never have to worry about the validity of its certificates as standards evolve. In addition, having access to a CA with modern infrastructure, global data centers, and scalability is as important as dashboards that reduce the time and effort involved with certificate management.

Price should never be the sole deciding factor for an enterprise when choosing a CA. It is important to also consider five additional areas:

1. Management consoles: A well-developed management console can save time and help ensure compliance. Both time and compliance can have a quantifiable impact on an enterprise IT budget.
2. Technical support: The availability of a top-rated technical support department that can quickly resolve issues impacting a business can save significant time and revenue for an enterprise.
3. Automation: The automation of tedious, time-consuming processes involved with certificate requisition will free up skilled IT personnel to work on higher value tasks for the enterprise.
4. Security seal brand recognition: Internet-savvy and less technically inclined end users alike are more confident using Web sites with security seal brands they recognize, such as Norton.
5. Scale and global reach: In a global digital economy, a CA with data centers around the globe and the capability to scale solutions to meet the needs of growing enterprises is important.

Industry trust in the CA, as well as brand recognition among Internet end users, should also be deciding fa