Jakub Jirsák - stock.adobe.com

Outsourcing PKI to the cloud: What enterprises need to know

Moving public key infrastructure deployments to the cloud can bring a lot of benefits to IT leaders and their wider organisations, but first they need to make sure doing so is right for them

Cloud computing promises many benefits to enterprise users, from an efficiency and automation perspective, while enabling businesses to remain competitive by acting as the bedrock to their digital transformation strategies.

Security concerns related to storing data and business-critical applications in the cloud still persist, though, and have served to make moving off-premise a slower process for some firms compared to others, and mean a wholesale move of all their business applications and workloads to the cloud is out of the question.

Enterprises are slowly growing more confident in migrating workloads off-premise as both cloud infrastructure and software provides continue to prioritise security during the design and marketing of their products and services.

While cloud providers offer layers of security that allow users to mitigate vulnerabilities, the lack of expertise within IT departments means businesses may struggle to deploy these often-complex security measures effectively.

If designed and implemented correctly, public key infrastructure (PKI) may provide one of the answers.  

What is PKI?

As pressure builds to provide an increasing number of services online, the demands on security have begun to play a significant role within companies of all sizes. Organisations need to maintain reliable and highly trusted networks to not only safeguard all business functions but to be able to meet specific regulations encompassing confidentiality and privacy. PKI is used to provide security services such as authentication, confidentiality, and data integrity.

From that perspective, PKI consists of roles, security policies, communication protocols and procedures needed to generate, manage, distribute, and revoke digital certificates, while also managing public-key encryption to make secure and trusted communications between different entities both inside and outside of an organisation.

The function of PKI, therefore, is to aid in the secure electronic transfer of information for many networking tasks, from internet banking to secure email, or any activity in which passwords alone are deficient for authentication purposes, and to enable the more rigorous proof of identity required to validate the information that is being transferred.

The registration and issuance of certificates are managed by a certification authority (CA), and the process can be automated or issued under human supervision, contingent on the security and trust levels that are necessary on a client-by-client basis. A registration authority (RA) has the responsibility to assure valid and correct registration, with the power to accept requests for digital certificates and authenticating the individual entity. 

PKI in the enterprise now: Why?

In recent years, PKI has evolved from a means to protect websites, into the heart of the digital management function within the cyber security structure. Today, it is used to manage digital identities, applications, and devices within companies.

It is also being adopted and deployed by IT teams to combat a growing variety of cyber security threats, spanning distributed denial of service (DDoS) attacks to malware, and phishing attempts to the hacking of internet of things (IoT) devices.

While PKI is an integral part of keeping the enterprise safe, deploying, and managing the program, on-premise is a resource-intensive process, and IT leaders sometimes find it a struggle to find and employ experienced staff to oversee the setup too.

For example, PKI services like the Secure Sockets Layer (SSL) are designed to protect online communications and client certificates used for two-factor authentications, digitally signed documents, and email encryption that allow enterprises to maintain high levels of information online. As the number of SSL and client certificates used within an organisation grows, so does the budget and time taken by staff, related to managing the higher quantities.

New wave of offerings

With today’s agile and secure cloud infrastructure, a new wave of highly reliable, cloud-based PKI offerings are now available for enterprises to use, known as PKI-as-a-Service (PKIaaS), which enable IT departments to maintain control while all the complexity that comes with managing their PKI setup is contracted out to the service provider. 

PKIaaS brings together the necessary infrastructure, automation, control, billing, and distribution of certificates while also simplifying and centralising the management of client certificates. The

companies which offer these services provide integrated processes and platforms that can make PKI management simple, including:

  • Dedicated staff that are trained and up to date on security and regulatory requirements to keep the system’s current and compliant
  • Policies and procedures are rigorously adhered to, based on best practices
  • An automated platform that is scalable for businesses to simplify PKI deployments to meet the company’s requirements
  • Multiple alerts issued from the PKIaaS platforms before a certificate is due to expire; therefore, there is less risk associated with expired certificates.

Handing off PKI requirements to the cloud

Another benefit of outsourcing PKI to the cloud is in having a centralised account. With a PKIaaS solution, a company would only be required to be vetted once, in contrast to each time that a certificate is issued, which can be costly due to how time-intensive the vetting process is. This allows pre-vetted companies to be issued certificates from a single account while selected administrators have the authority to be able to issue any type of certificate on demand.

The use of a centralised account to manage all certificates also makes for easier reporting and monitoring of the costs involved. Detailed reports can be exported by the administrator on findings, from certificate application, upcoming renewals, issuance, spend, and more. Administrators can designate roles and privileges to other approved members of staff, enabling them to distribute responsibilities by department while keeping all the certificate lifecycle information in one place.

In cases where the management of certificates is undertaken on-premise, responsibility falls on the IT team for the issuance, installation, inspection, remediation, and the renewal of certificates, but in doing so, the process can be made difficult by lost, compromised or expired certificates that need immediate attention.

Suddenly the prospect of having hundreds or thousands of client certificates across numerous departments within a company to monitor suddenly does not seem so appealing.

The practical and efficient way to deal with the sheer administrative load associated with all this would be to focus on a foundational strategic approach and to consider hosted PKI management tools and platforms that promote automation.

PKI: What you need to know

For businesses that are considering deploying and managing client certificates internally, there are a few challenges to overcome, particularly when it comes to software licenses, ongoing maintenance costs, operational capacity, and the infrastructure required to support PKI.

An organisation would need to build, maintain, update, and support everything themselves, and the employees must be trained and certified to keep up with the security compliance requirements. Also, as companies grow in scale, organically or through acquisitions. they frequently take on diverse architectures and platforms that may be using different PKI solutions.

While the decision to manage PKI on-premise is often chosen by some IT leaders and teams to save on costs, other businesses may have strict internal security policies, or industry compliance needs to uphold, which may lead them to set up their own internal PKI infrastructure. This could be the ideal choice for smaller companies because there is less risk involved, whereas larger companies may have the skills required to manage all or some of their PKI needs internally.

Cloud-based PKIaaS or managed PKI is a growing trend with more and more IT leaders, considering it as a valid option. PKIaaS providers automate client certificate life cycles and include dedicated staff, systems, and distributed datacentres that scale and meet the growing needs of their clients, while also providing the platform to improve efficiency and effort required to manage all company certificates.

Read more about public key infrastructure

These automated PKI platforms can be easily integrated into the business systems to simplify deployment to clients. The lifecycle of the certificates is managed through open standard application program interfaces (APIs) for certificates associated with users, devices, and networks.

The use of standard APIs allows PKIaaS to integrate easily with third-party tools and systems. The service providers can customise workflows that automate certificate requests, for example, SSL, code signing, and document signing.

The automation of PKI dramatically reduces the risk of human error, which can lead to dangerous cyber security exploits. PKIaaS enable companies to successfully support certificates across large numbers of devices and applications in line with best practices and changing standards.

There are some drawbacks to outsourcing, though. These can include the ongoing costs of using an outsourced service provider versus the lower upfront costs associated with in-house management. At the same time, the enterprise will become increasingly reliant on the provider to be fully compliant and up to speed on industry standards and regulatory concerns.

And, like most other cloud-based offerings, if the providers’ system goes down, so does the company’s.

Whether choosing on-premise or PKIaaS, automation should play a key role in companies' PKI implementation. The final choice rests on the skills of the IT teams and the investment that a company is willing to make to maintain the internal PKI. 

Read more on Infrastructure-as-a-Service (IaaS)