Aug 22, 2019 8:50:25 AM
PKI in the Cloud: What it is, why it matters and how to do it right

Adoption of the cloud and “as a service” IT has changed the way we do business. There was once a time when migrating infrastructure and applications to the cloud triggered fear and doubt, but those days of uncertainty are over. Now it’s about timing, funding, and having the confidence to trust your cloud providers. The challenge that continues to stymie digital transformation for businesses today is the willingness to take on intricate projects in order to reap the rewards waiting on the other side.

Simply put, the question is no longer “should we use the cloud” but rather “how, where, and to what degree can we leverage the cloud to our advantage?” It often starts with a few servers and applications, eventually extending to more mission-critical applications that enable Security, DevOps and IT to rapidly evolve and respond to changing business needs.

Security in the Cloud

When you’re talking security, the cloud takes center stage. It’s an area of the business that cannot be allowed to lose out in budget or project prioritization wars. The major breaches we’ve seen at companies like Equifax and Target didn’t happen because no security measures were in place.

At Keyfactor, we’ve talked to hundreds of IT professionals responsible for their organizations’ in-house security. More often than not, breaches large and small happen because of unintended human error. The most successful attacks are the result of attackers preying on weaknesses caused by simple misconfiguration and oversight: things like default passwords or expired digital certificates.

Complexity is the enemy of security. If security controls demand a high degree of knowledge to operate, then it follows that talent shortages or plain human error are more likely than not to degrade the overall security posture of your business.

With enterprises feeling more secure in the cloud, and understanding the importance of working with managed service providers that also take security seriously, CISOs are looking to cloud-based services to automate processes, offload backend infrastructure and maintenance tasks, and let their teams focus on what they do best: protecting the business.

PKI: Security Risks & Challenges

Public key infrastructure (PKI) is a cornerstone of security in any enterprise, enabling encryption and authenticated, secure connections between people, applications and devices across the organization. PKI is no longer limited to isolated use cases like secure email, digital signatures and SSL/TLS certificates.

PKI today is expected to support a growing number of connected devices and enterprise applications, from DevOps pipelines to IoT security. And with more stringent data security regulations coming into force, businesses are more reliant than ever on PKI to establish trust.

With all its proven benefits, it’s also not surprising that PKI is complex – very complex. Unlike other security tools, it’s not just about technology. PKI is a set of moving parts including hardware, software, policies and procedures. And across mid-to-large enterprises, it’s often responsible for managing hundreds of thousands of digital certificates. Getting it right requires mastery of both art and science at once.

But despite PKI’s central role in cybersecurity, business goals don’t revolve around building a robust PKI. The average enterprise uses 75 different products to secure its network, and its engineers and security professionals likely carry several other responsibilities: audits, risk assessments, penetration testing, and so on. It comes as no surprise, then, that only 39% of organizations say they have sufficient IT security staff dedicated to PKI, according to the 2019 Keyfactor-Ponemon study.

Not only is PKI more complicated than most people realize, it also operates over an extensive lifespan, so it is easy to set aside, ignore or forget about entirely – until a serious breach or outage occurs.
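The expired-certificate failure mode mentioned earlier, and the “forget about it until the outage” pattern described here, are why practitioners keep a continuously checked expiry inventory rather than relying on memory. The program below is an added example, not Keyfactor code or anything from the original post. It mints three constructed self-signed certificates in memory (the hostnames are placeholders) so that it runs offline, then flags every certificate that is already expired or will expire within a chosen window; in practice the same `ExpiringWithin` function would be fed certificates loaded from disk, exported from a CA database, or scraped from TLS endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one certificate that needs attention: either already expired,
// or expiring inside the renewal window.
type Finding struct {
	Subject  string
	NotAfter time.Time
	Expired  bool
}

// ExpiringWithin returns every certificate that has already expired or will
// expire within window of now, in inventory order. It is a pure function of
// its inputs so it can be run against any source of certificates.
func ExpiringWithin(certs []*x509.Certificate, now time.Time, window time.Duration) []Finding {
	var out []Finding
	for _, c := range certs {
		switch {
		case c.NotAfter.Before(now):
			out = append(out, Finding{c.Subject.CommonName, c.NotAfter, true})
		case c.NotAfter.Before(now.Add(window)):
			out = append(out, Finding{c.Subject.CommonName, c.NotAfter, false})
		}
	}
	return out
}

// selfSigned mints a throwaway self-signed certificate with the given validity.
// Constructed test data only; a real inventory never generates its own certs.
func selfSigned(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleInventory builds three constructed certificates relative to now:
// one expired a month ago, one expiring in 10 days, one valid for a year.
// Hostnames are placeholders, not real systems.
func SampleInventory(now time.Time) ([]*x509.Certificate, error) {
	day := 24 * time.Hour
	specs := []struct {
		cn       string
		from, to time.Time
	}{
		{"legacy-api.example.internal", now.Add(-400 * day), now.Add(-30 * day)},
		{"vpn.example.internal", now.Add(-355 * day), now.Add(10 * day)},
		{"www.example.internal", now, now.Add(365 * day)},
	}
	var certs []*x509.Certificate
	for _, s := range specs {
		c, err := selfSigned(s.cn, s.from, s.to)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	now := time.Now()
	certs, err := SampleInventory(now)
	if err != nil {
		panic(err)
	}
	// A 30-day window is a common renewal lead time; tune it to your CA's SLA.
	for _, f := range ExpiringWithin(certs, now, 30*24*time.Hour) {
		state := "expires"
		if f.Expired {
			state = "EXPIRED"
		}
		fmt.Printf("%-30s %-8s %s\n", f.Subject, state, f.NotAfter.Format(time.RFC3339))
	}
}
```

Note that X.509 stores validity times at one-second precision, so `NotAfter` on the parsed certificate is truncated relative to the value you put in the template; the comparisons above tolerate that, but any code that asserts exact equality with the template time will not.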

Compliance mandates, business changes, and the evolution of cryptography as a practice are all solid reasons to take a second look at how you’re managing your PKI. When built and operated securely, your PKI should uphold high assurance from implementation throughout its lifecycle, but that is not an easy feat.

So what’s the answer? Look to the cloud.

Managed PKI in the Cloud

When it comes to PKI, you have two options:

  1. Build your own PKI in-house.
  2. Leverage a cloud-hosted managed PKI.

“DIY” PKI isn’t impossible. The real question is, does your organization have the resources and expertise to build it right and to keep it secure? Even if you do have the resources in-house, should they be dedicated to maintaining infrastructure? Or should they be focused on securing your business?

Managed PKI is essentially your PKI, but you’re no longer responsible for running it in-house – freeing up valuable IT and Security resources to focus on other priorities. Plus there are the obvious cost advantages of a professionally managed PKI: an in-house PKI deployment is typically over 2x the cost of using a managed service. But beyond dollars and cents, the real advantage of managed PKI is high-assurance security.

Moving your PKI to the cloud can immediately reduce the risks associated with building and running it in-house. Everything from physical security to patch management is offloaded to a trusted vendor that specializes in one thing and one thing only: PKI. What stays with you is policy – who may request which certificates, and ownership of the root keys – rather than the care and feeding of CA servers. If your enterprise falls under attack, you have one less critical system to restore, because your PKI is hosted safely in an isolated, off-premise cloud location.

How to Choose the Right PKI Management Partner

Enterprises often have tunnel vision about keeping critical IT functions in-house, without realizing the potential security benefits of moving services to the cloud. But many are starting to recognize the business and financial benefits. In fact, 55% of organizations are already outsourcing or planning to outsource their PKI deployment. As the industry learns that it can accomplish all of the same goals as an in-house PKI without the risk and complexity of running it, it comes down to one final obstacle.

Trust. The biggest challenge security teams have is trusting someone else with their cryptographic material. It’s the “what happens if...” questions: What happens if my PKI vendor disappears? What happens if I want to move my PKI back in-house? What happens if my PKI is breached?

A common misconception about cloud-hosted PKI is that you must give up control of the keys to your kingdom. But it’s entirely possible to have it both ways – retaining control while outsourcing complexity. It comes down to the provider you choose.

A reputable PKI provider will offer a platform that gives your business complete control over root CA keys and PKI recovery materials, while design, deployment and management tasks remain the provider’s responsibility. Ask concretely how root keys are generated and stored, who holds the key ceremony records, and how you would take the root, its issued-certificate database and revocation data with you if you left; the answers to the “what happens if” questions above should be procedures, not promises. The provider should also guarantee the flexibility to integrate with multiple certificate authorities (CAs), both public and private, so you’re free to transform your PKI without limits or lock-in.

Cybersecurity threats aren’t going anywhere and consequently, neither is the need for a strong security posture. No matter how it’s maintained, properly managing your PKI is absolutely critical. Keyfactor is the market leader in High-Assurance Managed PKI and Certificate Lifecycle Automation, trusted by enterprises, governments and manufacturers everywhere. Our customers benefit from a secure PKI built from the ground up – backed by a team of experts, proactive compliance, and state-of-the-art security.

Ready to take the next step? Download our eBook to uncover whether Managed PKI is the right move for your business:
