Most organizations, regardless of any size, lean towards having an in-house PKI. By all measurements, their PKI stays secure with hardware security modules and has well-defined certificate policies. There's a larger group of organizations that run a more simplified PKI that may not be subject to intense regulation or audits.
However, what starts out as using PKI for a simple business use case (e.g. client authentication for Wi-Fi) quickly evolves into a complex environment as your devices grow and adoption of multi-cloud becomes your new normal.
Automation now becomes an important part for your PKI success.
Whether you’re on the simplistic or more secure side, here are some goals of PKI automation and how you practically assess your current stage of maturity.
Automation to Increase Operational Efficiency
All organizations want to save money through automating routine tasks. That’s why RPA (robotic process automation) is one of the fastest growing markets in enterprise software. For those running PKI, they want the same thing.
The reality is that only 38% of IT and security professionals say they have sufficient IT security staff dedicated to their PKI deployment. Most meet service level agreements (SLA) through manual execution of work and this becomes a huge problem for operational efficiency. Since there are a limited number of PKI experts in your business, compounding workloads can put meeting these SLAs at risk.
Using PKI automation for key and certificate lifecycle management tasks can reduce the amount of manual work required. Leveraging automation also allows you to re-use certificates, as well as swap out identities across servers, load balancers, firewalls, containers, cloud workloads, mobile, and IoT devices.
Bottom line, more automation equals increased operational efficiency for those responsible for PKI.
Automation for Ensuring Business Continuity
Due to the current pandemic, the term “business continuity” went from being boring to immediately relevant. It seems like everyone now wants talk about how to ensure business continuity in these uncertain times.
However, the mark of a successful PKI has always been the ability to ensure business continuity and prevent outages. The most common cause of system outages can be traced back to an expired certificate. These certificates expire due to a bottleneck of manual processes required for renewal, reissuing, and deploying these certificates at scale.
PKI automation can help eliminate those missed manual tasks through automated endpoint discovery, reporting on impending expiration, and handling certificate renewal and re-issuance. Once PKI automation is set up properly, these outages can be reduced if not eliminated.
Tracking Your PKI Maturity
More certificates, shorter lifecycles, and changing standards in cryptography have exponentially increased the risk of outages and failed audits. Take the goals we’ve just discussed and see where you currently fit in PKI automation maturity.
Phase 1: Manual
Despite adoption of new technologies like cloud, mobile and IoT devices, most organizations still use manual methods to track and manage certificates.
Signs that indicate you’re in a manual stage:
- Using Excel Spreadsheets
- No Key and Certificate Discovery in Place
- Exposed to a High-Risk of Outages
Phase 2: Reactive
CA-provided tools and PKI interfaces are a level up from spreadsheets, but without centralized discovery and automation, security teams are still locked into a reactive mode.
Signs that indicate you’re in a reactive stage:
- Multiple CA Silos
- Limited Visibility & Control
- Zero to Limited Automation
- Minimal Reporting and Analytics
Phase 3: Proactive
As organizations start to invest in tools to discover and automate the lifecycle of certificates, they’re able to focus less on preventing outages and more on enabling new PKI use cases.
Signs that indicate you’re in a proactive stage:
- Complete Visibility in Every Digital Key and Cert
- Embraced End-to-End Automation
- Real-time Reporting & Alerting
- Standardized Policy Enforcement
Phase 4: Dynamic
Effective PKI is more than just managing keys and certificates, it’s about the people, infrastructure and policy behind your PKI that allow you to respond and adapt to change effectively
Signs that indicate you’re in a dynamic stage:
- Deployed a Cloud-First PKI Strategy
- CA & Technology-Agnostic
- Obtained Crypto-Agility
- Highly Scalable & Extensible
It's highly probable that your current PKI automation resides in one of the first two phases. And that's OK. Being honest with which phase your PKI deployment currently sits allows you to set a realistic course of correction.
Share this article and white paper with the rest of your InfoSec team to start planning a PKI automation road map for the future.