When it comes to finding the right resources to stand up and manage your PKI, you’re going to need a team or tool that provides the highest level of expertise and oversight possible.
Deploying PKI effectively, however, requires deep knowledge and expertise -- a gap that many enterprises admit exists in their organization. The scarcity of skills and resources leaves more organizations looking for an alternative to managing it in-house.
Luckily, you’ve got options to stand up and manage a modern PKI:
- Traditional In-House PKi: Deploy and manage your own PKI internally, using internal infrastructure and staff to run it
- Managed In-House PKI: Deploy PKI in-house and bring in help from a third-party provider for additional expertise and oversight.
- PKI as-a-Service/Managed PKI: Use a third-party service provider to deploy, manage, and host your PKI infrastructure in the cloud
Let’s take a deeper dive into what each option could look like:
Option One: “DIY” PKI
While most PKIs were managed internally over the past decade or so, time and technology has expanded the functionality and skillset needed to properly deploy and manage a truly secure PKI.
For an in-house PKI (either on-prem or in the cloud) to function and scale properly, you’ll need a fully trained team with the specialized skills and depth in IT personnel to run PKI effectively.
Other requirements to see success and security with a complete in-house PKI are back-up and disaster recovery, certificate policies and practices,and highly secure facilities and logical controls to protect your root and issuing CAs.
Before deciding if a DIY PKI is the right option for your organization, consider the following questions:
- How much will it cost to deploy and maintain your PKI? (Think hardware, software, operations, training, end-user support, etc.)
- Can your organization manage and control operations of the PKI to an extent that meets scale requirements and risk posture?
- Will there be a process in place to ensure the operation of the PKI remains in line with the organization’s expectations? What does that look like?
If your answers to those questions aren’t suitable for your organization, it’s time to consider re-thinking the way you run your PKI.
Option Two: In-House, Managed PKI
For an in-house managed PKI, the focus is to augment the skillset and availability of your internal PKI or InfoSec team with the right expertise.
Most organizations we see operating with this option have historically decided that there was a business need for an in-house PKI, whether it is enrolling certificates for internal servers, client authentication for Wi-Fi and VPN, IPsec for encrypted tunnels, etc. However, due to challenges associated with “DIY” PKI, like lack of proper personnel and expertise to maintain that PKI solution, they chose to have a third-party provider manage or co-manage it instead.
With this option, they still host and run all of the infrastructure in house, including CA and revocation infrastructure, but now they can focus more on other priorities while offloading some of the maintenance tasks related to PKI.
Some good questions to ask if your organization is considering this option are:
- Does your team have the specialized skills and depth in IT resources to run PKI effectively in-house?
- Does your current vendor meet the risk assessment and policy requirements for the application/use case?
- Are you able to run PKI as securely and cost-effectively in-house as a third-party provider can?
If your answers to those questions are unsatisfactory, it’s time to look at a cloud-hosted PKI solution.
Option Three: Fully Managed PKI/PKIaaS
Managed PKI, or what Keyfactor calls “PKI as a Service,” allows our team of experts to replicate a similar experience of what you would get if you hired a “PKI dream team” to design, deploy and run your PKI for you.
We then combine that with our certificate management software, allowing your organization to access a purpose-built, dedicated PKI instance and your own secure root and issuing CAs in a single-tenant infrastructure designed specifically for you and managed by a team of experts on your behalf.
If your organization needs skills and resources to manage your PKI, needs to reduce infrastructure cost and complexity,, or if your organization has a cloud-first initiative, having a fully managed PKI is likely your best and most secure option.
While not a comprehensive list, here are some questions to ask when evaluating managed PKI solutions:
- Is running PKI in-house worth the operational costs, infrastructure and maintenance requirements?
- Does the vendor offer a dedicated, single-tenant solution for PKI deployment? Or is it run on shared infrastructure?
- What physical and logical security controls are used to protect the root and issuing CAs? Are you able to retain control over the root keys?
- Is the service offering able to meet your scalability and availability requirements?
No matter how you “do PKI,” you’ll have to evaluate the specific needs and requirements of your organization and how you’ll be able to expand the use of PKI as your business grows.
To dive deeper into what it takes to run a PKI effecitvely, view our PKI and Certificate Management Tools Evaluation Checklist: