Why Your Legacy PKI Solution Isn’t Working

Organizations of all sizes are up against a battle between the demand to enable new applications and data and the need to protect their business and consumers. If you’re an IT or security professional, you know this all too well. You’re on the battlefield facing these pressures every day.

Explosive growth in the connectivity between users, devices and applications has made it increasingly difficult to keep up with the day-to-day, never mind get ahead. What at one time may have been considered comprehensive coverage is now just enough to keep the lights on.

Public key infrastructure (PKI) is no doubt a core building block in IT, but it’s taken on an even more critical role in this new cybersecurity landscape. Once viewed as a backend technology used to secure HTTPS-protected websites and applications, PKI is now being leveraged to secure and enable new initiatives at the forefront of digital transformation.

How did we get here? PKI is nothing new, but it hasn’t always looked the way it does today. In a previous blog, our CTO Ted Shorter outlines the evolution of PKI in three different phases:

1. Internet PKI: In the early days of the Internet, companies needed widely trusted certificates to secure their public-facing websites and applications. Digital certificates were purchased at a high cost from a limited number of Public CAs.
2. Enterprise PKI: As enterprise networks grew, there was an increasing need to secure user devices, network appliances, Wi-Fi and VPN access with certificates that did not need to be trusted outside the organization. Standing up a Private PKI allowed more control over these certificates and eliminated the per-certificate costs of purchasing from a Public CA.
3. Next-Gen PKI: Today, everything and everyone is connected. Adoption of the cloud, IoT and mobile devices has dramatically changed the technology landscape. Highly scalable and proven, PKI has become the de facto standard for securing digital identities in this new environment.

With each generation technology has become more connected, more mobile and more fast-paced. Deploying a PKI 10 years ago meant an entirely different set of use cases, challenges, and standards than those that enterprise face today. Here are the top impacts to Enterprise PKI today:

• Adoption of IoT, Cloud & DevOps. An increasing number of applications require the use of encryption and authentication, but in many cases, existing PKI deployments aren’t equipped for the job. According to the 2019 Global PKI and IoT Trends Study, 56% of organizations say that their existing PKI is incapable of supporting new applications.
• Rapid Growth in Digital Certificates. It goes without saying that the number of keys and digital certificates in use across organization’s has grown exponentially, making it even more difficult to track how many have been issued and where they live across your infrastructure. Without the right tools, outages due to expired certificates cause significant downtime and security risk to the organization.
• Disjointed “DIY” PKI. Far too often, organizations don’t even know how many CAs are issuing certificates across their environment. Multiple “DIY” CA set-ups are implemented for different use cases, without any oversight by the security team. Instead of a dedicated, well-architected PKI, these ad hoc CAs create a disjointed and frankly messy environment that can be difficult to clean up.
• Insufficient Skills & Resources. Large enterprises used to have a dedicated team responsible for all things PKI, but over time, that task has been transitioned to the IT or security team. While security professionals are knowledgeable, they have dozens of tools and apps to run outside of PKI. However, without constant diligence, the integrity of PKI inevitably degrades below acceptable service levels. Best case, it creates operational headaches. Worst case, the PKI must be re-built from the ground up.
• Evolving Crypto-Standards. Every certificate expires, every algorithm evolves, and with recent advances in quantum computing, the risks grow even greater. The need to adapt swiftly and prepare your PKI for the post-quantum era has never been more important.

What is legacy PKI? At the highest level, it typically involves a mix of solutions that could include CA-provided tools, spreadsheets and custom scripts, and other homegrown solutions. That approach was the best available option in the past, but today, when certificate counts reach tens or even hundreds of thousands, it is sorely inadequate.

Legacy PKI implementations leave organizations locked into a reactive mode, where different departments (i.e. DevOps, Network Engineers, AD Admins) implement CAs for their own use cases without any oversight or control, and security teams are constantly hunting down expired or non-compliant certificates to prevent disruptive outages.

As certificate-related breaches and outages continue to stagnate productivity and put the organization at risk, IT and security teams are looking for a new approach that can close the wide gaps left by their PKI of the past.

Gartner states that, “Technical professionals need to transform the perception – and the deployment – of PKI to establish an automated regime for PKI.” As we transition to the next generation of PKI, enterprises will need to evolve and adapt.

Getting it right will require investment in infrastructure, personnel and ongoing operational support, but the payoff for building a robust and reliable PKI is invaluable. Download our white paper to understand what it takes to build it right and get started on your path to PKI success. You’ll also learn how Keyfactor Command can deliver all the benefits of PKI, without the cost or complexity of running it in house.