Build or buy: What to consider when deploying on-premise or cloud-based PKI
Public Key Infrastructure (PKI), once considered an IT table stake, has transformed from a tool used to protect websites to a core digital identity management function within the cybersecurity framework. Today’s PKI establishes and manages digital identities across people, applications and devices within the enterprise. IT teams are deploying PKI to combat several growing cybersecurity threats too, from ransomware and phishing attacks to IoT device hijacking.
PKI remains a core component within the larger IT and security framework but deploying and managing the program in-house requires significant budget and resources to balance its intricate ecosystem of applications, hardware and software. Leaders are struggling to find and retain qualified staff to deploy the program and manage its requirements day-to-day. Recent Keyfactor research found that only 39% of organizations have appropriate PKI staffing resources.
When it comes to PKI, leaders have two choices: build or buy
The so-called “free” PKI capabilities included in server operating systems can appear to be a simple, low-cost in-house PKI solution, but the reality is that there is far more infra¬structure, security and process involved. Hidden costs and complexities mean IT and security teams often overlook critical steps, only to find themselves months later with a PKI far less secure and reliable than when they started out.
The agility and security of today’s cloud infrastructure has enabled highly secure cloud-based PKI deployments – known as PKI as-a-Service (PKIaaS) – hosted and managed by a trusted partner. Outsourced PKI is on the rise – research shows that 55% of surveyed IT leaders have or plan to outsource all or part of their PKI deployment, with many looking for relief in the cloud. Today’s cloud environments and turnkey deployment mean it’s easy to have it both ways – maintaining control while outsourcing complexity.
Key requirements
Here are 5 requirements every leader should consider when evaluating PKIaaS for outsourced PKI:
1. Robust security: The security policies and practices used by PKIaaS providers have been tested over time and at scale, providing you with the confidence to know that your PKI is in the right hands. Consider that dedicated PKIaaS providers can also commit far more resources to state-of-the-art PKI infrastructure than is feasible in-house. If your enterprise falls under attack, you also have one less critical system to restore, since your PKI is hosted safely in an isolated, off-premises cloud location.
2. Reduced cost & complexity: Adopting the right PKIaaS platform means your infrastructure teams can focus on other mission-critical projects. If budget is a key concern when weighing in-house versus outsourced options, consider that PKIaaS makes costs much more predictable, since the many hidden and traditional expenses of PKI are replaced with a flat rate billing model. Moving your PKI to the cloud can take multiple security controls, maintenance tasks and infrastructure costs completely off your hands.
3. Scalability & availability: Legacy PKI deployments can’t handle more than one or two applications and lack support for appropriate redundancy and scalability. On the other hand, reputable PKIaaS providers have the right in-depth experience and knowledge of industry standards to help you get it right from the start – designing a PKI that is customized to your current needs and scales with your future growth.
4. Business continuity: Avoid the lapses in regular maintenance tasks, such as signing and publishing certificate revocation lists (CRLs) and renewing CAs (certificate authorities) as that can cause significant day (or week) long outages. Deploying PKI in the cloud ensures that, regardless of shifts in your IT and security personnel, infrastructure continues to operate smoothly and without interruption.
5. Lifecycle automation: Choosing the right PKIaaS provider can provide the tools to manage and automate the lifecycle of keys and digital certificates issued from both your cloud-hosted private PKI and any number of third-party public CAs, such as DigiCert, Entrust, Sectigo and others. Lifecycle automation reduces the workload on your PKI team and certificate end-users and drastically minimizes the risk of a certificate-related outages or breaches due to human error or oversight.
PKI has been around for decades, but shifting standards, digital transformation and the evolving cyber threat landscape is modernizing and changing the way PKI is deployed. Scalable tools are lessening the burden on short-staffed IT teams and making flexible, affordable PKI a reality for IT leaders.