Transcription
EBOOKWhy It’s Time to Re-thinkYour PKI5 reasons to move your PKI deployment to the cloud
Rethink your PKI eBookTable of ContentsINTRODUCTION. 3THE CHANGING ROLE OF PKI IN YOUR ENTERPRISE. 4GETTING IT RIGHT: THE COMPLEXITY OF PKI. 5BUSINESS CHALLENGES.7IN-HOUSE VS PKI AS-A-SERVICE. 85 REASONS TO MOVE YOUR PKI TO THE CLOUD. 9KEYFACTOR PKI AS-A-SERVICE. 11 2021 Keyfactor, Inc. All Rights Reserved www.keyfactor.com2
Rethink your PKI eBookIntroductionWhether it is securing a network, sensitive data, or connected devices, IT leaders turn toPKI as the proven technology to establish trust in their environment. With vast coveragethat spans across the enterprise, PKI is a complex undertaking, requiring highly securefacilities, trained personnel, and the right hardware and software to run it effectivelyand keep it under control.To achieve this goal with limited IT and security resources, more and more organizationsare moving their PKI to the cloud. Agility and security of cloud infrastructure has enabledhighly secure cloud-based PKI deployments — known as PKI as-a-service (PKIaaS) —hosted and managed by a trusted partner.Moving PKI to the CloudNot long ago, IT leaders were reluctant to put any dataor applications in the cloud. Now most have realizedthat cloud service providers like AWS, Microsoft Azure,and Google Cloud invest far more in the people andprocesses required to deliver reliable and secureinfrastructure.State-of-the-art data centers are built to the highestof organizationshave or plan tomigrate theirPKI deploymentto the cloud.1standards in security, with everything from physicalaccess controls to multi-layered encryption. Moving tothe public cloud has allowed teams to focus more attention on protecting sensitive data and mission-criticalworkloads, and to worry less about keeping the underlying infrastructure running and secure.Organizations have similarly recognized that movingtheir PKI to the cloud — managed by industry expertswith the right knowledge of standards and bestpractices — can help them achieve much higher levelsof security and operational efficiency than is feasiblein-house. As businesses become more reliant thanever on PKI for encryption, authentication and digitalsignatures, the importance of getting it right cannotbe overstated.12020 Keyfactor-Ponemon Report 2021 Keyfactor, Inc. All Rights Reserved www.keyfactor.com3
Rethink your PKI eBookThe Changing Role of PKI in your EnterpriseToday, the most prevalent use of PKI and digital certificates is secure web browsing, made possible through SSL/TLS certificates purchased from a number of trustedthird-parties known as public certificate authorities (CAs).Most organizations also deploy their own PKI in-house to issue certificates internally— known as a private CA or private PKI. No longer limited to a few use cases, privatePKI is now emerging as a core technology to secure business initiatives like zero-trust,multi-cloud, and DevOps.Web ServersInternet of Things (IoT)SSL/TLS certificates on external facingMutual authentication, encryption andweb and applications to enable trust.integrity controls for connected devices.Multi-CloudSecure EmailEphemeral certificates to authenticateDigitally sign and encrypt emails acrosscontainers, microservices, and workloads.corporate and BYOD devices.Network DevicesDevopsAuthentication between routers, firewalls,Signing containers and software builds,load balancers, and SSL inspectors.and securing ephemeral workloads.MFA/SSOMobile DevicesMulti-factor authentication for singleTrusted access for mobile apps, mobilesign-on applications such as Windowsbrowsers, Wi-Fi authentication, S/MIMEHello or Office 365.email encryption, and more.VPN AccessWi-Fi accessReplacing expensive VPN authenticationAuthentication to Wi-Fi connections tosolutions with password-free certificat-ensure that only trusted users are access-ed-based authentication.ing the network.PKI supports more than 11 differentapplications on average.222020 Global PKI and IoT Trends Study nCipher, an Entrust Company 2021 Keyfactor, Inc. All Rights Reserved www.keyfactor.com4
Rethink your PKI eBookGetting it Right: The Complexity of PKIDesigning, deploying and maintaining the necessary systems to support your ownprivate PKI can be a costly and time-consuming commitment. Even a single expiredcertificate can render the groundwork of your cybersecurity spend useless. Worse yet,if your underlying PKI is compromised, every certificate in your environment is rendereduntrustworthy. Getting it right is critical, but it is not an easy feat.ExpertisePKI is a multi-faceted system that requires specialized expertise and dedicated IT staff to plan, buildand manage throughout its lifecycle. IT personnel oroutside consultants will need to design the certificatehierarchy, develop policies and procedures, implementthe required software and hardware, create and test adisaster recovery plan, and track certificates throughouttheir lifecycle.Significant IT resources must also be committed tosupport ongoing maintenance of audit logs, certificatevalidation and revocation, IT training, and end-usersupport for users that leverage digital certificatesacross the business.InfrastructureA comprehensive set of infrastructure is required to runan in-house PKI effectively. High availability, backup,and disaster recovery must be carefully planned toensure continuous operation.Dedicated infrastructure will need to be procured andprovisioned to host the root CA, issuing CAs, revocationendpoints, enrollment processes, private key storage,and so on.Additionally, FIPS 140-2 validated Hardware SecurityModules (HSMs) must be configured to protect to theroot, policy, and issuing CAs. 2021 Keyfactor, Inc. All Rights Reserved www.keyfactor.com5
Rethink your PKI eBookSecurityIn the interest of saving time or avoiding operationaleffort, far too many PKIs get deployed with lower-thandesired security controls. But most IT and security teamsTHINK YOUR PKI IS FREE?don’t realize the impact if they lose control of their PKI,“Free” PKI capabilities included in serverif it’s compromised, or if it’s mishandled internally.operating systems can appear to be a simple,Because PKI supports business-critical applications,low-cost PKI solution, but the reality is thatsecurity must come first. Organizations without athere is far more infrastructure, security, andhighly secure facility, data center, and access controlsprocess involved.will need to invest in a higher security level to protecttheir PKI.Hidden costs and complexities mean IT andsecurity teams often overlook critical steps,Achieving appropriately high levels of security withinonly to find themselves months later with ayour existing IT infrastructure can be challenging andPKI far less secure and reliable than whenexpensive. The root CA is the anchor of trust in your PKIthey started out.environment. The integrity of your PKI relies entirelyon the security of the root CA, and requires highlyspecialized controls to be maintained effectively. Forstarters, adequate protection requires on-site security,continuous monitoring, highly trained personnel; securevault storage, hardware-level protection, multi-personauthentication, biometric controls, and of course, aproper root CA signing ceremony. 2021 Keyfactor, Inc. All Rights Reserved www.keyfactor.com6
Rethink your PKI eBookBusiness ChallengesIt’s clear that PKI is taking on a more important role in security, but there’s a number ofbusiness challenges that stand in the way of success.PKI Operations Under StressToday, PKI deployments initially built for one or twoapplications are now expected to cover more usersand devices than ever before. Demand for encryptionand authentication has increased pressure on legacyPKI systems that weren’t originally designed for thislevel of scale or complexity. As a result, integrity of thePKI typically degrades as new use cases are adoptedof organizationssay they havesufficient ITsecurity staffdedicated to PKIdeployment.3without consideration for the policies and proceduresset in place from the start.No Clear OwnershipLack of Tools & ProcessesPKI has always been a bit of a technical “hot potato.”Security teams might overemphasize focus on theThe sheer complexity of public key cryptography isinfrastructure and how to get certificates out initiallyenough to keep most IT professionals away. And if itand underestimate the effort dealing with pendingisn’t the complexity, it’s the risk. The consequences forexpirations and outage prevention. Without softwarefailure within enterprise PKI is considerable. Takingto handle the lifecycle of certificates, expirations andresponsibility for that level of risk leaves few inclined tooutages are inevitable, causing serious disruption totake on the challenge.business operations. Required audits also become difficult, expensive, and time-consuming.Limited Expertise & ResourcesDue to the intricacies of PKI, problems are likely to ariseunless you happen to have that knowledge withinyour organization, and equally important, the depth inpersonnel to be able to execute it properly. The numberof professionals specialized in the art of PKI is waning.Furthermore, it is not always considered a core operation within the enterprise.32020 Keyfactor-Ponemon Report 2021 Keyfactor, Inc. All Rights Reserved www.keyfactor.com7
Rethink your PKI eBookIn-House vs PKI as-a-ServiceWhen it comes to private PKI, you have two options: either build your own or adopt acloud-hosted PKIaaS solution. Build-it-yourself PKI isn’t impossible — the real questionis whether you want to spend the time, effort, and investment to build and maintain ityourself.In-House PKIPKI as-a-ServiceEnterprise designs, builds and deploys theirPKIaaS provider hosts and manages theprivate PKI infrastructure, assuming 100backend hardware and software required topercent of the risk and cost of implementation.run the private PKI and manage certificatelifecycles. You maintain control of the PKI.Trusting your PKI in the CloudEnterprises often limit their PKI deployment to components bundled into their operating system, but this mayprovide a false sense of simplicity. The real effort andexpense of PKI lies in its maintenance. Organizationsmust also consider how digital transformation willchange demands for encryption and authentication inthe future.Previous notions that security and control are bettermanaged in-house are changing. As IT environmentscompound, enterprises are putting their trust in aPublic-key infrastructure (PKI) anddigital certificates are hard tomanage. Organizations are alsoexpanding the use of PKI within IoTand DevOps pipelines. Technicalprofessionals need to transform theperception — and the deployment —of PKI to establish an automatedmanagement regime for PKI.”reliable PKIaaS partner. With dedicated PKI expertise at their disposal, proactive compliance coverage,and multi-layered security across infrastructure andoperations, PKIaaS providers can deliver a much moreGARTNER, THE RESURGENCE OF PKI IN CERTIFICATEMANAGEMENT, THE IoT AND DEVOPS, PAUL RABINOVICH,ERIK WAHLSTROM, 23 OCTOBER 2018effective, and ultimately more secure, PKI deployment. 2021 Keyfactor, Inc. All Rights Reserved www.keyfactor.com8
Rethink your PKI eBook5 Reasons to Move your PKI to the CloudWhy should you re-evalutate your PKI deployment? Here are the top reasons why ourcustomers have made the shift to PKI as-a-Service:Robust SecurityScalability & AvailabilityThere are many considerations when it comes to migrat-A PKI supporting mission-critical applications must being your PKI to the cloud. All are important, but securityavailable around the clock and scale up on-demandis at the top of the list, and it’s up there for obviousto support millions of identities. However, legacy PKIreasons. If the root key or private keys are compromised,deployments typically lack support for appropriateit can result in significant disruption and downtime toredundancy and scalability. A “next, next, next” instal-PKI-dependent applications.lation of Microsoft CA is simple, but it will not scale tosupport your future demands. Each new use case willSince it is their core business, PKIaaS providers canadd to the complexity of your initially “free” PKI solution.commit far more resources to state-of-the-art PKIinfrastructure, security, and expertise than is feasibleBy contrast, reputable PKIaaS providers have thefor most enterprises. Furthermore, their security policiesright in-depth experience and knowledge of industryand practices have been tested over time and at scale,standards to help you get it right from the start –providing you with the confidence to know that your PKIdesigning a PKI that is customized to your current andis in the right hands. If your enterprise falls under attack,future business needs. High availability and scalabilityyou also have one less critical system to restore.built into cloud-delivered PKI models support growthdemands, coupled with 24/7 service monitoring toLower TCOMoving your PKI to the cloud can take multiple securitycontrols, maintenance tasks, and infrastructure costscompletely off your hands. Frankly, the capital expenditure needed to properly manage a solid internally runPKI is considerable, forcing many organizations to makeensure that all critical components are always running.Most importantly, service level agreements (SLAs)guarantee response times and ensure that there is only“one throat to choke” should an incident occur, and itisn’t yours.Business Continuitycritical PKI operations a secondary task.People and processes drive the success of PKI, but inAdopting the right PKIaaS platform can save a signifi-today’s workforce, personnel can quickly shift, leavingcant amount of time and resources, enabling your highlyPKI in unfamiliar hands. Shifts in PKI ownership inevita-skilled IT and security teams to be more productive,bly increase the risk of security gaps as inexperiencedand allowing your PKI to get the attention it deserves.hands fall on mission-critical infrastructure. Lapses inInfrastructure teams are able to focus on core projectsregular maintenance tasks such as signing and publish-— not getting caught up repetitive tasks like CA renewal,ing certificate revocation lists (CRLs) and renewing CAsserver patching, and HSM maintenance. Costs alsocan cause significant outages that take days or evenbecome much more predictable, since the many hiddenweeks to remediate.and traditional expenses of PKI are replaced with a flatrate billing model. 2021 Keyfactor, Inc. All Rights Reserved www.keyfactor.com9
Rethink your PKI eBookDeploying your PKI in the cloud ensures that, regardless of shifts in your IT and security personnel, yourinfrastructure continues to operate at full capacity.WHAT ABOUT CONTROL?PKIaaS providers ensure that no aspect of your PKIA common misconception about cloud-hostedis overlooked, from design throughout its lifecycle.PKIaaS is that you must give up control of theSystem-wide outages are easily avoided by leveragingvirtual keys to your kingdom. But it’s easy toa dedicated PKI team to help you stay ahead of criticalhave it both ways — maintaining control whileday-to-day management and maintenance tasks. Alloutsourcing complexity. It comes down to thethe while, built-in disaster recovery and backup provideprovider you choose.high assurance that your critical PKI functions can beeffectively remediated should an incident occur.A reputable PKIaaS provider will offer aplatform that gives your business completeLifecycle Automationcontrol over root CA keys and PKI recoverymaterials, while design, deployment, andmanagement tasks remain their responsibil-Beyond the nuts and bolts of PKI, you need visibility andity. That way, you always retain the ability tocontrol over every certificate issued. Manual scripts andmove your PKI in-house should the need arise.spreadsheets cannot keep up with the thousands orhundreds of thousands of certificates in use across yourorganization today. All it takes is one expired certificateto slip through the cracks to cause a serious network orapplication outage.Choosing the right PKIaaS provider can enable youwith the tools to manage and automate the lifecycleof keys and digital certificates issued from both yourcloud-hosted private PKI and any number of third-partypublic CAs. Lifecycle automation reduces the workloadon your PKI team and certificate end-users, and drastically minimizes the risk of a certificate-related outagesor breaches. 2021 Keyfactor, Inc. All Rights Reserved www.keyfactor.com10
Rethink your PKI eBookSimplify your PKI.Move it to the Cloud.Keyfactor PKI as-a-Service combines expert-run PKI with powerfulcertificate lifecycle automation in a single cloud platform.The Leader in PKI as-a-ServicePKI is critical to enterprise security, but setting up theinfrastructure and hiring the skilled personnel needed tobuild, operate, and maintain it 24x7 is no easy task. Withsecurity teams under increasing pressure, they need a newcloud-first approach to simplify and scale PKI on demand.1 Billion Certificates issued globally10 of the Fortune 100Run on Keyfactor PKIaaS60%Reduction in PKI SpendWhy KeyfactorAll-in-one solutionTested and provenNo lock-inOne vendor - combines fullymanaged PKI and certificatelifecycle automation.We’re the most reliable andwidely adopted PKI as-a-Service platform – since 2011.You retain full control over rootkeys and recovery materials inescrow to avoid any lock-in.Tenured PKI expertsUnmatched servicesLimitless scalabilityOur roots started in PKIconsulting – no one knows howto build and run PKI like we do.Fast SLA-driven response, SOC2 Type II audited annually, and99% support satisfaction.Scale up easily with high-availability and geo-redundantoptions. 2021 Keyfactor, Inc. All Rights Reserved www.keyfactor.com11
Rethink your PKI eBookReady to re-thinkyour PKI?See how Keyfactor’s PKI as-a-Servicecombines expert-run PKI with powerfulcertificate lifecycle automationin a single cloud platform.There comes a time in every PKIs lifespan whenit must move out and scale up to the growingdemands of your business. If you’ve adopted acloud-first strategy, don’t leave your PKI in the dust.You already know that PKI is critical to your enterpriseREQUEST A DEMOsecurity, but the hassle and hardware required to keepit running and secure often just isn’t worth it. Whetheryou’re a skeptic or you’re all in on cloud, request a demoto see if it’s the right time to re-think your PKI.Keyfactor is the leader in cloud-first PKI as-a-Service andcrypto-agility solutions. Our Crypto-Agility Platform empowerssecurity teams to seamlessly orchestrate every key and certificate across the entire enterprise.CONTACT USwww.keyfactor.com 1.216.785.2990We help our customers apply cryptography in the right way frommodern, multi-cloud enterprises to complex IoT supply chains.With decades of cybersecurity experience, Keyfactor is trustedby more than 500 enterprises across the globe.For more information, visit www.keyfactor.com or follow us onLinkedIn, Twitter, and Facebook. Built on a foundation of trustand security, Keyfactor is a proud equal opportunity employer,supporter and advocate of growing a trusted, secure, diverseand inclusive workplace. 2021 Keyfactor, Inc. All Rights Reserved www.keyfactor.com12
PKI as the proven technology to establish trust in their environment. With vast coverage that spans across the enterprise, PKI is a complex undertaking, requiring highly secure . disaster recovery plan, and track certificates throughout their lifecycle. Significant IT resources must also be committed to support ongoing maintenance of audit .
![[Page 1 – front cover] [Show cover CLEAN GET- AWAY 978-1 .](/img/13/9781984892973-6648.jpg)
