Finding the Right Path to PKI in the Cloud

As the digital world continues to explode, having a modern and effective public key infrastructure (PKI) program has never been more important for enterprises. PKI can establish trust in this digital world by securing all of the digital identities within your organization, from traditional IT infrastructure to connected products and everything in between – if it’s managed correctly.

Today, a well-managed PKI program typically means a cloud-based program for most organizations. With that in mind, let’s take a look at the potential options for PKI in the cloud to help determine the right approach for your business.

The Cloud is the Way Forward for Most – But Not All – Organizations

Before we go into the options for moving your PKI program to the cloud, it’s important to note that not all organizations can make this shift – and that’s okay.

Certain organizations have regulatory or business requirements that make a move to the cloud far more challenging. Instead, they might require the additional level of control and oversight afforded by an on-premises environment (and would therefore have a clear business case for the additional resources to manage this setup).

For example, government agencies and other businesses operating in industries subject to ultra-high security will have extremely strict and unique regulatory requirements that may mean they need the deep, in-house control of an on-premises deployment. 

Other organizations, such as manufacturing plants in remote areas, may be unable to rely on the cloud or internet for various reasons, which would require either on-premises or hybrid PKI.

3 Paths to Cloud-Based PKI

Unless your organization has unique regulatory or business requirements as noted above, a move to the cloud is the best way to modernize your PKI program and ensure it can meet the high demands of today’s digital world.

That said, there is no one path to PKI in the cloud. Three options exist, and which one is right for your organization will depend on a number of factors. Here’s what you need to know about each path to make a more informed decision:

Option 1: Cloud-Native CAs

First, there are cloud-native CAs: managed certificate authority services offered by cloud service providers such as Google (Google CA Service) and Amazon (AWS Private CA). They offer automated workflows with the high availability and scalability for which these providers are known.

These options work well for issuing TLS certificates within their own cloud environments, but they are not cloud-agnostic, which limits their usefulness for organizations that operate across multiple clouds.

Ultimately, your business will need an enterprise-wide solution for PKI and certificate management, and while cloud-native CAs may be an important piece of that, they are likely not the only solution on which you can rely (unless your entire organization operates within the confines of a single cloud provider).

Option 2: Turnkey PKI Solutions from Dedicated Providers

Next, there are dedicated PKI providers that offer turnkey solutions your team can deploy directly from a marketplace. For instance, Keyfactor offers EJBCA Cloud or SaaS. 

These solutions offer the high availability and scalability of the cloud (as well as the reduced expenditures compared to managing on-premises) all backed by a team of PKI experts. 

Importantly, they are also cloud-agnostic, meaning your team can deploy and manage all of the certificates across your organization – regardless of where they live or even if they came from a cloud-native CA – in a single place. 

This setup allows your organization to consolidate and simplify PKI management by bringing everything related to PKI, including certificate issuance, management and overall governance, into a centralized and automated platform. Additionally, the turnkey nature means you can get up and running with this approach extremely quickly.

Option 3: PKI-as-a-Service (PKIaaS)

Finally, a dedicated PKI provider may also offer PKI-as-a-Service, a more hands-off approach in which the provider runs the cloud-based PKI on your organization’s behalf. At Keyfactor, our cloud PKIaaS is a fully managed cloud-based PKI solution that provides all the advantages of enterprise PKI without the cost or complexity of running the program in-house.

Specifically, a PKIaaS option means that the PKI provider takes over management of the PKI program in a subscription model that includes hands-on management through continuous service monitoring and round-the-clock support. And once again, it includes the high availability and scalability of the cloud, plus the benefits of a centralized and automated program.

Adopting PKIaaS not only leaves your organization’s program in the hands of dedicated experts (and saves the costs and time associated with hiring full time employees to lead PKI), but it also frees your IT and security teams to focus on high-value projects.

Inside Look: How Real Organizations Have Found Success with PKI in the Cloud

There is no right or wrong approach to adopting cloud-based PKI. It depends on the unique needs of your business. These two real-life success stories demonstrate exactly how different approaches can work.

EQ Bank Adopts PKI-as-a-Service

EQ Bank is the digital platform of Toronto-based Equitable Bank. Launched in 2016 as Canada’s first born-digital bank, EQ Bank has fueled rapid growth by challenging traditional banks with a completely branchless experience and smarter banking solutions.

Recently, the bank began to experience several challenges with its existing PKI program: a lack of visibility into certificate expirations and configurations that led to unexpected outages, shadow PKI in the form of self-signed certificates, and an inability to support DevOps and cloud use cases.

In response, EQ Bank decided to adopt PKIaaS with Keyfactor to eliminate outages and enable DevOps teams to move faster, without the cost and complexity of running PKI on-premises.

This move to the cloud has allowed EQ Bank to modernize its PKI program, leading to benefits like greater visibility to remediate risks, automation to help eliminate outages due to expired certificates and integrated certificate provisioning in DevOps workflows. 

Additionally, by adopting a PKIaaS model with Keyfactor, EQ Bank has reduced its certificate-related task workload by two full-time equivalents (FTEs) – resulting in enormous time savings for its in-house security team.

Erie 1 BOCES Chooses Turnkey SaaS PKI

Erie 1 BOCES is a New York public school cooperative that delivers technology and support to more than 100 school districts across seven counties in New York. It was established as a way for local school districts to collaborate on services and reduce their individual expenses.

As part of the cooperative’s approach to managed IT services, it recently recognized the need for a new way to authenticate mobile devices for Wi-Fi access and identified cloud-based PKI as the best solution.

Erie 1 BOCES already used Microsoft Azure Active Directory and Microsoft Office 365 and wanted to stay within that environment. This led the team straight to Keyfactor’s EJBCA Enterprise certificate issuance and management system, which works with Microsoft Azure and Microsoft Intune.

They were able to deploy EJBCA Enterprise directly from within the Azure marketplace, allowing the cooperative to be up and running with the new cloud-based PKI program within two weeks. Now, they have a fully modern PKI program for mobile device and workstation validation on the cooperative’s Wi-Fi network running seamlessly within their existing Microsoft footprint.

Which Path to Cloud PKI is Right For You?

As you consider cloud-based PKI, it’s critical to take the time to evaluate your options to determine which path is the right fit for your team’s needs and resources.

But whichever route you do choose, you’ll be well on your way toward a more modern and scalable PKI program — and the importance of that cannot be overstated.

Ryan Sanders

Senior Product Marketing Manager
