Five Key Reasons to Modernize Your PKI

Legacy PKI infrastructure may be the anchor weighing down your cloud strategy. 

Twenty years ago, on-premises infrastructures were the norm. Certificate usage was a fraction of what it was now, and certificate lifecycles now are a fraction of what they were then. As a result, these organizations accrued a massive Active Directory footprint and a wide range of disparate PKI solutions issuing certificates to end users, internal applications, third-party contractors, workstations, servers, factory sensors, and more. 

But now, organizations find themselves moving some or part (or all) of their infrastructure to the cloud, and they are stuck using on-prem PKI to issue certificates to cloud-based resources. This isn’t optimum.

So what’s the big deal? Even if the current state of your PKI isn’t going to bring the organization down in flames, it is a small but important gear in the greater organizational machine. Modernizing PKI can enable and accelerate greater innovation and agility initiatives.

As new technologies and workloads emerge and become mainstream, but legacy infrastructures remain unmodernized, it creates a gap that becomes less and less tenable. 

Containerization, automation, and micro-services architectures are all of these innovations that can revolutionize the business, but they all consume certificates and depend on a modern, efficient PKI.

From medical devices to cars, equipment manufacturers need a modernized PKI to issue unique machine identities to hundreds of thousands of product units and to sign the code that will keep them working with each update. 

Shifts in the way employees work, like remote work or compliance-driven modifications to workflows, will likely drive certificate usage and demand greater flexibility and control over the organization’s PKI.

To meet new use cases, PKI deployments are growing more complex as more teams need to use certificates. Without a holistic PKI strategy, decreased visibility and consistency will hobble performance and create issues.

• When siloed, different teams will acquire their own certificate authorities with no regard to how other teams are handling PKI.
• IT admins and developers spin up self-signed certificates without documenting them.
• PKI and certificates are consumed without governance, best practices, or policies.

This increases the threat of unknown (and consequently untracked) certificates that can take a service or application offline when they expire. Keyfactor’s 2023 State of Machine Identity Report found that the average organization is maintaining 255,000 certificates at any time — but it just takes one to bring operations to a screeching halt.

When the sphere of PKI existed entirely on-prem, the entire PKI could be serviced by a robust solution like Active Directory. But as organizations adopt cloud services, they often do so without a strategy that evolves their PKI efficiently and concisely. 

With no organization-wide policies, practices, or standards to adhere to, siloed teams consuming certificates will resort to doing it their way. They adopt point solutions for their particular challenges. A team with AWS or Linux or IoT use cases will adopt AWS-, Linux-, or IoT-specific solutions.

That’s how organizations end up with an average of nine different certificate authorities, according to Keyfactor’s 2023 State of Machine Identity Report.

More tools create more problems. Organizations need to integrate these disparate PKI systems and gain the control they need to scale and execute the cloud strategy.

Most respondents to the report (53%) said their organization does not have enough resources or staff to deploy and maintain PKI effectively. The ownership of PKI varied from one organization to the next.

So who owns PKI? 

• IT teams (29%)
• Security teams (24%)
• Identity and Access Management (15%)
• Infrastructure (14%)
• No clear owner (17%)

Interestingly, there is no far-and-away winner, and it makes sense. PKI is an extremely technical, niche specialty, and there are very few PKI-dedicated technicians out there. However, IT and security teams likely lack the PKI knowledge to avoid missteps that will necessitate serious reconstruction later. Not to mention the challenge of managing PKI on top of their primary responsibilities.

Organizations may have no choice but to entrust PKI to these teams. However, if they must do so, they should endeavor to minimize the burden of PKI as much as possible through centralized control and automation.

Despite being a niche feature of the organization’s infrastructure, PKI affects everyone in the form of outages and downtime. 

According to Keyfactor’s 2023 State of Machine Identity Report, organizations suffered three certificate-related outages in the past 24 months. Over half of those outages severely disrupted customer-facing services. 

Expired certificates wreak havoc on the business. When CA and certificate sprawl proliferate, it takes more time to comb through the infrastructure to locate the expired certificate and identify all the locations where that certificate was installed. Then, the team handling PKI must restart services and remediate systems, provision the certificate to all locations, then finally renew and re-issue the certificate. 

Without a way to detect all certificates in the organization and automate their renewal, staying ahead of certificate expirations is impossible, and certificate lifecycle management becomes a game of whack-a-mole.

Many organizations take their cloud implementations as an opportunity to broadly modernize and de-clutter their infrastructure, and PKI is no exception. 

Modernizing PKI can enable better security, offer more versatility in meeting a wider array of use cases, and give teams managing PKI more bandwidth to tend to their other responsibilities. 

Cloud environments are becoming more diverse with the rising popularity of hybrid cloud and on-prem and multi-cloud infrastructures. In searching for a better approach to PKI, organizations should seek out solutions and platforms that can facilitate their entire cloud strategy and address potential needs in the future, rather than becoming another limitation that necessitates a complicated workaround. 

The right solution should also provide a range of service options, whether an organization would like to keep managing PKI while using the solution’s infrastructure or hand off PKI completely through a SaaS model. These options give organizations access to niche PKI skills without the burden of hiring them in-house. 

Ready to learn more? Watch Keyfactor’s on-demand webinar, “5 Reasons to Modernize Your PKI” and contact our team when you’re ready to take the next step.