Scaling PKI in Hybrid & Multi-Cloud Operations

Hybrid and multi-cloud are the new norms. Of course, where your organization is on its cloud journey is another story, but the reality is that – regardless of the pace you’re moving – it’s the direction we’re all headed.

In this imminent shift to dynamic and distributed IT, security teams naturally ask themselves, “What should stay within our datacenter? What should move to the cloud?” Not just applications and workloads, but all the solutions they rely on to secure them.

Public key infrastructure (PKI) and machine identities are key ingredients to securing everything from containers and virtual machines to applications and code in this new hybrid world.

The shift to the cloud doesn’t necessarily introduce new challenges in PKI and certificate management. Rather, it doubles down on the gaps we already dealt with in traditional IT:

• Trust issues: Application owners use wildcard certificates, self-signed certificates, and untrusted CAs without proper configuration, policy, and security.
• More complexity: Different trust requirements, specialized use cases, and environments require multiple CAs, increasing the complexity of managing PKI.
• Limited visibility: Getting a complete and accurate inventory of certificates is impossible when you’re dealing with multiple tools and interfaces.
• Heavier workloads: High volumes of short-lived certificates increase the workload on the teams responsible for monitoring and renewing them before they expire.
• Lack of integrations: Micorosft PKI (aka ADCS) will not support all of your enterprise needs. A modern approach is needed to support non-Microsoft, Cloud, and DevOps environments.

Enterprises now face a dilemma with their current PKI implementation. As a result, many need to re-build or re-think their PKI to support this new reality. Often, it starts with understanding the wide array of CAs that serve as the certificate issuance engine behind your PKI.

According to Gartner, “Trust requirements, migration, specialized use cases, hybrid environments, and the lack of out-of-the-box PKI integrations are all drivers for the usage of multiple PKIs and CAs.” In other words, traditional on-premise PKI just doesn’t cut it anymore.

Hybrid and multi-cloud PKI environments now include public, private, and cloud-based CAs to meet increasingly complex requirements. A recent report on the State of Machine Identity Management shows just how decentralized PKI has become.

Let’s take a look at the various types of CAs, when and where they are used, and key considerations for implementation.

Publicly-trusted certificates are purchased and issued from a third-party CA provider. These TLS and code-signing certificates authenticate and verify trust for external-facing web servers, load balancers, services, and software.

Organizations also deploy an internal, privately rooted PKI to support things like user and device authentication, DevOps, and IoT devices. On-premise PKI is often deployed as a software or hardware appliance (e.g. PrimeKey EJBCA), or as a component of Microsoft Active Directory (ADCS).

Certificate issuance capabilities are built-in to DevOps tools such as HashiCorp Vault, Istio, and Kubernetes. These tools are used for the high-volume issuance of short-lived certificates in dynamic containerized and service mesh environments.

Some cloud service providers offer privately rooted CA services, such as AWS Private CA or Google Cloud Certificate Authority Service (CAS). In addition, there are turnkey PKI solutions, such as PrimeKey EJBCA SaaS, which is deployed within minutes in the cloud.

Fully managed, cloud-hosted PKI services offer all the benefits of private PKI, but without the effort and expense of running it in-house. True PKIaaS combines fully managed PKI and certificate lifecycle automation in a single cloud solution.

Whether you have dozens of CAs in your environment or you’re just getting started from scratch – there is a lot to consider when it comes to PKI and certificate management:

To meet these unique requirements, organizations should have the flexibility to deploy PKI how and where they want, without running into roadblocks like lack of integrations, high complexity, and limited visibility.

That’s why Keyfactor offers multiple flexible options to help you simplify your PKI and take control of every certificate – no matter where it’s issued from or where it needs to be deployed.

Learn more about the Keyfactor Platform and find the right fit for your business.