PKI isn’t a new concept, but it is one that’s constantly evolving with the times. And the future of PKI is cloud and SaaS. So what exactly does this mean?
Harry Haramis, GM of PrimeKey US, explored this topic in-depth at PrimeKey Tech Days 2021. Here’s a look at his perspective on the future of PKI in the cloud based on decades of experience in IT security.
The Shift to the Cloud is a Natural Evolution for PKI
When we really think about it, the shift to the cloud is a natural evolution for PKI. And it’s not the first evolution of its kind.
Consider the following: Would you still have a well in your backyard and use buckets to consume water? Would you install your own septic tank to deal with sewage? At one point these practices were commonplace, but today they’re outdated and unnecessary. Instead, you’d subscribe to a utility for all of these needs. The utility takes the burden of doing the work off your hands. It also offers economies of scale by providing the same service to thousands of homes, which makes the outputs much more effective and allows you to pay as you go without any upfront investment.
We’re seeing the same type of evolution in how organizations manage the technology that supports their business. For example, not too long ago every company had their own data center. Then there was a shift to co-location facilities, which helped minimize costs around power and cooling and ease bandwidth challenges. However, this was not a perfect solution, as these facilities still required organizations to own and manage hardware. The shift to the cloud removes that last barrier and finally frees companies from managing something that’s not their core business.
What the Shift to the Cloud Looks Like for PKI
Previously, any organization that wanted to do PKI right would need a secure area in a data center or co-location space. This typically involved expensive, highly involved elements like bulletproof glass and man-traps to offer protection within the shared facility.
The opportunity to shift PKI to the cloud changes all of this entirely, and it’s forcing organizations to evaluate if they really need PKI on-premise (similar to conversations about moving storage and other infrastructure from on-premise to the cloud).
So what exactly does a modern, cloud-based PKI look like? Shifting PKI to the cloud offers three major benefits for most organizations:
1) Increased Security
From a security perspective, it’s easy to fall into the trap of thinking that running PKI in your own data center offers more control and, therefore, tighter security. But in most cases this assumption isn’t accurate.
Cloud providers can offer a much higher level of security than individual organizations because doing so is core to their business. They have huge budgets to support anti-DDoS, IDS, and IPS systems, and so on, and they have thousands of people dedicated to security, acting on every single alert they see. Ultimately, it’s very hard for any single organization running its own tools to match that level of security.
2) Elasticity and Instant Global Availability
Individual organizations also can’t match the elasticity and instant global availability of the cloud, which is critical to scaling operations to meet the needs of a growing business.
For instance, imagine your company is developing a product and doesn’t need a big PKI footprint yet — just a small, functional representation of what the PKI infrastructure would look like to support development. As your product moves into the pilot phase, you might have a small subset of customers trying it out. At this point, your PKI will need high availability, but it still doesn’t need massive scale yet. However, that changes when you’re ready to roll out the product fully, at which point you need the scalability to issue hundreds of millions of certificates from your PKI.
Of course, this is just one of many examples that illustrate the growing need for highly elastic and available PKI, and gradually expanding PKI in this way is far easier and more reliable to do in the cloud compared to on-premise.
3) Reduced Capital Expenditure
Running PKI in the cloud also reduces or even eliminates upfront capital expenditures since it allows organizations to follow a pay-as-you-go model rather than making large, upfront investments in infrastructure.
In fact, if you go to a cloud marketplace, such as those for AWS or Azure, you can get a PKI up and running within minutes. With PrimeKey’s EJBCA, the SaaS product is operated entirely by our expert team, leading to more specialized support as well as savings compared to bringing on that expertise in-house to operate on-premise PKI.
The Shift to the Cloud is a Permanent One
Importantly, the shift to the cloud isn’t just a passing fad — the benefits that it delivers for both organizations and cloud providers alike mean that it’s a permanent one. In fact, companies like Microsoft are making a big push to move all of their on-premise customers to the cloud over the next decade.
That said, going 100% cloud is not for everyone. Many organizations have certain needs that will require a hybrid approach. For instance, if you have factories you might need on-premise PKI because you can’t rely on the cloud and the internet. But once your products are in the field, they can’t rely on your factories and you absolutely need a cloud-based PKI. And of course, there will always be government agencies and other ultra-high security organizations with especially unique and stringent requirements.
Regardless of your exact needs, PrimeKey has you covered with options for on-premise and cloud PKI that continue to evolve alongside the market. Going forward, we see more and more organizations adopting the new paradigm of cloud-based PKI, and this is a trend that will only continue to pick up steam in the coming years.
Interested in Learning More?
For even more insight on what’s driving the shift to cloud PKI and what your business needs to know, watch the full discussion with Harry Haramis on the future of PKI from PrimeKey Tech Days 2021.