How To Future-Proof Your PKI
Gregory Webb is the CEO of AppViewX, a leading cybersecurity and IT infrastructure automation platform enabling digital transformation.
With most critical transactions and communications taking place online, protecting the privacy and integrity of those exchanges has become the No. 1 priority for the enterprise. The most common protection is encryption in transit, typically TLS, which rests on public key cryptography: each server, device or person holds a private key, and a certificate issued by a trusted certificate authority (CA) binds the matching public key to that identity, so peers can authenticate each other before any data flows. Modern enterprises therefore depend on a robust public key infrastructure (PKI) to issue, distribute and retire those certificates and keys. But as the CEO of a company that provides enterprise key and certificate management and PKI as a service (PKIaaS) solutions, I've found that the ever-growing number of connected devices and workloads that need certificates, including IoT devices and cloud applications, is beginning to strain DevSecOps and NetOps teams' ability to provide the agile and scalable security that today's enterprises need.
Managing a PKI is a multistep process (generating keys, requesting and issuing certificates, installing them, monitoring expiry, renewing and revoking), and it is made harder by the growing number of connected devices, the adoption of microservices architectures and modern application delivery practices such as CI/CD. Manual processes, whether spreadsheets or calendar reminders, can no longer keep up: an expired certificate nobody tracked takes a service down, an unknown or weakly configured certificate is a potential vulnerability, and waiting on a ticket for every certificate slows down application delivery cycles.
Current Trends In Certificate Life Cycle Management (CLM)
To gain better control over their security infrastructure, some companies are opting to outsource their PKI management to third-party vendors. These PKIaaS providers assume responsibility for issuing and maintaining certificates for their customers, freeing up the clients' SecOps resources and streamlining the process of issuing, distributing, installing, monitoring and revoking certificates. While this approach is definitely a step up from spreadsheets and homegrown tools, it does not solve the problem of managing the security infrastructure of a multivendor, multiplatform enterprise. PKIaaS vendors typically manage only the certificates they themselves issue, leaving SecOps teams to deal with the mismatched systems and devices, and the certificates from other CAs, that support their on-prem and cloud applications.
Another trend I am seeing is DevOps teams setting up their own private certificate infrastructure to protect containers, microservices, VMs and service accounts. Their needs differ from those of SecOps teams securing traditional devices such as servers, or even IoT, because communication between microservices relies on certificates that last only hours, not months, and that must be renewed and rotated continuously by automation rather than by hand. Because these private CAs usually sit outside the central PKI, they also create a second trust domain that SecOps has no inventory of unless discovery tooling finds it.
Then there is the issue of different needs between cloud and on-prem. Some organizations are cloud-native and face incompatibilities between on-prem certificate authorities (CAs) and their cloud platforms. Setting up private CAs can be costly and requires a skill set they often do not have in-house. Other enterprises are in no hurry to move to the cloud and find on-prem infrastructure more suitable for their current needs; they may be looking for solutions that provide the full spectrum of advanced PKI capabilities on hardened appliances.
What A Future-Proof PKI Solution Might Look Like
While there is no one-size-fits-all approach, a future-proof PKI management platform needs to be platform- and vendor-agnostic, agile, scalable and intuitive to meet the diverse needs of today's enterprises. Companies should look for a system that supports a growing number of devices and emerging technologies; integrates with existing DevOps tools and processes so certificate operations can run inside CI/CD pipelines; provides end-to-end visibility into the entire life cycle of keys and certificates; supports automated enrollment and renewal through standard protocols such as SCEP, ACME and EST; and is quick to deploy and easy to use. Ease of use matters especially for enterprises ready to move away from fully centralized certificate management and offer self-service workflows that let application owners provision certificates to their servers as needed, within policy. In addition to full life cycle management and automation, a robust CLM solution should have automated discovery to locate and inventory certificates across all endpoints, including those issued by other CAs or self-signed outside the platform, since those are the ones that expire unnoticed.
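As an added example (not from the original article, and not AppViewX's product code), the Go program below shows two of the mechanics discussed above in working form: issuing hours-long workload certificates from a private CA with a renew-at-two-thirds-of-lifetime policy (the service-mesh case from the DevOps trend above), and turning a set of discovered certificates into an inventory that flags what has expired and what does not chain to a known CA. The CA name, service names, hostnames and timestamps are constructed fixtures, and the 2/3 renewal threshold is an assumed policy, not one the article specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // unwraps (value, error) while building the constructed fixtures
	if err != nil {
		panic(err)
	}
	return v
}

// mustIssue generates a P-256 key and signs a certificate for cn over [notBefore, notBefore+ttl);
// a nil parent yields a self-signed certificate (used below for the private root CA).
func mustIssue(cn string, sans []string, notBefore time.Time, ttl time.Duration, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120)))
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // random and never zero
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA { // a CA signs certificates and CRLs; it does not terminate TLS itself
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// renewalDue: renew once fraction of the lifetime has elapsed (2/3 is common) rather than reacting to expiry.
func renewalDue(c *x509.Certificate, now time.Time, fraction float64) bool {
	return !now.Before(c.NotBefore.Add(time.Duration(float64(c.NotAfter.Sub(c.NotBefore)) * fraction)))
}

type Entry struct {
	Subject, Issuer, Status string // Status: ca, ok, expired, or untrusted (no chain to a CA in the set)
	DaysLeft                int    // truncated toward zero; negative once expired
	RenewNow                bool   // renewalDue at 2/3 of lifetime; also true once expired
}

// inventory classifies discovered certificates (e.g. tls.ConnectionState.PeerCertificates), validating leaves against the CAs in the set.
func inventory(certs []*x509.Certificate, now time.Time) []Entry {
	roots := x509.NewCertPool()
	for _, c := range certs {
		if c.IsCA {
			roots.AddCert(c)
		}
	}
	var out []Entry
	for _, c := range certs {
		e := Entry{Subject: c.Subject.CommonName, Issuer: c.Issuer.CommonName, Status: "ok",
			DaysLeft: int(c.NotAfter.Sub(now) / (24 * time.Hour))}
		switch {
		case c.IsCA:
			e.Status = "ca"
		case now.After(c.NotAfter):
			e.Status, e.RenewNow = "expired", true
		default:
			e.RenewNow = renewalDue(c, now, 2.0/3)
			if _, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
				e.Status = "untrusted"
			}
		}
		out = append(out, e)
	}
	return out
}

// demoCerts is a constructed scenario: a private root CA, the 2-hour service-mesh certificate it issued,
// and a self-signed certificate on a legacy appliance that never joined the PKI; "now" is 90 minutes in.
func demoCerts() ([]*x509.Certificate, time.Time) {
	t0 := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	ca, caKey := mustIssue("Example Private Root", nil, t0.AddDate(0, 0, -30), 3650*24*time.Hour, true, nil, nil)
	mesh, _ := mustIssue("payments.svc", []string{"payments.svc.cluster.local"}, t0, 2*time.Hour, false, ca, caKey)
	stray, _ := mustIssue("legacy-appliance", []string{"legacy.corp.example"}, t0.AddDate(0, -6, 0), 365*24*time.Hour, false, nil, nil)
	return []*x509.Certificate{ca, mesh, stray}, t0.Add(90 * time.Minute)
}

func main() {
	for _, e := range inventory(demoCerts()) {
		fmt.Printf("%-22s issuer=%-22s days=%5d renew=%-5v %s\n", e.Subject, e.Issuer, e.DaysLeft, e.RenewNow, e.Status)
	}
}
```

Running it lists the root as `ca`, the mesh certificate as `ok` with `renew=true` (90 minutes is past two thirds of its 2-hour life, so the automation should already have rotated it), and the appliance certificate as `untrusted`: that last row is what discovery exists to surface, a certificate a team issued outside the PKI that no central tooling would otherwise track. Two caveats for real use: replace `demoCerts` with the chains collected from endpoints, and seed `roots` from the CAs the organization actually trusts rather than from whatever CA certificates turn up in the scan, otherwise a rogue CA sitting on the same host would vouch for its own leaves.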
Here are a few questions I’ve used with our enterprise customers to help determine their solution requirements for managing and simplifying their PKIs.
• Have you assessed the current and future PKI requirements for your organization?
• Is your current PKI provider evolving to support all new and upcoming use cases? Most organizations focus on the issue or outage at hand and procure a tool in haste. By the time they notice the tool's shortcomings, it is far too late to ask this question, and weeks or months have already gone into deployment and implementation.
• Have you run a compliance audit to list every compliance requirement the solution provider must satisfy? Compliance is key, and I cannot stress enough the importance of sorting this out at the outset.
• Do you have a list of integrations the provider should support, including forward-looking integrations with IoT and DevOps toolchains? A shortsighted approach to integrations can prove fatal when you try to raise your PKI game and adapt to new trends in the industry.
• Is the solution built so that it can scale with your needs and demands in the future? An archaic platform will do you no good, however efficient it may seem now.
• Can the solution run in the cloud or in containers? Many solutions lack an architecture that runs well in the cloud, which may make them obsolete.
• Is the solution easy to navigate and automate? It is increasingly evident to me that simple user interfaces (UIs) and workflows set users up for success. More importantly, compare how much of the work the solution automates with how much remains manual.
• What is the time to value? Asking this question helps ensure that you derive value from the solution on a timeline that aligns with your overall PKI implementation.
Asking these questions and choosing an automated certificate orchestration platform that meets these criteria can help enterprises not only support their current goals, but also better prepare for the future of encryption-based security.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.