Scaling PKI: Real-World Lessons from Enterprise

Public key infrastructure (PKI) is a mature technology, and most organizations have a good sense of its ability to secure information across networks — and authenticate individuals and devices.

Unfortunately, many IT teams also struggle to manage PKI implementations and scale them to new use cases. According to the Ponemon Institute, new applications like IoT devices and external mandates and standards drive the most uncertainty. At the same time, 64 percent of IT security professionals say they lack the resources they need to deploy and manage PKI. Only 38 percent say they have PKI specialists on staff.

It is no wonder, then, that cloud-based PKI-as-a-Service (PKIaaS) appeals: it outsources the complexity of the PKI infrastructure while retaining control of the trusted assets and reducing the cost of operating and deploying PKI. But how can you expand or migrate in-house PKI without disrupting your environment?

In this article, we’ll review two case studies from HID enterprise clients that show just how painless the transition can be — and what PKIaaS has helped them accomplish.

In Search of a Single Pane of Glass

A multinational food manufacturer was responsible for managing over 275,000 public and private certificates to secure its websites and internal networks. Private certificates were issued via Microsoft Certificate Authority, whereas public certificates were managed separately, via one of the top public TLS/SSL certificate providers.

PKIaaS now enables the company to manage both types of certificates through a single cloud-based service. A browser-based portal gives the food manufacturer’s IT team quick certificate management, while representational state transfer (REST) APIs integrate certificate management with existing infrastructure. The company’s new PKI infrastructure operates as follows: A dedicated trust anchor offers multiple private trust certificate types for workstations, network devices, and mobile devices. It connects with Microsoft tools such as auto-enrollment and AD CS (Active Directory Certificate Services) to automate the deployment of certificates to any network device, and it uses the Microsoft Intune connector to automate certificate deployment to mobile devices. Meanwhile, a centralized Account Certificate Manager portal provides the flexibility to issue and manage TLS/SSL certificates across the company’s domains, and the request and approval process has been integrated into the company’s ServiceNow workflow.

In addition to reducing cost and complexity, having a single management console for both public and private trust certificates reduces the risk of certificate-related outages.

Avoiding a Single Point of Failure

A Japanese bank that provides retail, corporate and investment banking services relied on multiple private CAs to implement two-factor authentication for users and devices accessing its VPN. These certificates are also to be used for machine authentication for Network Access Control (NAC). The bank also wanted to use multiple public CAs for TLS/SSL certificates, so that a single point of failure at one issuing certificate authority would not compromise its public trust.

After migrating to PKIaaS, the bank now has a single pane of glass with Account Certificate Manager (ACM) to manage the entire lifecycle of public and private certificates. It uses an autoenrollment connector to automate certificate deployment to any user or device that is joined to the domain. Public TLS/SSL certificates from HID IdenTrust and DigiCert support crypto-agility and are integrated into the same management console.
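Both case studies turn on the same two checks a consolidated inventory makes possible: spotting certificates about to expire before they cause an outage, and noticing when every certificate in a trust class hangs off one issuer (the single point of failure the bank wanted to avoid). The script below is an added example, not code from HID or either customer; it runs those checks over a small constructed inventory, and the issuer and host names in it are made up.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CertRecord:
    subject: str
    issuer: str
    trust: str        # "public" or "private"
    not_after: date   # expiry date from the certificate's validity period


# Constructed sample inventory; names and dates are illustrative only.
INVENTORY = [
    CertRecord("www.example.test", "Public CA A", "public", date(2024, 6, 1)),
    CertRecord("api.example.test", "Public CA A", "public", date(2024, 9, 15)),
    CertRecord("vpn.example.test", "Public CA B", "public", date(2025, 1, 10)),
    CertRecord("laptop-0421.corp.test", "Corp Issuing CA 1", "private", date(2024, 5, 20)),
    CertRecord("switch-07.corp.test", "Corp Issuing CA 1", "private", date(2026, 2, 2)),
]
SAMPLE_TODAY = date(2024, 5, 15)  # fixed "today" so results are reproducible


def expiring_within(records, today, days=30):
    """Certificates still valid today but expiring within `days`, soonest first."""
    cutoff = today + timedelta(days=days)
    soon = [r for r in records if today <= r.not_after <= cutoff]
    return sorted(soon, key=lambda r: r.not_after)


def already_expired(records, today):
    """Certificates whose validity period has already ended."""
    return [r for r in records if r.not_after < today]


def issuer_concentration(records, trust):
    """Share of certificates per issuer within one trust class (public/private)."""
    subset = [r for r in records if r.trust == trust]
    if not subset:
        return {}
    counts = Counter(r.issuer for r in subset)
    return {issuer: n / len(subset) for issuer, n in counts.items()}


def single_points_of_failure(records):
    """Trust classes where one issuer holds 100% of the certificates."""
    classes = sorted({r.trust for r in records})
    return [t for t in classes if max(issuer_concentration(records, t).values()) == 1.0]
```

On the sample data this flags two certificates expiring within 30 days and reports that the private trust class depends entirely on a single issuing CA, while the public class is spread over two.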

Scalable, Cost-Effective PKI

PKI tools are built into the systems and services that power most enterprise networks. However, that doesn’t mean it’s free to build, maintain and scale in-house PKI.

Cloud-based PKI-as-a-Service helps organizations leverage the technology’s power without the administrative overhead, securing all devices even in the most complex ecosystems. Migration from on-premises PKI to PKIaaS is fast and simple, because PKIaaS natively integrates with Microsoft tools such as Autoenrollment and AD CS. And once PKIaaS has been implemented, organizations can manage both private and public certificate services through a single cloud-based service and scale as they grow. It is operational in days, so you get an immediate return on investment.

PKI can do more. Find out how to leverage the technology’s full power in our executive brief, Certificate Use Cases.
