Businesses face a globally connected world and rely on secure digital communications to protect their business-critical data. This security is based on digital certificates and public key infrastructures (PKI).
However, today’s hybrid multi-cloud environments require a new PKI approach. In order to implement this, organizations need to understand what a PKI is and what factors they need to weigh up.
In general, a PKI is defined by a set of roles, policies, hardware and software components, and procedures required for creating and managing digital certificates and managing cryptographic keys. Essentially, the creation, management, distribution, use, storage, and revocation of certificates must be considered to cover their entire lifecycle.
The X.509 certificate verifies the owner of the corresponding private key. They can be visualized as the electronic equivalent of an ID card or passport. A well-known example of a PKI-based security control is the use of Secure Socket Layer (SSL) certificates. Thanks to them, visitors to a website can be sure that they are communicating with the intended recipient.
The traditional PKI and the decentralized approach
The relocation of on-premises structures in and around the extensions through the cloud poses new challenges for companies. Integration into the infrastructure of third-party providers and the resulting risk of misconfiguration can lead to security risks. The duration of use of the certificates issued today by the PKI has also changed and many existing approaches can only deal with the volume of certificates to a limited extent.
As a result, many organizations have outgrown their traditional PKI and need to re-evaluate and, if necessary, re-implement their infrastructure, or at least redesign the existing ones to adapt. Essentially, they need to understand that today’s PKI is a decentralized trust network composed of a mix of on-premises and cloud environments.
What favors the use of a decentralized PKI?
The move to a decentralized PKI is favored by a number of factors. One of them is an already existing, hybrid trust model. Many organizations rely on a mix of trusted third-party CAs and in-house private CAs. It is precisely because of the cloud strategies that are becoming established in organizations that the situation arises time and again in which cloud offerings are used, for example, by AWS, Azure and Google Cloud Platform, each of which has its own integrated PKI functions for issuing certificates. This then has to be integrated or adapted into the company’s own PKI.
The decentralization of the PKI also scores with its availability – this is business-critical. A decentralized PKI infrastructure is used in clustered, geo-redundant or high-availability architectures. This avoids a single point of failure to ensure end-to-end availability of a PKI for issuing and revoking certificates.
Decentralized teams and departments are another factor because they prefer different certification authorities in companies in order to reduce costs or have to cover individual requirements and use cases such as continuous integration / continuous delivery (CI/CD), containerization or short-lived SSL/TLS certificates. A lack of integration for these scenarios also leads to a decentralized infrastructure, which puts a strain on teams as they each have to develop their own scripts and mechanisms for tracking.
Best practices for implementing a modern PKI
When planning, implementing and expanding a decentralized PKI, companies must consider several important aspects. It is particularly important to define the requirements for the level of trust to be achieved. Organizations should be aware of where their public and private keys are stored and used to ensure the level of trust they require. It also means they are concerned about their PKI required to support this trust model. This includes ensuring trust across different silos.
In addition to the required and defined level of security, it is also essential for companies that the use cases for certificates are clearly defined and recorded. This includes the question of whether it is used for test purposes or in a productive environment. It is important to record which types of certificates are required for which purposes, with which volume and in which applications.
Likewise, the aspect of crypto agility should not be lost sight of. This means developing preparations and concepts so that changes can be made quickly at any time – from key lengths to algorithm changes. The ability to revoke and reissue certificates on a large scale plays a key role here.
The implementation and operation of a PKI must not be underestimated, because there is no one-size-fits-all solution for all use cases. Hybrid multi-cloud infrastructures often require decentralized PKI implementations, which require good planning.