Public key infrastructure in the cloud
Turnkey
Every industry has a need to authenticate and secure digital communications. The topic of how to communicate securely, whether by a virtual private network (VPN) or over Transport Layer Security (TLS), immediately brings public key infrastructure (PKI) into play. This security infrastructure has spread globally as the most trusted technology to identify people and devices, as well as secure digital communications between participants.
PKI is rightly seen as the component that provides the trust anchor, which also means that a compromised PKI, above all a compromised CA signing key, could render every communication system that relies on it insecure. For that reason, organizations have until now mostly run their PKI on premises.
However, the need for scalability and lower capital and operating costs argues for moving PKI to the cloud. Done properly, this need not mean a security compromise for IT security administrators, and it spares them the work of building everything from scratch, as they would have to in an on-premises environment. Whether PKI is better consumed as a cloud platform or as software as a service (SaaS) depends essentially on the use cases; adaptability to new regulations and to new cloud-native features can also influence the choice.
Classic PKI is Expensive
Setting up a PKI, from the hardware security module (HSM) that protects the CA keys to the database behind it, and integrating the detailed processes for creating, issuing, renewing, and replacing digital identities in the form of certificates requires considerable technical expertise. Each additional use case in a local environment means extending the existing infrastructure, and sometimes building new hardware systems.
Day-to-day operations also pose challenges, which are easier to master for admins whose skills go beyond network administration. Everyday hurdles such as patching the operating systems, administering the HSMs, and exercising their backup and restore procedures can then be overcome quickly. Harder to handle is the growing global reach of corporate services, whether internal or customer facing, which places special requirements on the PKI.
One example is the Online Certificate Status Protocol (OCSP) responder, an information service that is a fundamental component of a PKI. Because clients worldwide query it to learn whether a certificate has been revoked, the transaction load it must absorb has to be planned for. Checking the code-signing certificate when a software package is installed is worthless if the OCSP responder is overloaded and cannot answer: depending on the client's policy, the installation either fails (fail closed) or, more commonly, goes ahead without any revocation check (soft fail), so a revoked signing certificate slips through unnoticed.
Local PKI for Complex Customizations
On the other hand, the universal character of PKI also pays off in practice: once the established corporate PKI issues digital identities for one use case, the same identities can secure further use cases. For example, a company might first set up a PKI that issues digital identities for access to offices and business premises, using smart cards or other tokens. The next step would be to reuse these certificates for secure VPN access for employees, followed by integrating support staff who need a secure remote maintenance solution.
Server certificates for the entire e-commerce infrastructure, including web servers, load balancers, and server farms, are also conceivable as an extension of the PKI. The prerequisite for this approach is a scalable enterprise PKI that can be expanded as use cases are added.
IoT Scenarios Predestined for Cloud PKI
As IoT scenarios grow, so do the requirements for scalability, flexibility, and predictable cost models. This is where cloud-based PKI comes into its own and becomes the central instance for machine-to-machine (M2M) communication, device certificates, and TLS encryption in IoT deployments.
One example is the healthcare industry, where countless IoT use cases illustrate the need for PKI as a Service (PKIaaS), or PKI from the cloud. Patient records increasingly need to be available digitally, which requires secure authentication and access control in the hospital. Wards also use devices such as infusion pumps, in which software controls the dose delivered by drip infusion. The software can securely identify the pump and the intravenous therapy it administers only by authenticating with a digital certificate; in turn, the device running the software must ensure that no one tampers with the application (for example, by checking the signature on its software). Just to ensure that a patient receives the correct dose of a medication, several digital certificates and PKI-based processes must interlock, which is what rules out manipulation of the data, the devices, and the communication channels.
In a modern hospital, comparable requirements apply to surgical robots, cooling units, and key cards for secured areas such as medicine cabinets. In such an IT environment, one advantage of PKI from the cloud pays off particularly well: its centralized deployment can be shared among several facilities of the same hospital operator. Local IT teams do not have to set up and manage server hardware and applications of their own. Their decision reduces to whether to consume the security architecture as SaaS or as a full PKI platform, the latter being provided within a cloud instance.