Public key infrastructure in the cloud

Turnkey

PKIaaS or as a Cloud Platform

Cloud is not just cloud these days. As in many other cloud arenas, for PKI, the question arises: PKIaaS or as a cloud platform? PKIaaS offers a fixed set of functions. Billing is per certificate or per device. The approach is an obvious choice if the environment is dominated by standard scenarios that hardly need to be adapted and only a few special cases. Complete individualization is impossible, and deep PKI integration is difficult. The SaaS approach shows its strengths in the provision of standard certificates for servers, TLS, or VPN and pays off immediately because of the inexpensive implementation.

For an extensive PKI implementation or for a very specific use case, relying on a full cloud platform is recommended. This should have deep API support. It is equally important to ensure that billing is based on a single license for an unlimited number of certificates. This means that the system costs less and scales better (e.g., to cover the rapidly increasing IoT use cases). An administrator has full control over a PKI cloud platform and can cover every PKI functionality and component in the cloud.

Digital communication is also influenced by national and international regulations. Adapting to these regulations and integrating corresponding security aspects is one of the strengths of PKI from the cloud, particularly with regard to requirements for the operating environment and the use of approved system components. Some cloud providers cover precisely these aspects. The company uses its PKI from the cloud in the usual way and saves itself costly and time-consuming auditing and certification processes.

New Functions for the Cloud Future

Technological advancements continue, of course. Recent cloud-native features include a dedicated external Validation Authority (VA) that efficiently scales the OCSP. Cost reductions are promised by a feature that supports the AWS Key Management Service. Administrators will be delighted with simplified configuration for clustering, cloud databases, and the integration of a cloud HSM.

The level of integration already taking place in the cloud is illustrated by scaling capacity and throughput, as needed. This capability pays dividends when certificate validation requirements suddenly skyrocket because the PKI user introduces new services or products. Another important advance involves the ability to run a PKI environment with multiple cloud providers. The need may arise from legal requirements. The improvement now is to manage the PKI through one management interface, even though it is used across different clouds.

Conclusions

A PKI is and always has been capable of covering the most demanding use cases for secure digital communication, and this is even more true for the future when considering IoT and M2M environments or new scenarios, such as in connected cars or healthcare. These examples also show that a PKI in cloud operation reduces complexity. Thus far, the opposite has been the case from the critics' point of view. A cloud-based implementation now offers the refreshing approach of beaming the qualities of a proven security architecture into the next decade.

The Author

Andreas Philipp is Business Development Manager at PrimeKey.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Windows security with public key infrastructures
    A rarely used feature for improving security in Windows environments relies on certificates issued for various applications, services, and procedures that is based on a public key infrastructure.
  • Moving HPC to the Cloud

    HPC has a unique set of requirements that might not fit into standard clouds. However, plenty of commercial options, including cloud-like services, provide the advantages of real HPC without the capital expense of buying hardware.

  • Arm yourself against cloud attacks
    We present approaches and solutions for protecting yourself against attacks in the cloud.
  • Azure Sphere for Internet of Things
    Microsoft Azure Sphere links three vital elements of the Internet of Things – microcontrollers, software, and cloud service – with a focus on security.
  • Hardening network services with DNS
    The Domain Name System, in addition to assigning IP addresses, lets you protect the network communication of servers in a domain. DNS offers further hardening of network protocols – in particular, SSH fingerprinting and CAA records.
comments powered by Disqus