With the advent of digital transformation, the sheer number of connected devices has exploded. Networks consist of several hundred intertwined endpoints, each of which needs to be secured to ensure that its communications remain encrypted and inaccessible to unauthorized parties. PKI and digital certificates have served this purpose for decades – nearly every organization with a digital presence now possesses a working PKI system. However, modern technology like DevOps, the IoT, cloud applications, and blockchain now leverages PKI for security as well – and because these systems require high-volume deployments, they need PKI systems that are highly agile, and easy to scale and deploy whenever end-users require it.
The Current State of PKI
As it currently stands, an enterprise-grade PKI deployment requires significant groundwork before it is operational. The infrastructure needs to be configured with a private CA, maintained, and have additional instances configured in the environment in order to scale – these are manual processes that require skilled staff with expertise in PKI, driving budgets skyward.
Now, consider an IoT implementation or a DevOps environment involving several thousand containers – these use-cases typically require hundreds of thousands of certificates, each of which is often short-lived and needs to be replaced periodically. Conventional on-premise private CAs are not well-equipped for this, and require the expenditure of considerable time, manual effort, and money to function in high-frequency agile environments.
Control Your Certificates Before They Go Rogue!
The problem doesn’t end with deployment. Once the certificates are installed on their respective endpoints, they need to be continually monitored, renewed, revoked, and replaced. In most organizations, PKI is handled by a central team that coordinates with individual BUs via raised tickets. At this scale, things can quickly get chaotic.
Managed PKI emerged as a possible solution: the entire PKI environment moves under the purview of a vendor, where, as the name suggests, all the moving parts are managed by that vendor, with the customer receiving only the certificates they require. However, this approach denies teams the ability to exercise control over their PKI, which can raise security or privacy concerns.
There is an industry need for a PKI system that allows teams to abstract the complexity involved with managing the underlying PKI, while allowing them to retain full control over the infrastructure and operations involved. Rapid deployment, quick time-to-value, and simplified management and operation would all be highly valued characteristics of an ideal PKI for environments of all sizes.
The AppViewX-Google Cloud Platform Integration
Google Cloud Platform’s (GCP) Certificate Authority Service (CAS) is an HSM-backed, enterprise-grade PKI that can help to shrink PKI deployment time from months to minutes. Customers gain access to a trusted private CA that places certificate issuance squarely under their control, and requires no setup to operate, as the infrastructure is handled by Google Cloud. Certificate deployments are instantaneous and scale on demand, with the ability to issue millions of certificates with varying lifespans. It is important to note that Google Cloud’s CAS promotes flexibility by allowing users to communicate with DevOps tools and CI/CD toolchains via a REST API. Key security and compliance are covered as well, with the platform leveraging Google Cloud’s Key Management Service (Cloud KMS), a cloud-based FIPS 140-2 Level 3 HSM. It also features audit logs and granular access control for added internal security.
AppViewX fully integrates with GCP, and acts as a Registration Authority for certificates issued by the CAS. Its primary benefit, however, lies in its certificate and key lifecycle management and automation capabilities. Some of the functionality AppViewX provides in conjunction with Google Cloud CAS includes:
- Auto-Enrollment of Certificates via SCEP, ACME, EST, and CMP: AppViewX facilitates auto-enrollment of certificates on endpoints via the aforementioned protocols. Certificates can be enrolled on mobile devices using SCEP as well, and managed using Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) tools.
- Certificate Lifecycle Management: Certificates issued by CAS can be discovered and inventoried across a variety of endpoints. Renewals, revocations, self-service provisioning, enrollment, and monitoring operations can be performed from within the AppViewX platform.
- Self-service Provisioning to Servers and Appliances: AppViewX can publish self-service forms that end-users can use to request certificates that AppViewX will automatically provision on associated servers, devices, and appliances.
- Integration with DevOps tools: AppViewX features native integrations with leading DevOps tools to carry out certificate operations in DevOps environments: Terraform and Ansible for deployment automation, Kubernetes and OpenShift for ingress certificate automation, Istio for service mesh security via mTLS, and so on.
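The monitoring step of certificate lifecycle management boils down to inventorying every certificate you can find and flagging the ones that expire inside your renewal window. The following shell script is an added illustration of that check, written for this article rather than taken from AppViewX or Google Cloud CAS; it issues a throwaway self-signed test certificate (constructed purely for the demo, valid for 10 days) with the openssl CLI and reports OK, RENEW, or EXPIRED for each certificate in a directory against a caller-supplied threshold. The directory layout, file names, and the 30-day renewal window are assumptions for the example.

```shell
#!/bin/sh
# Added example: a minimal certificate expiry monitor built on the openssl CLI.
# Not AppViewX or Google Cloud CAS code; the test certificate below is constructed
# for the demo only.
set -eu

WORKDIR=$(mktemp -d)

# Constructed input: a self-signed certificate valid for 10 days, standing in for
# a short-lived leaf certificate discovered on an endpoint.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 10 \
  -subj "/CN=demo.example.test" \
  -keyout "$WORKDIR/demo.key" -out "$WORKDIR/demo.pem" >/dev/null 2>&1

# cert_status FILE THRESHOLD_DAYS
# Prints EXPIRED if the certificate is already past notAfter, RENEW if it will
# expire within THRESHOLD_DAYS, and OK otherwise. `openssl x509 -checkend N`
# exits 0 when the certificate is still valid N seconds from now.
cert_status() {
  file=$1
  days=$2
  if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
    echo EXPIRED
    return 0
  fi
  if ! openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    echo RENEW
    return 0
  fi
  echo OK
}

# inventory_report DIR THRESHOLD_DAYS
# One tab-separated line per *.pem file: path, subject, notAfter, status.
# This is the "discover and inventory" view a lifecycle tool would produce.
inventory_report() {
  dir=$1
  days=$2
  for f in "$dir"/*.pem; do
    subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    not_after=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
    printf '%s\t%s\t%s\t%s\n' "$f" "$subject" "$not_after" "$(cert_status "$f" "$days")"
  done
}

# Usage: report every certificate in the inventory with a 30-day renewal window.
# The 10-day demo certificate is flagged RENEW.
inventory_report "$WORKDIR" 30
```

In a real deployment the directory would be replaced by whatever discovery produced (endpoint scans, Kubernetes secrets, load-balancer exports), and the RENEW lines would feed the renewal workflow rather than a terminal; the point is that the threshold, not the expiry date itself, is what drives the renewal decision.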
Conclusion
Our partnership with Google Cloud marks the first step in moving towards a next-generation PKI model which requires minimal setup and maintenance, yet provides more benefits to end users than conventional on-premise PKI deployments. SMEs and organizations that require small-scale PKI deployments can realize the benefits of an enterprise-grade PKI and certificate lifecycle management solution at a fraction of the cost, scaled on demand, while also obtaining access to automation, compliance, and complete security. On the other hand, enterprise-grade deployments can benefit from a PKI that is primed to permit rapid growth along with their core technology such as DevOps and IoT. They may also choose to migrate their entire PKI to this cloud-based solution in order to future-proof their PKI and promote flexibility, courtesy of our multi-vendor support.
Our technology is not the only thing that’s next-generation. Users will have the option to pay for only what they use, in an industry-first pay-as-you-go model. This is a marked contrast to on-premise, monolithic PKIs which restrict users to one instance per CA used. This way, teams can start small and grow their infrastructure incrementally, as opposed to having to make large upfront investments for minor initial implementations.
Offloading infrastructure tasks to the cloud and gaining access to an instantly deployable private PKI can have significant business benefits, too. In addition to the considerable savings in terms of time and manpower involved, you’ll realize an incredibly quick time-to-value, overall lower TCO (total cost of ownership), and minimized outages, thanks to AppViewX’s lifecycle management capabilities.
To sign up for the Beta, click here. You can also check out the solution brief for specifics on the integration.