Public key cryptography has proven to be a reliable way to protect networks and data, ensure privacy of critical transactions and communications, and authenticate the digital identity of people and devices. The public key infrastructure relies on certificates that are issued by a Certificate Authority – a public or private entity that is typically hosted on-premises, which validates the identities of transacting parties and binds them to pairs of keys. For years, the system was working just fine – organizations would generate keys and a certificate signing request directly from a device where the certificate would be installed, send it to the CA, which in turn signs it, issues a private key, and returns it. All was well in the datacenter world… and then along came the cloud.
Cloud-native applications are often built using microservices, which changes how certificates are used to express and verify identity. Microservices-based applications are connected through a mesh, and each of these connections – between containers, microservices, virtual machines, etc. – needs to be secured. In addition, a reliable way to prove the identity of each end to the others is required; there is no more reliance on server names, IPs and hardware addresses.
This means that instead of issuing premises-based certificates that are specific to each application and device and typically don’t expire for a year or more, security teams have to generate short-lived certificates on a much more frequent basis – hours instead of years. Moreover, the proliferation of IoT devices and the certificates they require may shift the balance once again, pushing both the number and the complexity of certificate issuances even higher.
As a result, existing on-prem CA solutions fell short of adequately supporting cloud-native applications and the coming IoT wave. It’s a classic example of a technology that was built for the datacenter, and spent years, even decades, organically growing, evolving, and ultimately thriving in these environments. But when thrust into the cloud environment of containers and microservices, it couldn’t deliver the required scalability, availability and ability to seamlessly integrate into modern applications (because it was developed long before modern API interfaces for cloud-native applications were available). What’s worse, the old certificate process will overwhelm the IT ops and security teams, further making the problem worse and the teams even more stressed and mistake-prone.
Some organizations don’t recognize the mismatch between their “tried and true” CA methods and the needs of modern application delivery. They attempt to operate a cloud as a datacenter, basically trying to replicate on-premises operations in the cloud. The most common outcome of this approach is that they wind up experiencing the majority of the cloud-related challenges, and only a fraction of the benefits, having to sacrifice agility, time to market, and ultimately revenue, because the solutions they are attempting to use are not built for cloud speeds. This means that they pack all their old mistakes into their luggage when they move into the cloud, making their cloud journey full of both old and new risks and challenges. They also miss the opportunity to do things more securely, more agilely and in a more optimized way as they migrate.
Some DevOps teams decide that they can’t rely on existing certificate tools, so they set out to develop their own. This of course creates a whole new set of problems, with the PKI team losing control over the certificate infrastructure – they don’t know where certificates reside, how soon they need to be renewed, or even which applications or services they are tied to. And as we all know from the many highly publicized examples of expired certificates causing service outages, this is not the outcome that any company would want to have.
Organizations that built a cloud-native infrastructure from the start are generally faring better, but they too have run into their share of problems with digital certificates. Some have attempted to build their own modern CAs, but even the largest organizations that invest heavily in security quickly realize that they have neither the additional budget nor the expertise to manage the process of issuing certificates on their own.
So, what do you do when you need something but can’t build it yourself? You outsource, of course! And who better to outsource a cloud-native CA service to than your own trusted cloud provider, especially one with both a proven track record and an immense amount of experience securing its own infrastructure – Google.
Ultimately, digital certificates are about securing the infrastructure, and Google already has lots of experience in this area, for example with Kubernetes – distributed cluster technology where the required certificates are generated automatically. Until recently, this was mostly done behind the scenes, but companies needed a way to integrate a CA for both traditional and cloud-native applications, so Google chose to offer a standalone CA service to its customers.
The new CAS builds on Google’s principles of delivering a scalable and highly available service that is available across regions. You can use the service today while it is in beta status. It’s scalable to meet the needs of a modern enterprise, and gives DevOps the speed and agility they need, while allowing the PKI team to maintain control over their security infrastructure and support compliance with regulations that require or imply certificate use. It does so beyond the level offered by any traditional CA in both security and agility.
Furthermore, mature organizations that have developed certificate lifecycle management practices can rely on the new CAS being integrated with the leading CLM solutions. Google CAS supports several partners, including AppViewX.
Shifting PKI management tasks to a cloud services provider is a logical choice for any organization that’s moving forward with its digital transformation projects. Not only does it offer future-fit technology that is scalable, available, reliable and extensible, it can also deliver considerable savings and support growth, while increasing security and compliance.
Sign up to experience a next-gen PKI: Instant deployment, cloud-backed security, certificate lifecycle automation, and more.