In one of their recommendations for effective PKI and identity and access management in the report, Gartner says, “Deploy multiple PKIs and CAs when required, but make sure to govern, monitor and manage their usage. Trust requirements, migration, specialized use-cases, hybrid environments and the lack of out-of-the-box PKI integrations are all drivers for usage of multiple PKIs and CAs.”
This recommendation in itself is an indicator of where the PKI industry is heading – as enterprises adopt hybrid and multi-cloud deployments, core PKI services are getting decentralized. Cloud service providers such as Google Cloud Platform (GCP) and Amazon Web Services (AWS) offer their own CAs. An organization could use Microsoft AD CS for their internal PKI and multiple third-party CAs such as AWS, Azure, Google, DigiCert, Entrust, etc., as public CAs. Choice of CAs can also be on a use-case basis, such as REST API support for DevOps pipeline integrations and provisioning protocol support (ACME, EST, CMP, etc.) for telecom and IoT use cases. It can also rely on the CA’s out-of-the-box support for the organization’s network infrastructure and integrations with existing technologies, such as service mesh, ITSM, secrets manager, and so on.
With multiple PKIs and CAs becoming the norm, the spotlight has now shifted towards the discovery, management, and automation of certificates issued by these CAs. Here’s where security professionals should pay attention: there are vendors that offer lifecycle management, but only for certificates issued by them. In scenarios where an organization uses certificates issued by multiple CAs, such management only adds complexity.
How did CERT+ score against the competition?
CERT+ integrates with all CAs and is CA-agnostic. It provides a single pane of glass to discover, manage, and automate certificates across multiple CAs. Hence, organizations have the flexibility to choose their own CA(s) while enjoying centralized management and automation of their PKI(s). That said, CERT+ provides a PKIaaS offering through its integration with various CAs, so organizations looking to migrate or deploy a PKI+CLM can leverage this integrated offering and thereby deal with a single vendor.
Solution Comparison for PKI and Certificate Management Tools
Now, we discuss some of the critical product capabilities that earned CERT+ its top spot:
Smart Discovery: CERT+ integrates with the enterprise’s DNS and provides IP-based discovery, allowing PKI operators to scan and discover certificates with authenticated and unauthenticated scanning. It also enhances its data with integration to third-party systems.
Plugin-Based Architecture: CERT+ has a next-gen microservices, plugin-based architecture that simplifies deployment in hybrid/multi-cloud autoscale, containerized, and air-gapped environments. The architecture also makes it easy to integrate with new environments and devices, other than the integrations it offers out-of-the-box. CERT+ can be plugged into endpoints that do not support standard protocols and can update their configuration to make them protocol-compliant.
Visual Workflow Automation: CERT+ is the only certificate lifecycle management solution that comes with built-in visual automation. It offers a simple drag-and-drop configuration to define your business process and approval flows. It leverages standards-based protocols (ACME, EST, CMP) to provide automation that spans certificates issued by multiple CAs, even if they don’t support these protocols themselves. This way, CERT+ can support certificate management for diverse workloads and devices such as containers and IoT.
Policy-Based Orchestration: CERT+ offers end-to-end management and orchestration by enabling security professionals to create and implement group certificate policies. Through policy-driven, certificate-aware, protocol-based automation, CERT+ eliminates certificate configuration errors, unplanned certificate expirations, and the resulting outages.
DevOps Support: CERT+ uses standard enrollment protocols and also REST APIs to integrate certificates into DevOps pipelines and manage them. It also integrates with CI/CD tools such as Jenkins, Terraform, and Ansible, enabling developers to request and install certificates from the pipeline.
Key Management: CERT+ provides HSM-backed, full-cycle management of SSH keys and certificates. It also provides symmetric key management through the KMIP (Key Management Interoperability Protocol) by acting as a KMIP server.
Smart Reporting: CERT+ comes with a built-in reporting engine that generates periodic reports on certificate status, along with their location, type, etc. It also offers a simple Build Your Own Report (BYOR) capability with which users can select parameters like cost center or business unit and build reports around them.
Building a Crypto Center of Excellence with Certificate and Key Lifecycle Management
As the report mentions, “It’s not individual ownership of a credential or even a tool that enables an enterprisewide key, secret and certificate management strategy. Instead, it’s well-defined guidelines and best practices. This is an ongoing task that requires a team — a CryptoCoE — that handles it. Technical professionals’ insight into the CryptoCoE is foundational because the devil is in the technical details when it comes to machine identities, secrets, keys and certificates. Use the CryptoCoE to provide guidance on when to set up a new PKI and provide insights on how certificates can be used, how multiple environments can be governed, and when to use what tool in the ongoing convergence. Define ownership of tools, keys, secrets, and certificates respectively. Use the guidance to move the PKI team from an “in the way management” structure to an “delegated management” structure by focusing on the guardrails and policies more than the centralization of tools.”
Source: Gartner, Solution Comparison for PKI and Certificate Management Tools, Erik Wahlstrom et al., 2 March 2021
To read the full report, go to https://www.gartner.com/en/documents/3998822 in Gartner.com(Gartner Subscription Required). To know more about AppViewX CERT+, visit here, or book a free product demo from our experts.