Digital certificates are the foundation for security and digital identity. They authenticate apps, devices, and services and enable encryption in network communication. Typically, enterprises set up a private PKI on-premises to issue and manage certificates that require private trust. But with the growing dominance of cloud-based apps, containerized services, DevOps, and IoT devices, digital certificate volumes have increased exponentially, and there is a renewed focus on enhancing and maintaining private PKI to cater to modern security use cases.
AppViewX is pleased to announce that it has added PKI+, a cloud-based PKI-as-a-Service (PKIaaS), to its portfolio. With this, AppViewX offers a fully managed, automated next-generation PKI-as-a-Service (PKIaaS) together with a Certificate Lifecycle Management-as-a-Service (CLMaaS) solution that takes on the complexity of managing a private PKI.
But why do enterprises need a CLMaaS on top of PKI? And how is using PKIaaS different from traditional PKI?
Let’s apply the analogy of currency to certificates. The federal or central bank in each country has a set of policies and procedures based on which the currency is minted, with security and anti-counterfeiting measures in place. The minted currency is not handed over to the users directly. Instead, it is routed through retail banks, which act as intermediaries and release it for circulation among users based on certain policies, procedures, audits, record-keeping, etc. Banks make it easy and safe for users to access the money through various means such as ATMs and debit cards, after which it can be used for a whole range of transactions or use cases.
If we were to apply a similar approach to PKI, we need a high assurance minter or issuer who, for all intents and purposes, will be kept outside the purview of users. Its job is to mint certificates based on policies, procedures, and the proper security requirements. Then, we have the retail banks – Certificate Lifecycle Management (CLM) systems that handle the verification, validation, end-to-end automation, and issuance processes for certificates. Finally, we have the users that use digital certificates or identities for common use cases such as securing websites, authenticating to VPNs, email security, code or document signing, etc.
Going by the above analogy, the minter or issuer is the core PKI engine that has to be highly secure and scalable, ideally with a pay-as-you-grow model that optimizes TCO (Total Cost of Ownership). Traditional internal PKIs offer security capabilities, but to scale the infrastructure, they have to be pre-provisioned to support the projected growth; none are cloud-native or elastic when it comes to infrastructure or cost.
Here, cloud providers offer a significantly better issuance alternative. AppViewX solves the problems of traditional PKI with its PKI+ offering – a secure, highly scalable, and cost-optimized PKIaaS. With the ability to issue large volumes of certificates and HSM-backed key security, it empowers enterprises with a next-gen PKI.
The benefit of keeping issuance and automation (the mint and the bank) as two separate systems is that the CLM part takes care of all the management and use case support, keeping the PKI itself simple. A CLMaaS should support all legacy and modern use cases, standards-based enrollments such as SCEP, EST, ACME, and CMP, and non-standards-based plugin use cases. It should also cover on-prem, cloud, and IoT systems, the vendors behind them, and their respective use cases.
Every use case has a unique certificate requirement – containers need short-lived certificates that require frequent renewals. IoT devices may use the EST protocol for certificate auto-enrollment. DevOps need certificate enrollment and management to happen from the CI/CD pipeline to match their delivery speeds. Most enterprises have at least a few applications on-premises that may be legacy and will require some manual or custom process.
Amidst these disparities is the pressure to be crypto-agile. Enterprises need to update cryptographic assets, ciphers, and protocols to new standards as and when they are updated to keep their systems and communications secure. Using older protocol versions and algorithms renders networks and systems vulnerable to cyber-attacks and data breaches.
This is where certificate lifecycle management from AppViewX plays a key role: by isolating the PKI from the use cases, it keeps the organization agile enough to migrate between multiple public and private Certificate Authorities (CAs). It interacts with the PKI and distributes the issued certificates to the systems, endpoints, or vendors, irrespective of their type, hosting environment, or supported protocol. The policy-based automation engine smooths out these differences and provides a unified, streamlined process to issue and manage certificates, depending on whether public or private trust is required.
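As an added illustration of the policy-based automation described above (example code written for this page, not AppViewX's own; the record fields, policy thresholds and sample inventory are constructed assumptions), a small policy engine that flags certificates violating a crypto-agility policy and schedules renewals differently for short-lived, standards-enrolled and manually enrolled certificates:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta as td
@dataclass
class CertRecord:  # inventory metadata only, not a parsed X.509 certificate
    subject: str
    not_before: datetime
    not_after: datetime
    sig_alg: str    # e.g. "sha256WithRSA"
    key_type: str   # "RSA" or "EC"
    key_bits: int
    protocol: str   # enrollment protocol: "ACME", "EST", "SCEP" or "manual"
# Crypto-agility policy (assumed thresholds): what the organisation no longer accepts.
WEAK_SIG_ALGS = {"sha1WithRSA", "md5WithRSA"}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
def policy_findings(cert: CertRecord) -> list[str]:
    """Return crypto-policy violations for one certificate (empty = compliant)."""
    findings = []
    if cert.sig_alg in WEAK_SIG_ALGS:
        findings.append(f"weak signature algorithm {cert.sig_alg}")
    if cert.key_bits < MIN_KEY_BITS.get(cert.key_type, 0):
        findings.append(f"{cert.key_type} key too small ({cert.key_bits} bits)")
    return findings
def renewal_due(cert: CertRecord, now: datetime) -> bool:
    """Decide whether the automation engine should trigger renewal now."""
    lifetime = cert.not_after - cert.not_before
    if lifetime <= td(days=30):
        # Short-lived (container-style) certs: renew at two thirds of lifetime.
        threshold = cert.not_before + lifetime * 2 / 3
    else:
        # Longer-lived certs: 30 days lead; 60 for manual (legacy) enrollments.
        lead = td(days=60 if cert.protocol == "manual" else 30)
        threshold = cert.not_after - lead
    return now >= threshold
def plan_actions(inventory: list[CertRecord], now: datetime) -> dict[str, list[str]]:
    # Map each subject to the actions the policy engine should take.
    plan = {}
    for cert in inventory:
        # Non-compliant certs are reissued regardless of remaining lifetime.
        actions = [f"reissue: {f}" for f in policy_findings(cert)]
        if not actions and renewal_due(cert, now):
            actions.append(f"renew via {cert.protocol}")
        plan[cert.subject] = actions
    return plan
NOW = datetime(2024, 6, 15)
# Constructed sample inventory: container cert, legacy manual cert, SHA-1 IoT cert.
SAMPLE_INVENTORY = [
    CertRecord("svc.internal", NOW - td(days=5), NOW + td(days=2), "sha256WithRSA", "EC", 256, "ACME"),
    CertRecord("legacy-app", NOW - td(days=320), NOW + td(days=45), "sha256WithRSA", "RSA", 2048, "manual"),
    CertRecord("sensor-7", NOW - td(days=100), NOW + td(days=265), "sha1WithRSA", "RSA", 2048, "EST"),
]
```

Running `plan_actions(SAMPLE_INVENTORY, NOW)` renews the 7-day container certificate after two thirds of its life, gives the manually enrolled legacy certificate an early lead time, and queues the SHA-1 device certificate for reissue rather than a plain renewal.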
One of the key benefits of using AppViewX PKI+ to support private PKI use cases is that, as a cloud PKI, it can issue certificates both to apps hosted in the cloud, whether on Google Cloud, AWS, or Azure, and to apps hosted on-premises. By providing a unified process that weaves together different CAs, legacy on-prem and cloud services, and next-gen technologies such as containers, IoT, and DevOps, AppViewX PKI+ with CERT+ effectively creates a CryptoMesh. The CryptoMesh, just like a service mesh, has a control plane made up of policies that security administrators configure. Based on these policies, the control plane orchestrates various security operations on endpoints, such as renewing certificates at a set frequency, auto-enrolling certificates when a new device is added to the mesh, brokering access privileges between services, etc.
If you are exploring options to migrate your traditional PKI to a next-generation PKIaaS, talk to us for a free consultation on best practices, migration steps, and how AppViewX can help you streamline the migration and quickly have you issuing certificates.