Digital certificates are the foundation of security and digital identity. They authenticate apps, devices, and services and enable encrypted network communication. Traditionally, enterprises set up a private PKI on-premises to issue and manage these certificates. But with the growing dominance of cloud-based apps, containerized services, DevOps, and IoT devices, certificate volumes have grown sharply, and there is renewed focus on enhancing and maintaining private PKI to serve modern use cases.
AppViewX is pleased to announce it is adding Google Cloud Certificate Authority Service (CAS) to its PKI portfolio. With this, AppViewX offers a fully managed, automated Next Generation PKI-as-a-Service (PKIaaS) + Certificate Lifecycle Management-as-a-Service (CLMaaS) solution that abstracts all the complexity of managing a private PKI.
But why do enterprises need a CLMaaS on top of PKI? And how is PKIaaS using Google Cloud CAS different from traditional PKI?
Let’s apply the analogy of currency to certificates. The federal or central bank in each country has a set of policies and procedures based on which the currency is minted, with security and anti-counterfeiting measures in place. The minted currency is not handed over to the users directly. Instead, it is routed through retail banks, which act as intermediaries and release it for circulation among users based on certain policies, procedures, audits, record-keeping, etc. Banks make it easy and safe for users to access the money through various means such as ATMs and debit cards, after which it can be used for a whole range of transactions or use cases.
If we were to apply a similar approach to PKI, we need a high assurance minter or issuer who, for all intents and purposes, will be kept outside the purview of users. Its job is to mint certificates based on policies, procedures, and the proper security requirements. Then, we have the retail banks – Certificate Lifecycle Management (CLM) systems that handle the verification, validation, end-to-end automation, and issuance processes for certificates. Finally, we have the users that use digital certificates or identities for common use cases such as websites, VPN, email security, code or doc signing, etc.
Going by the above analogy, the minter or issuer is the core PKI engine. It has to be highly secure and scalable, ideally with a pay-as-you-grow model that optimizes TCO (Total Cost of Ownership). Traditional PKIs offer the security capabilities, but to scale they must be pre-provisioned for projected growth; they are generally neither cloud-native nor elastic in infrastructure or cost.
Here, cloud providers offer a significantly better issuance alternative. Google Cloud solves the problems of traditional PKI with its CAS offering – a secure, highly scalable, and cost-optimized issuer. With the ability to issue millions of certificates and HSM-backed key security, it empowers enterprises with a next-gen PKI.
The benefit in keeping issuance and automation (the mint and the bank) as two separate systems is that the CLM part takes care of all the management and use case nitty-gritty, keeping the PKI itself simple. When considering CLMaaS capabilities, it should be able to support all legacy and modern use cases, standards-based enrollments like SCEP, EST, ACME, CMP, etc., and non-standards-based plugin use cases. It should also support on-prem, cloud, and IoT vendors, use cases, and systems.
Every use case has unique certificate requirements. Containers need short-lived certificates and therefore frequent renewals. IoT devices may use the EST protocol for automated enrollment. DevOps teams need enrollment and management to happen from the CI/CD pipeline to keep pace with delivery. And most enterprises have at least a few on-premises applications, often legacy, that will require some manual or custom process.
Amidst these disparities is the pressure to be crypto-agile. Enterprises need to move cryptographic assets, ciphers, and protocols to new standards as those standards change, ideally without re-engineering every consuming system. Continuing to use outdated protocol versions and algorithms leaves networks vulnerable to attack and data breach.
This is where AppViewX plays a key role by isolating the PKI from the use cases, thereby keeping the organization agile to migrate to multiple issuers. It interacts with the PKI and distributes the issued certificates to the systems, endpoints, or vendors, irrespective of their type, hosting environment, or supported protocol. The policy-based automation engine smoothes out differences and provides a unified, streamlined process to issue and manage certificates.
One of the key benefits of using AppViewX PKIaaS to abstract private PKI from use cases is that a cloud PKI can be made to issue certificates to on-premises apps and to apps hosted on other clouds. In this case, Google CAS can issue certificates not only to apps running on Google Cloud but also to apps hosted on-premises, in AWS, or in Azure through PKIaaS. By providing a unified process that weaves together different CAs, legacy on-prem and cloud services, and next-gen technologies such as containers, IoT, and DevOps, AppViewX effectively creates a CryptoMesh. The CryptoMesh, like a Service Mesh, has a control plane made up of policies that security administrators configure. Based on these policies, the control plane orchestrates security operations on endpoints, such as renewing certificates at a set frequency, auto-enrolling certificates when a new device is added to the mesh, brokering access privileges between services, etc.
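To make the "policy-based control plane" concrete, here is an added example (not AppViewX product code, and not Google Cloud CAS code) of the kind of policy evaluation a certificate lifecycle manager runs over its inventory: it applies the crypto-agility checks from the passage above (signature algorithm, key size), enforces per-use-case validity limits (short-lived container certificates versus longer IoT and web certificates), and computes when each certificate is due for renewal. The policy values, the use-case labels, and the certificate records are assumptions constructed for illustration, not real certificates.

```python
# Added example: a minimal policy evaluator of the kind a certificate
# lifecycle control plane runs over its inventory. It is not AppViewX or
# Google Cloud CAS code; the policy values and the certificate records are
# assumptions constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy. Validity limits per use case reflect the point that
# containers want short-lived certificates while IoT and web certs live longer.
POLICY = {
    "allowed_sig_algs": {
        "ecdsa-with-SHA256", "ecdsa-with-SHA384", "sha256WithRSAEncryption",
    },
    "min_rsa_bits": 2048,
    "max_validity_days": {"container": 1, "iot": 365, "web": 397},
    # Renew once this fraction of the certificate's lifetime remains.
    "renew_at_fraction": 1 / 3,
}


@dataclass
class CertRecord:
    subject: str
    use_case: str       # container | iot | web (assumed labels)
    sig_alg: str        # signature algorithm name as parsed from the cert
    key_type: str       # "RSA" or "EC"
    key_bits: int
    not_before: datetime
    not_after: datetime


def renewal_due_at(cert: CertRecord, policy: dict) -> datetime:
    """Point in time at which the control plane should trigger renewal."""
    lifetime = cert.not_after - cert.not_before
    return cert.not_after - lifetime * policy["renew_at_fraction"]


def evaluate(cert: CertRecord, policy: dict, now: datetime) -> list:
    """Return the actions the policy requires for one certificate.

    Crypto-agility checks (signature algorithm, key size) produce a reissue
    action; lifetime checks produce reissue, renew, or expired. No findings
    is reported as ["ok"].
    """
    actions = []
    if cert.sig_alg not in policy["allowed_sig_algs"]:
        actions.append("reissue:weak-signature")
    if cert.key_type == "RSA" and cert.key_bits < policy["min_rsa_bits"]:
        actions.append("reissue:weak-key")

    lifetime = cert.not_after - cert.not_before
    max_days = policy["max_validity_days"].get(cert.use_case)
    if max_days is not None and lifetime > timedelta(days=max_days):
        actions.append("reissue:validity-too-long")

    if now >= cert.not_after:
        actions.append("expired")
    elif now >= renewal_due_at(cert, policy):
        actions.append("renew")
    return actions or ["ok"]


def run_policy(inventory, policy, now):
    """Evaluate every record; returns {subject: [actions]}."""
    return {c.subject: evaluate(c, policy, now) for c in inventory}


# Constructed sample inventory (not real certificates). NOW is fixed so the
# example is deterministic.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
D = timedelta
INVENTORY = [
    # 24h container cert with 4h left: within limits, but due for renewal.
    CertRecord("svc-a.cluster.local", "container", "ecdsa-with-SHA256", "EC", 256,
               NOW - D(hours=20), NOW + D(hours=4)),
    # IoT device cert still signed with SHA-1: fails the crypto-agility check.
    CertRecord("sensor-0042", "iot", "sha1WithRSAEncryption", "RSA", 2048,
               NOW - D(days=100), NOW + D(days=265)),
    # Legacy on-prem web cert: 1024-bit RSA, two-year validity, nearly expired.
    CertRecord("intranet.example.internal", "web", "sha256WithRSAEncryption", "RSA", 1024,
               NOW - D(days=700), NOW + D(days=30)),
    # Cert the automation missed entirely.
    CertRecord("old.example.com", "web", "ecdsa-with-SHA384", "EC", 384,
               NOW - D(days=91), NOW - D(days=1)),
]

if __name__ == "__main__":
    for subject, actions in run_policy(INVENTORY, POLICY, NOW).items():
        print(f"{subject:28} {', '.join(actions)}")
```

Renewal is scheduled as a fraction of lifetime rather than a fixed number of days so that the same policy works for a 24-hour container certificate (renew with 8 hours left) and a one-year device certificate (renew with about four months left); a real control plane would feed the resulting actions to the enrollment protocol each endpoint supports (ACME, EST, SCEP, or a custom plugin).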
If you are exploring options to migrate your Traditional PKI to Next Generation PKIaaS or Google CAS, talk to us to get a free consultation on the best practices, steps, and how AppViewX can help you with the migration.