PKI: To Build Or To Buy?

PKI has come a long, long way. It has gone from being simply about installing an SSL certificate or two to being involved with every type of technology in order to authenticate devices, encrypt communications, and protect digital identities. By extension, this means almost every organization in the world has a PKI system and holds anywhere from several hundred to hundreds of thousands of digital certificates on file. It’s not just for securing websites anymore – certificates are being deployed to sign outgoing code, to protect IoT devices from being hijacked, to secure cloud-based environments against attacks, and so on. It has become amply clear that PKI needs to evolve at a rapid pace to keep up with the technology it protects – it can never be a set-and-forget system.

Catalysts: Why do I need to rebuild my PKI?

The fact remains that several PKI systems have scaled on an ad-hoc basis, having been established on legacy infrastructure – with improvements being jury-rigged onto the archaic technology they were built upon. In the long run, makeshift improvements and on-the-fly management techniques will prove to be lethal to organizations. Cryptographic algorithms and protocols continue to be phased out as new ones are developed (the deprecations of the SHA-1 algorithm and TLS 1.0 are shining examples of this phenomenon), and enterprises need to be cryptographically agile in order to ensure that their PKI stays relevant in the face of rapid technological evolution, with factors including chip speed, quantum computing, AI, and machine learning.

A common problem security leaders face today is the modernization of their PKI as they continue to add IoT devices, cloud computing, blockchain technology, and other cutting-edge innovations to their infrastructure. They want to ensure that their PKI can scale when new applications, devices, and environments are introduced. For the reasons discussed above, this proves to be a futile task, and the PKI ends up requiring an overhaul and reconstruction in order to keep up with the rest of their technology upgrades. Likewise, after a redesign, one would have to ensure regular maintenance of the PKI, such that the security team doesn’t end up with an outdated or weak infrastructure again.

Control Your Certificates Before They Go Rogue!

Leaders who need to revamp their PKI (or, for that matter, teams looking to implement a structured PKI for the first time) have to identify a few key areas of focus – the building blocks of a powerful public key infrastructure, if you will. Some of them include:

The cost of change: PKI is often interwoven into several other interconnected systems. Identifying the overheads as well as the associated, indirect costs is a crucial first step. Leaders must analyze the costs of building it from scratch, or purchasing turnkey solutions that can do an equally good job. What’s more, a managed PKI service or a PKI management vendor could completely eliminate future maintenance costs. More on this below.

Complexity and flexibility: Given that PKI is an interconnected, cross-departmental system, it must not be rigid and complex. A simple infrastructure which can plug into other security systems, and integrate with popular solution providers, would go a long way in reducing manual effort involved with PKI management.

Scalability: If you’re revamping your PKI because it’s become obsolete, you need to ensure that you don’t run into the same conundrum five years later. Your PKI has to possess the ability to scale and adapt to changing technology – and also allow future developers to modify any underlying code to keep up with the times.

Business continuity: An invalid certificate could cause huge losses due to website downtime, and that’s just one example. There is a pressing need for defined mechanisms that eliminate delays for certificate tasks, such as renewals – a failed renewal could result in outages of an entire web domain. Which brings us to…

Automation: When PKI management can be automated, it not only saves massive amounts of time, but also removes the human error factor. Look for a system that can automate tasks such as certificate renewals, installations, and discovery, besides other activities such as key rotation. It is important to give preference to automation tools that rely on visual, GUI-based automation, rather than ones that require specialists to hard-code automation workflows into the system.

The big question – build or buy?

For small organizations with a relatively small scope of operations (<50 employees, limited online transactions, few servers and devices, not spread across geographies), an internal team should be able to do the job. They’d have to gather business requirements and organizational goals, and carry out the design and implementation of their PKI in a phased manner. Given fewer interdependent systems and the lower risk posed by downtime, setting up certificate and key systems from scratch would be a feasible project that could be completed in a few months at most.

However, for large organizations spanning multiple areas of operations and possessing thousands of servers and connected devices that require protection, building a new PKI from scratch might take anywhere from several months to years. There would also be the lingering concern of causing downtime for the systems under renovation or development, which could impact business continuity. Overall, the return on investment on purchasing a PKI management system versus building one might be a lot higher. You’d also be able to accelerate the deployment of the project if you choose the right vendor (especially if the vendor supports cloud-hosted PKI systems).

If you’re a large organization, or one looking to scale upwards in terms of people, processes, and digital assets, it would be in your best interest to get in touch with a vendor who can help you assess and set up a system to manage PKI, certificates, keys, HSMs, and more. You could choose to go with a certificate lifecycle management service, which is a system that helps unify, automate, and abstract the management of all certificate and key lifecycles, while also helping you integrate with other solutions such as ITSM, HSM, and IAM services. Or, you could consider PKI-as-a-service (PKIaaS), where a vendor would help set up a PKI from scratch, right from requirements gathering, to integrations, to deployment.

If your budget permits it, you could leverage both a certificate lifecycle management platform and a PKIaaS, and gain an all-around modern PKI system that can handle your security needs for years to come.

To better understand cloud-hosted/on-premise certificate lifecycle management systems, sign up for a 30-minute AppViewX demo. If you’d like to learn more about PKI-as-a-service, check out encryptionconsulting.com

About the Author

Allan Roy

Product Marketing Manager - AppViewX CERT+
