Building the Business Case for a Cloud-First PKI Strategy

essidsolutions

Emerging use cases, complex security threats, and distributed workforces have IT and security leaders evaluating their organization’s current infrastructure and how well it balances cost against risk. Keyfactor’s chief security officer Chris Hickman explains how Public Key Infrastructure (PKI) has emerged as a secure mechanism to support scale and distributed architecture, and to safeguard the connected devices that workforces relied on to stay productive while working remotely.

Last year, organizations pushed the limits of their business continuity and infrastructure frameworks. The same year also brought an unprecedented level of cyberattacks that led to massive breaches.

Public Key Infrastructure (PKI) is a core mechanism in enterprise security – an IT building block used to protect networks, sensitive data, and a growing number of API-connected services. It is a proven technology that businesses use to establish trust.

Over the last few decades, PKI has evolved from its early use for trusted website identity into a modern-day, cryptography-based solution that secures everything from connected devices to DevOps processes. The explosion of machine identities using digital keys and certificates, the increased risk that comes with shorter identity lifespans, and evolving cryptography standards are just a few of the factors driving its continued evolution.

PKI is Getting Harder

Protecting the organization with minimal overhead for security and IT teams is a challenging balance. In practice, the modern era of PKI is complex because of the growing scale of devices and machine identities, the speed at which they are created, and the unique challenges of supporting and securing those identities at scale as more workloads move to the cloud.

This complexity often leads to costly mistakes when organizations introduce PKI, such as poor planning and design, insufficient training or expertise, unprotected root CAs and private keys, and improper certificate lifecycle planning. Avoiding these mistakes means your organization must seriously consider whether it can effectively run a PKI program in-house, which brings us to the build versus buy debate.


Build Versus Buy

A PKI deployment and its day-to-day management take a significant amount of human and capital investment. If you’re considering an on-premises hosted PKI program, you’ll need to account for specific needs and costs like these:

  1. Deployment costs: If you’re starting from scratch, deployment costs quickly rack up thanks to specialized PKI consultancy services, initial deployment, and document creation.
  2. Labor Costs: When building a PKI program in-house, it’s important to find and retain skilled PKI staff and administrators who can support the program through deployment and manage it daily.
  3. Infrastructure costs: On-premises PKI infrastructure falls into two buckets: hardware security and software security. You must account for considerations like high-security data centers to house root CAs, biometric controls for those data centers and their security personnel, and other infrastructure such as environmental requirements and safeguards.
  4. Hardware and software costs: To deploy an on-premises PKI you’ll need to consider server software, hardware security modules (HSMs) and annual vendor support contracts.


Meanwhile, outsourced cloud-based PKI is an alternative for companies looking to balance cost against risk. Cloud-hosted PKI allows for increased security, often at higher levels than can be managed internally, and at a lower cost than an on-premises PKI program.

  • Deployment costs: Outsourced PKI, or PKI-as-a-Service (PKIaaS), offers a PKI program that is deployed in the cloud and managed by a team of experts. The traditional costs associated with PKI deployment are radically reduced: rather than upfront and ongoing expenses, businesses adopting PKIaaS pay a monthly service fee.
  • Labor costs: With program management offloaded to a reputable PKIaaS vendor, in-house PKI teams can focus less on backend maintenance and more on proactive security and business priorities.
  • Infrastructure costs: PKIaaS eliminates many of the infrastructure requirements of an on-premises program, offsetting hardware and software costs.
  • Streamlined integration: Cloud-hosted PKI can easily integrate and scale with DevOps toolsets and infrastructure. On the security side, PKIaaS operates according to industry best practice and compliance requirements, reducing and mitigating the risks commonly associated with a PKI program.

Regardless of which PKI model you choose, ensure it meets your critical infrastructure, cloud infrastructure, compliance, operations, implementation, and delivery criteria. When evaluating your options, be sure to:

  • Maintain control of your root CA and key material (do not relinquish that control)
  • Avoid shared infrastructure and multi-tenant environments
  • Avoid standalone managed PKI (MPKI) – look for certificate management included
  • Avoid costly per-certificate pricing models
  • Ensure in-depth PKI expertise

In Conclusion

Cloud PKI provides clear benefits, reducing costs and overall risk. Yet it does represent a change, and it could cause many organizations to question whether the move is right for them. The best way to evaluate whether cloud PKIaaS is right for your organization is to consider where you currently fall on the cost versus risk scale. For example, does your organization make security compromises that reduce protection in order to meet lower cost requirements? If so, then it is worth investigating whether cloud-hosted PKI is a better fit for your environment.

Let us know your thoughts in the comment section below or on LinkedIn, Twitter, or Facebook. We would love to hear from you!