Public Key Infrastructure management: removing complexities with PKI-as-a-Service
How can a cloud-based PKI-as-a-Service (PKIaaS) remove the complexities of Public Key Infrastructure (PKI) management? FinTech Futures spoke to Mrugesh Chandarana, director of product management for PKI/IoT at HID Global, about the benefits and what needs to be considered by financial services firms when adopting this model.
Today, a person’s digital identity has become their passport for access to real and virtual space as well as a tool to complete in-person and online transactions. To safeguard customer trust, financial institutions must be future-ready: combating cyber threats and protecting the integrity of client data in real time while creating a safe working environment for employees and customers alike. Layered authentication and out-of-band authentication solutions ensure that every online, mobile and onsite transaction is trusted and verified.
PKI plays a significant role in keeping organisations and their users and devices safe. However, it also comes with significant administration challenges.
As a foundational security technology implemented for decades, Public Key Infrastructure (PKI) is already deployed in most enterprise IT infrastructures. However, the ongoing management and maintenance of an in-house PKI deployment can be difficult and can require dedicated, skilled staff – adding to overall security costs.
And yet PKI doesn’t have to be difficult. PKI-as-a-Service (PKIaaS) solutions – hosted in the cloud, managed by external vendors and delivered through a SaaS portal – enable organisations to outsource the complexities of PKI while retaining visibility and control. However, not all PKIaaS solutions offer the same levels of trust and protection.
If your financial institution is looking to implement Zero Trust architecture or simplify PKI operations, cloud-based PKI is a great fit. Here’s what you should know:
How can PKI help you implement Zero Trust architecture?
Zero Trust architecture means no resource is inherently trusted, whether it is connecting within or outside of the enterprise network. All the users’ and devices’ connections to the enterprise network should always be authenticated and all traffic must be encrypted. PKI is the foundational technology for implementing Zero Trust architecture, as it validates the identity of the users or devices for authentication and encrypts all communication in transit or at rest.
Are you struggling to manage your PKI in-house?
Let’s admit that implementing PKI in-house is very complex and requires significant resources and expertise to manage. As you expand the use cases for PKI, the in-house PKI can quickly become overburdened and slow to react. Meanwhile, the business or organisation becomes more dependent on the PKI for its day-to-day operations, increasing the need for greater operational resiliency. On the other hand, cloud-based PKIaaS takes away all the complexity of managing in-house PKI and provides better operational resiliency, scalability and risk reduction at a lower cost.
Are you fearful of losing control when you move your PKI infrastructure to the cloud?
Organisations in regulated verticals such as financial services are not able to outsource the control of their security infrastructure such as in-house PKI. The private key for the root certificate authority is a key to the kingdom, and it is always scary to outsource the control of the private keys. HID Global understands the concerns and has designed a one-of-a-kind PKIaaS offering that allows you to outsource the complexity of the PKI while retaining control of your private keys. HID PKIaaS not only provides best-in-class security measures to protect the private keys but also supports “Bring Your Own Root” and “Take It With You Root” CA programmes that enable flexibility for PKI implementation. With HID PKIaaS, the organisation is in full control while outsourcing the operation.
What should you keep in mind when choosing a PKIaaS provider and what should you expect from your provider?
The first and foremost important aspect of PKIaaS is the control of the private keys, so make sure that the solution provider can support easy migration from your existing PKI infrastructure by offering “Bring Your Own Root” and “Take It With You Root” CA programmes. The solution provided should be scalable for the future, operational in days with a guaranteed SLA, built on geographically dispersed infrastructure, and customisable to your needs. Also, it is important that providers can support both public and private trust certificates through a single platform and offer you the flexibility to choose multiple public trust providers for crypto-agility.
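As an added illustration of the root-retention model the two answers above describe (example code written for this page, not HID’s code and not a description of how its service is implemented): the organisation keeps its root key, signs a single issuing CA for the provider, and relying parties trust nothing but that root, so a CA the root never signed cannot produce accepted certificates. It uses only the Go standard library; the CA names, serial numbers and device name are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// caTemplate builds a CA; pathLen 0 means it may issue only end-entity certificates, never sub-CAs.
func caTemplate(cn string, serial int64, pathLen int) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// sign issues tmpl for public key pub with the parent's private key (parent == tmpl: self-signed root).
func sign(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}
func chainsToRoot(leaf, issuing, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuing)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}) // relying party: trust only the organisation's root
	return err == nil
}

// Demo models Bring Your Own Root: the organisation keeps the root key and signs exactly one issuing CA for the provider.
func Demo() (providerLeafTrusted, foreignLeafTrusted bool) {
	rootKey, rootTmpl := newKey(), caTemplate("Example Bank Root CA (constructed)", 1, 1) // key stays with the organisation
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	issKey, foreignKey := newKey(), newKey() // issKey is generated and held by the PKIaaS provider
	issuing := sign(caTemplate("PKIaaS Issuing CA (constructed)", 2, 0), root, &issKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "laptop-0001"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	leaf := sign(leafTmpl, issuing, &newKey().PublicKey, issKey)
	foreignTmpl := caTemplate("Unrelated CA (constructed)", 4, 0) // e.g. a provider-owned root nobody delegated to
	foreign := sign(foreignTmpl, foreignTmpl, &foreignKey.PublicKey, foreignKey)
	return chainsToRoot(leaf, issuing, root), chainsToRoot(sign(leafTmpl, foreign, &newKey().PublicKey, foreignKey), foreign, root)
}
```

Because the issuing CA carries a zero path-length constraint, the provider can issue device certificates but cannot create further sub-CAs without the organisation's root signing them.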
How do you navigate rolling out cloud-based PKI when you already have PKI in-house?
It would depend upon the complexity of your use case, environment, and availability of your staff to collaborate with the solution provider. Typically, it would take a few days to be operational with cloud-based PKI providers and roll out certificate lifecycle automation. For example, if your current deployment is a Microsoft CA-based implementation, a cloud-based PKI can be integrated with existing infrastructure by deploying an intermediate proxy. However, if your PKI deployment consists of complex use cases, then you may need to implement multiple protocols and connectors, which your cloud-based PKI provider will be able to assist you with.
About HID Global
HID Global powers the trusted identities of the world’s people, places and things, allowing people to transact safely, work productively and travel freely. Part of the ASSA ABLOY Group, HID Global is headquartered in Austin, TX, with over 4,000 employees and international offices that support more than 100 countries.
Visit www.hidglobal.com