Bringing PKI to the Cloud May Be Easier than You Think—And Already Happening
Most cybersecurity professionals are familiar with public key infrastructure (PKI) as it relates to creating and managing digital identities for people, platforms and devices across an enterprise. That increasingly includes building or outsourcing PKI within the cloud.
“We have always consumed PKI in the cloud, we just haven’t called it that because we have gone out and bought SSL certs that are publicly-rooted from the vendors,” explained Chris Hickman, the chief security officer for PKI-as-a-service provider Keyfactor, during an (ISC)2 roundtable discussion. “If we look at the history of certificates and how they were used, one could easily argue that PKI was actually one of the first applications in the cloud, by virtue of needing a certificate to protect my e-commerce website or my website. In general, that was what I did: I went out and bought a cert. That cert was from somebody who was providing PKI in the cloud. It is actually not a new concept.”
Maybe it’s not a new concept, but the idea of bringing privately-rooted PKI into the cloud is. This is of particular interest as more organizations move popular workloads, such as email, into the cloud.
“Privately-rooted PKI has certainly become one of those candidates because of the scale that cloud offers, because the security controls in cloud are generally very hard to replicate in an organization, and a lot of these are running on commercial server platforms that are designed and scaled to run well in cloud,” Hickman said.
“So, the move to cloud has come as a result of a lack of skills in the organization, a lack of designated ownership for the infrastructure in the organization, and knowledge and understanding that the organization is moving its critical assets into the cloud,” he continued. “They start looking for vendors and providers that can replicate great operations and great onsite security, but in a cloud basis. And that is one of the current trends that is happening across organizations: How can I move my PKI into the cloud, and get as good, if not better, results than doing it on-prem?”
Scott Stephenson, senior manager and PKI architect at Cognizant, agrees with Hickman that PKI was among the first applications to go into the cloud. From his perspective, PKI on premises and inside the cloud is drastically different.
“Even in the cloud you have to have good certificate lifecycle management; you have to have good processes,” he said. “Because if you’re going to leverage, say, a private CA in the cloud, how are you going to protect that? How are you going to leverage that going forward and make sure that nobody gets ahold of that and can issue maliciously?”
Stephenson has worked in PKI for more than two decades and sees more similarities than differences between PKI processes operating in the cloud and on-prem. For instance, keys need to be protected in the same way, and more client-to-server authentications can be expected.
“Whether you’re in the cloud, whether you’re out of the cloud—if you’re managing a PKI service, you have to have good certificate lifecycle management,” he maintained. “I have seen places where folks have gotten certificates and then they want to add a SAN, or they lost the private key or this or that. They think they lost the private key and they get another certificate, and the next thing I know, I look in there from an audit perspective, I see eight certificates with the same common name and they are all still valid, but they only need one.”
That’s where a solid certificate management process pays off. There need to be written, and followed, procedures that cover how to replace, renew or revoke a certificate, as well as how to deal with expired certificates.
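The audit Stephenson describes, several still-valid certificates for one common name and expired ones nobody cleaned up, is easy to automate once an inventory exists. The following is an added example, not tooling from Keyfactor or Cognizant; the inventory records are constructed, and in practice they would come from a CA database, a certificate-management export or an endpoint scan.

```python
"""Audit a certificate inventory for common lifecycle problems.

Hypothetical helper (not from the article or either vendor). Each record is
(serial, common_name, not_after, revoked); the sample data below is constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample inventory illustrating the patterns described in the text.
INVENTORY = [
    ("01", "mail.example.com", date(2025, 3, 1), False),
    ("02", "mail.example.com", date(2025, 9, 1), False),   # re-issued to add a SAN
    ("03", "mail.example.com", date(2025, 10, 1), False),  # "lost" key, ordered again
    ("04", "mail.example.com", date(2024, 1, 1), False),   # expired, never cleaned up
    ("05", "www.example.com", date(2025, 6, 15), False),
    ("06", "www.example.com", date(2025, 7, 1), True),     # properly revoked
    ("07", "vpn.example.com", date(2024, 12, 30), False),  # expired
]


def audit(inventory, today, warn_days=30):
    """Return duplicate valid certs per CN, expired certs, and certs expiring soon."""
    valid_by_cn = defaultdict(list)
    expired = []
    expiring = []
    for serial, cn, not_after, revoked in inventory:
        if revoked:
            continue  # already handled by the revocation process; nothing to flag
        if not_after < today:
            expired.append(serial)  # still in the inventory: candidate for cleanup
            continue
        valid_by_cn[cn].append(serial)
        if not_after - today <= timedelta(days=warn_days):
            expiring.append(serial)  # renewal should already be scheduled
    # More than one valid certificate for a CN usually means uncontrolled re-ordering.
    duplicates = {cn: s for cn, s in valid_by_cn.items() if len(s) > 1}
    return {"duplicates": duplicates, "expired": expired, "expiring": expiring}


if __name__ == "__main__":
    report = audit(INVENTORY, date(2025, 2, 10))
    for cn, serials in report["duplicates"].items():
        print(f"{cn}: {len(serials)} valid certificates, only one is needed -> {serials}")
    print("expired but still in inventory:", report["expired"])
    print("expiring within 30 days:", report["expiring"])
```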
“In my 20 years of doing this, that has been the nemesis that I have had to deal with,” Stephenson said. “I have gone in and seen where there are so many certificates that are still open. They don’t even know. You will have two different people ordering certificates for the same common name, and they don’t even know the other person did it. And now that you have them out there, what risk could that present to you?”
Hickman agrees that certificate management is hugely important, no matter where PKI is deployed.
“If tomorrow somebody turned around and said to you, ‘I need to replace certificates because of a breach or because of a depreciation in crypto or something like that,’ how well suited are you to undertake that task? And therein lies the art of effective use of certificates,” he said.
He then added: “The deployment, the setup, the initial issue is only part of the problem, and if that is where the thinking stops, then the organization is likely not going to be successful with PKI. The burden of managing those certificates in the enterprise will exceed the ability of the resources to do it, which then becomes very costly and painful to the organization.”