Cloud Managed vs. On-premises Public Key Infrastructure (PKI)

Public Key Infrastructure, or PKI, provides businesses with a collection of mechanisms that secure the connections between linked devices and services. A well-designed PKI helps build trust in the system and allows for an increased level of integrity and security. As systems become more complex and the number of connections increases, so does the importance of a well-built and secure PKI. PKI systems provide identity management that improves collaboration in the digital space, secures communications and authenticates devices so that only the right people have access to specific data and services.

As with almost all other IT technologies, PKIs are increasingly migrating to the cloud, and opinions are divided as to which is better: on-premises or cloud-managed PKI. When cloud-based services were just getting started, there was a lot of mistrust in the technology, and the conventional wisdom of the time was that there was no security like traditional, on-premises, built-from-scratch infrastructure. Cloud-based security, however, is becoming more and more reliable, and this has seen many companies shift to cloud-hosted PKI infrastructure-as-a-service. There is no magic bullet, and both approaches have their strengths and weaknesses.

On-premises PKI

On-premises PKI, also known as in-house certificate management, means that only the internal tech team is responsible and accountable for installing, issuing, verifying and renewing security certificates. This requires significant dedicated manpower, and can cause bottlenecks when there are multiple instances of expired, corrupted or lost certificates. This is quite common, and usually demands immediate attention and action that can throw off the intended workflow for that day.

On-premises PKI solutions do offer a superior level of control, but they are also extremely resource intensive, especially if the business in question is large. Such a business must manage the life cycle of thousands of client certificates, which can be a challenge even for the most experienced security teams. There are a few key challenges to consider when opting for in-house PKI. Among the most common are the sheer operational capacity and complex infrastructure needed to support PKI, as well as maintenance and licensing costs. Complications can also arise if the business needs to scale up, or to merge with other systems that are often not compatible. This can require complicated integration procedures that are time and resource consuming.

One of the most common misconceptions is that on-premises PKI management is always the most cost-effective solution. While this is true for smaller businesses that have relatively few dependencies and require a less complex security system, it can prove too expensive for large and intricate systems. One scenario where on-premises PKI might be the only option is if an enterprise needs to fulfill strict industry compliance standards, or has its own stringent data protection and security policies. All too often, companies simply lack the expertise, skills and manpower to deploy an on-premises PKI system effectively.

Cloud Managed PKIs

Generally speaking, most major cloud providers nowadays provide high levels of security and reliability. This has led to increased trust in cloud security, and companies are less reluctant to trust the cloud with their sensitive and confidential data. Cloud solutions are well suited to organizations that lack the expertise and resources needed to set up their own PKI from scratch. Outsourcing this undertaking to specialist cloud-based providers means that employees can focus on their day-to-day operations without worrying about the company's security infrastructure.

Cloud-based PKI infrastructure-as-a-service relies heavily on automating client certificate lifecycles. What's more, cloud solutions often come with dedicated support systems and personnel, as well as distributed systems that can handle increased traffic. This scalability is particularly appealing to enterprises that are going through, or expecting, explosive growth. Another useful feature of cloud-managed PKIs is the customizable dashboards that make certificate management less time consuming and more efficient.
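The bottleneck described under on-premises PKI (expired certificates demanding same-day attention) and the lifecycle automation mentioned here both come down to one routine job: knowing, before it hurts, which certificates are about to lapse. The following is an added example, not code from the original article or any provider it discusses. It parses the Validity field of DER-encoded X.509 certificates with a minimal standard-library ASN.1 walker and flags those expired or inside a renewal window. The inventory is constructed inline from unsigned certificate skeletons (`constructed_cert`, a hypothetical helper) so it runs offline; the parser itself walks the real RFC 5280 TBSCertificate layout and works unchanged on DER from a production CA.

```python
"""Certificate-expiry inventory check (added example, standard library only)."""
from datetime import datetime, timedelta, timezone


# --- minimal DER reader: enough to reach the Validity field -----------------

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the TLV at pos."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long-form length: next N bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend, pos = _read_tlv(buf, pos)
        yield tag, vstart, vend


def _parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert_start, cert_end, _ = _read_tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs_start, tbs_end = next(_children(der, cert_start, cert_end))  # tbsCertificate
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:               # optional [0] version; drop it so indexes are stable
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, v_start, v_end = fields[3]
    not_before, not_after = [_parse_time(t, der[s:e]) for t, s, e in _children(der, v_start, v_end)]
    return not_before, not_after


def expiring_within(inventory, now, window_days=30):
    """Return [(name, days_left)] for certificates already expired or expiring within the window."""
    cutoff = now + timedelta(days=window_days)
    flagged = []
    for name, der in inventory.items():
        _, not_after = certificate_validity(der)
        if not_after <= cutoff:
            flagged.append((name, (not_after - now).days))   # negative days = already expired
    return flagged


# --- constructed sample inventory (not real or signed certificates) ---------

def _tlv(tag, value):
    """DER-encode one tag/length/value triple (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def constructed_cert(not_before, not_after):
    """Hypothetical helper: an unsigned Certificate skeleton with the real TBS field order.
    Name/algorithm/key fields are empty placeholders; only Validity carries data."""
    placeholder = _tlv(0x30, b"")
    utc = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                  # [0] version v3
               + _tlv(0x02, b"\x01")                            # serialNumber
               + placeholder                                    # signature AlgorithmIdentifier
               + placeholder                                    # issuer Name
               + _tlv(0x30, utc(not_before) + utc(not_after))   # validity
               + placeholder                                    # subject Name
               + placeholder)                                   # subjectPublicKeyInfo
    return _tlv(0x30, tbs + placeholder + _tlv(0x03, b"\x00"))  # + signatureAlgorithm, signature


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "today" so the run is reproducible
INVENTORY = {                                       # constructed sample data
    "vpn-gateway":    constructed_cert(NOW - timedelta(days=300), NOW + timedelta(days=65)),
    "internal-api":   constructed_cert(NOW - timedelta(days=350), NOW + timedelta(days=12)),
    "legacy-printer": constructed_cert(NOW - timedelta(days=800), NOW - timedelta(days=5)),
}

if __name__ == "__main__":
    for name, days in expiring_within(INVENTORY, NOW):
        state = "EXPIRED" if days < 0 else "renew within"
        print(f"{name}: {state} {abs(days)} day(s)")
```

Run against a real inventory, each `der` value would be the bytes of a certificate file and `NOW` would be `datetime.now(timezone.utc)`; the point is that the renewal window is checked by a scheduled job rather than by someone noticing an outage, which is the human-error risk the article's conclusion warns about regardless of where the PKI is hosted.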

A common fear among business owners is that using a cloud-hosted PKI will require giving up all control of their virtual assets. This fear is not unfounded, but it can be mitigated by carefully choosing a provider that is transparent in its operations and that meets your business needs. In an ideal case, you want to outsource complexity while continuously maintaining control. Regardless of the provider, companies need to make sure that they do not give up control of their PKI recovery resources and root certificate authorities, or CAs. The activities that can, and should, be outsourced are PKI management, design and deployment. Furthermore, a reputable provider needs to be able to guarantee that its system is flexible enough to integrate with multiple public and private CAs. This gives businesses the confidence and freedom to adapt and change their PKIs as their business needs evolve.

In-house PKI management usually has lower upfront costs than the fixed, ongoing fees of a cloud-managed solution, so smaller businesses might find themselves paying for features they do not necessarily need. Going with a cloud-based service also requires a lot of trust that your provider is vigilantly up to date with security standards and procedures, as well as legal and governmental compliance requirements. The bottom line is that, should their systems fail, yours will go down as well.

Conclusion

Regardless of whether the PKI is in-house or cloud-managed, it is important to invest in PKI automation. Without it, there is a huge risk of human error, be it through oversight, incompetence, or just bad luck, and with it a far greater potential for costly and dangerous cybersecurity breaches. Before deciding which path to take, carry out a full risk and cost analysis based on how much you are willing to invest, the skills of your team, and how crucial security is for your business.