How to Choose Between Managed or On Premise PKI?
PATECCO GmbH
PATECCO is a German company, dedicated to development and implementation of Identity & Access Management solutions.
The PKI segment has been established in many companies for years and dynamic growth is still expected. Due to the growing and constantly changing threat situation, more companies will be faced with the question of whether operating their own "private" PKI is worthwhile in the long term and how private certificates differ from public certificates.
As a proven instrument, the Public Key Infrastructure (PKI) enables authentic and confidential communication between people and machines. It issues certificates and represents the secure trust anchor in the company. Certificates are used for Virtual Private Networks (VPNs) and secure home offices. The replication of data and files between servers, remote backup and remote administration also require protection through secured identities, and the Internet of Things and critical infrastructures rely equally on digital certificates. To protect all these systems, no device may be granted access unless it has proven its trustworthiness through an authorised certificate.
Once the decision for a corporate PKI has been made, the large cloud providers offer different options. If you are already with a provider, you benefit from coordinated services for generating certificates for your own cloud infrastructure and receive customised interfaces. However, the use of a dedicated corporate PKI offers more freedom and design options for the integration of certificates into corporate processes. This can be operated in the company's own data centre (on-premise) or used as a service via specialised data centre service providers and infrastructure providers.
The introduction and operation of an on-premise PKI is a demanding and complex task. It is chosen above all by companies that want to implement, or are obliged to fulfil, special security requirements. These include regulatory requirements, the provisioning of IoT devices with certificates during production, or the implementation of extensive services such as those in the health care sector. It is also possible that the company is simply large enough and has both the infrastructure and the necessary specialist staff, so that operating its own PKI can be considered. In all other cases, however, the focus should be on managed PKI.
A modern Managed PKI should come from a trustworthy provider who is able to set it up exclusively for the user and map the complete chain of trust. In this case, each issued private certificate comes from the company itself. Scalability and state-of-the-art key protection are further requirements. Ideally, it should also be possible to obtain public certificates via a connected public Certificate Authority.
User-friendly operation and up-to-date Certificate Lifecycle Management (CLM) are further selection criteria, because companies are becoming increasingly aware of the problems caused by expired certificates. A CLM significantly facilitates the introduction, monitoring and smooth operation of certificate processes. Expensive downtime due to unintentionally expired certificates is prevented, and with it, for example, the failure of production facilities or the unreachability of home offices. When it comes to monitoring and renewing many certificates, automation options play a very important role.
This not only increases the quality of the processes around the certificates, but also reduces the cost-driving manual effort. With a CLM, there is full transparency about the status and whereabouts of certificates. Granular rights management, support for the dual control principle and simple administration of any number of company areas with individual policies also make it easier to implement compliance guidelines in the company. One aspect of operating a PKI that should not be underestimated is the personal support and consulting that companies need in this context. Even with a managed PKI, direct access to PKI expertise should therefore be kept in mind.
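The two checks the article keeps returning to, that a device is admitted only with a certificate chaining to the company's own root and that a CLM flags certificates before they expire, as an added example that is not code from the original article or from PATECCO. It uses only Go's standard library; the issuing helper, the CA and device names and the 30-day renewal threshold are constructed demo values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a certificate for cn: a self-signed CA when parent is nil,
// otherwise an end-entity certificate signed by parent. Constructed in-memory demo data.
func issue(cn string, ttl time.Duration, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl),
		IsCA:         parent == nil, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, skey := t, key // self-signed root unless a parent CA is given
	if parent != nil {
		signer, skey = parent, pkey
	} else {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, t, signer, &key.PublicKey, skey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return c, key
}

// CheckDevice is the admission decision the article describes: the device certificate
// must chain to the company's private root (and be within its validity period), and
// daysLeft lets a CLM raise a renewal warning before NotAfter is reached.
func CheckDevice(dev *x509.Certificate, roots *x509.CertPool, now time.Time, warnDays int) (trusted bool, daysLeft int, renew bool) {
	_, err := dev.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	daysLeft = int(dev.NotAfter.Sub(now).Hours() / 24)
	return err == nil, daysLeft, daysLeft <= warnDays
}
```

A certificate from any other CA, or one already past NotAfter, is rejected by Verify; the renewal flag is what turns the second case from an outage into a scheduled task.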
A Private Managed PKI can be implemented with significantly less effort and preparation time than the on-premise solution. Trusted authentication, verification, integrity and encryption for critical and sensitive business processes and applications are directly available. Companies can concentrate on securing their business processes and use the established PKI more quickly.
With a managed PKI, the user does not have to invest in secure configuration, backup concepts and fail-safety. Access controls and access rights are regulated, and the necessary infrastructure is ready and scales with growing requirements. Furthermore, there is no need to build up extensive PKI and IT security know-how or the corresponding specialist staff. Regular software and security updates, as well as adaptations to constantly growing cryptographic requirements, are carried out by the service provider. The handling of hardware security modules and the special knowledge this requires are also taken care of.
The total cost of an on-premise PKI is usually dominated by personnel, infrastructure and operating costs, which are significantly higher than the comparatively low cost of software licences. Even open source PKI solutions therefore do not make a significant contribution to reducing overall costs. Unlike other technology solutions, PKI requires far more than the authentication software and the supporting infrastructure.
For organizations that plan to implement an on-premise PKI, trained and skilled personnel are required to create, manage and support the infrastructure. Highly secure facilities are critical, as are robust policies and procedures, to ensure that the keys used for certificates are protected. Another consideration is the need for failover technology and a scalable infrastructure to ensure continuous operation, since availability can be a major concern: employees and partners who are unable to validate their identities because the PKI is unavailable may be prevented from conducting business in a timely manner.
Security of the root certificate and of the certificate issuance process is a critical issue that enterprises must be prepared to handle when implementing an on-premise PKI. Appropriately high levels of security, background checks, procedures and more must be in place, or the root certificate could be compromised, which is a very serious risk for the enterprise.
Whether on-premise or managed PKI, both have their place. For special requirements and depending on the scenario, companies, operators of critical infrastructures and public authorities have no choice but to opt for an on-premise PKI. But especially in medium-sized businesses, where standard applications are implemented and secured, Managed PKI offerings provide the chance to significantly lower entry barriers and markedly improve security in the company, at considerably lower cost.