Automation is the Future of (Digital Certificate) Security

As a foundational security technology that has been implemented for decades, public key infrastructure (PKI) is already deployed in most enterprise IT infrastructures to protect network devices, workforce and internet of things (IoT) devices for a variety of use cases such as passwordless authentication, data encryption and digital signing. However, the ongoing management and maintenance of an in-house PKI deployment can be difficult and requires dedicated, skilled staff—adding to overall security costs. An on-demand PKI-as-a-service (PKIaaS) solution can significantly reduce those costs and risks, allowing enterprises to scale on demand.

More Certificates with Shorter Lifespans

Digital transformation and the explosion of IoT devices have increased the number of internet-connected devices across the enterprise. On top of that, the lifespan of digital certificates to secure websites, networks and devices has shortened significantly, and managing those digital certificates manually is error-prone and creates excess overhead for IT and security teams.

The answer is automation. This is the best way to deploy and manage digital certificates for any network-connected device. When automation renders security invisible to the user, it removes the risk of user error and of relying on users to protect security and corporate assets, helping to prevent certificate mismanagement and the outages that follow from it. There are numerous certificate automation models available to establish this critical PKI infrastructure and secure communications between machines, network and mobile devices, virtual servers and the IoT.

Use of Certificate Utilities

The most effective model is to use certificate utilities such as the automated certificate management environment (ACME) clients that already exist in the market. Known as connectors, they are added to or embedded in popular enterprise platforms like the Microsoft Intune mobile device and application management service, for example. This connector model differs from the other two models—agent and agentless—in that it does not rely on the introduction of a command and control platform solely for the management of certificates. Nor does it require a central management console that must be installed and maintained by the IT team to prevent failures (while becoming a central point of failure itself and imposing dependency on a single vendor). Instead, the generally standards-based connectors work autonomously and in the background to request and install certificates independently of one another, with a lightweight browser-based certificate portal providing the traditional certificate management functions like manual issuance, revocation, reporting and account management.

Ensuring that keys and certificates are generated and installed correctly becomes easier to manage when purpose-built utilities are deployed. In addition, installing and configuring automated certificate utilities, like the widely available ACME clients, ultimately saves a great deal of time compared to installing certificates manually. With ACME clients, certificates can be replaced with a simple command, and most applications can be automatically configured to use the certificate without human intervention. This leads to significant time savings and fewer service interruptions due to expired certificates.
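The outage risk described above comes from certificates that quietly pass their renewal window. The following added example (not code from the post or from HID Global) shows the check an automated renewal loop performs before invoking its ACME client: it builds two constructed self-signed certificates offline and flags the one that has used more than two thirds of its validity period, a common ACME-client default that the post does not itself specify and is assumed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// renewalDue reports whether a certificate has entered its renewal window at
// time now. Assumption: renew once two thirds of the validity period has
// elapsed, the convention many ACME clients use; the post names no ratio.
func renewalDue(cert *x509.Certificate, now time.Time) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	renewAt := cert.NotBefore.Add(lifetime * 2 / 3)
	return !now.Before(renewAt)
}

// daysLeft returns whole days until the certificate expires.
func daysLeft(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// makeCert builds a constructed self-signed certificate so the example runs
// offline; in production the certificates come from the inventory on disk.
func makeCert(cn string, notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// auditInventory returns the common names of certificates due for renewal.
func auditInventory(certs []*x509.Certificate, now time.Time) []string {
	var due []string
	for _, c := range certs {
		if renewalDue(c, now) {
			due = append(due, c.Subject.CommonName)
		}
	}
	return due
}

func main() {
	now := time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC)
	fresh, _ := makeCert("new.example.internal", now.AddDate(0, 0, -10), 90)
	aging, _ := makeCert("old.example.internal", now.AddDate(0, 0, -70), 90)
	for _, name := range auditInventory([]*x509.Certificate{fresh, aging}, now) {
		fmt.Println("renew:", name)
	}
}
```

A renewal timer would run this audit daily and hand each flagged name to the ACME client, so the 90-day certificate above is replaced with 20 days of validity still remaining.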

Traditional, on-premises PKI can work for implementing this model—up to a point. The problem is, as networks and integrations become more complex and the number of endpoints grows, managing that environment at scale becomes increasingly difficult and expensive. Running an on-premises PKI service limits an organization based on the capabilities and demands of the PKI infrastructure. This could require significant extra investment for adding or updating services as opposed to using an adaptable PKIaaS solution that can expand as the technology footprint and user base grows.

In contrast, services can be tailored and expanded as needed when using a cloud-based PKIaaS solution. PKI security services can be added and changed at any time to increase capacity and expand technologies without upfront investment or concerns about demand. These scalable services can also be deployed more quickly and accurately, growing alongside evolving business and security needs. With PKIaaS, enterprises have a broad range of automation capabilities for managing privately issued and publicly trusted certificates using the connector model.

Choosing and Using a Connector

Depending on the platform, there are a variety of connectors from which to choose, from the dynamic simple certificate enrollment protocol (SCEP) in-app connector for the Microsoft Intune platform to the autoenrollment proxy add-on connector for the Windows autoenrollment protocol, which simplifies certificate automation for any Microsoft Active Directory-managed network device. We mention this particular example because it’s used widely; Microsoft Active Directory has a 44% share of the market for identity and access management solutions.

Taking Windows autoenrollment as an example, any device on the network can easily be connected with a cloud-based PKIaaS via the Microsoft autoenrollment connector. This out-of-the-box integration and automation support for Microsoft autoenrollment enables centralized management of all device certificates across the entire enterprise, either manually or through Active Directory or a mobile device management (MDM) platform, whether they are issued automatically or manually.

PKIaaS eliminates the need for agent-based certificate distribution and automation in these scenarios. The PKIaaS platform uses an autoenrollment connector that acts as a proxy: it receives certificate requests from Microsoft Active Directory and makes an outbound connection to the PKIaaS platform for certificate issuance or updates. There is no need to update any firewall configuration for an inbound connection, since the connector only makes an outbound connection on port 443. There is also no agent or other configuration change required at the individual device level, enabling the use of existing technology deployments and infrastructure.

Management is further simplified if the PKIaaS platform also supports various pre-built integrations with standards-based certificate management protocols including ACME, SCEP and enrollment over secure transport (EST). Including robust RESTful application programming interfaces (APIs) facilitates integration with any other third-party tools for certificate orchestration and automation.

PKIaaS simplifies the process of seamlessly and automatically issuing, renewing, replacing or revoking certificates across the enterprise, using widely available in-app and add-on connectors with popular enterprise solutions such as the Microsoft Intune platform and the Microsoft autoenrollment protocol.

With PKIaaS, there is one secure cloud-based platform that eliminates manual, error-prone and risky processes for tracking, installing and renewing certificates.


Mrugesh Chandarana

Mrugesh Chandarana is the Senior Product Manager, IAM Solution at HID Global. Prior to this, he was the Director of Product Management at RiskSense, Inc. Mrugesh has also worked as Senior Product Manager at WhiteHat Security, and as Senior Product Manager, Product Support Manager and Technical Support Engineer at Agiliance. Mrugesh completed his Master's in electrical and electronics engineering from San Jose State Engineering and his Bachelor's in electronics and communication from C.U.Shah College of Engineering and Technology.
