How Integrators Can Dispel Top 3 Myths of PKI Automation

Integrators who dispel these myths about PKI certificate automation can help clients bring trust to complex device and user ecosystems.

Security professionals know that public key infrastructure (PKI) offers the best way to protect communications between an enterprise’s machines, network and mobile devices, virtual servers and the IoT. But what sends them to an integrator is the painful realization that managing digital certificates for this soaring volume of machines, devices and network endpoints has outgrown any efficient or reliable manual approach to lifecycle management.

PKI certificate automation is the solution. But before they can help clients realize its benefits, integrators often need to dispel three myths about the Cloud-based digital certificate lifecycle automation solutions that are now available as a service (also known as PKI-as-a-Service).

Myth #1: It is easier to just install certificates manually than to install and configure the utilities required for PKI certificate automation.

There was a time when automating PKI certificate management required the cost, configuration, support and point-of-failure risks of an intermediary command-and-control management platform. In contrast, today’s solutions use standards-based protocols such as Automated Certificate Management Environment (ACME), Enrollment over Secure Transport (EST) or Simple Certificate Enrollment Protocol (SCEP), making it much easier to automate certificate lifecycle management for any device.

Myth #2: Different solutions are needed for private PKI and publicly trusted TLS/SSL certificates.

On the contrary, today’s one-stop solutions automate the installation and renewal routines for many different types of certificates. Particularly valuable is the ability to manage both trusted TLS/SSL certificates and, for greater chain-of-trust control, customer-dedicated private Intermediate Certificate Authorities (ICAs) through a single Cloud-based service.

Today’s options include both a web-browser-based portal for quick deployment and representational state transfer (REST) APIs for integrating certificate management with existing infrastructure. Having a single pane of glass for managing all enterprise public or private digital certificates reduces cost, complexity and the risk of certificate-related outages.

Myth #3: There is no security downside to continuing manual PKI certificate lifecycle management.

In fact, it is extremely risky to manage PKI certificate lifecycles manually, especially in today’s complex device and user ecosystem, where shorter certificate validity periods and more frequent renewals are used to improve security.

Today’s scale and complexity are much different than in the past, when certificates secured a limited number of stationary devices, users and webpages connected through comparatively simple infrastructure. Certificates could be set up and forgotten for multiple years and managed through homegrown, on-prem certificate lifecycle management solutions with a bit of occasional manual intervention from IT.

The modern device and user ecosystem is simply too complex for IT departments to safely shoulder the burden of manual certificate renewal or management. An expiration will inevitably occur and create security liabilities.

Plus, the workflows associated with correcting an expiration, especially with system and service interdependencies in play, can be enormously complicated and time-consuming. If an expiration then goes on to cause an outage, every minute spent fixing the problem can mean millions of frustrated users, lost business and IT staff diverted from mission-critical systems.

Maximizing Benefits

As organizations move to automated solutions, they can benefit from “out-of-the-box” integration with existing network infrastructure components and automated provisioning using standard protocols. This can reduce the overall cost of implementing PKI automation by 75%. Implementing a solution with end-to-end PKI coverage within the organization eliminates security gaps and the risk of expired certificates.

Organizations will also need to choose PKI automation solutions that can help them adapt to a new, hybrid workplace environment created during the global pandemic. As an example, organizations from businesses to universities purchased a massive volume of Chromebooks that they sent home with people so they could work and study remotely.

They will need PKI automation solutions capable of issuing and managing the digital certificates for these devices so they can be seamlessly and securely connected to corporate and university networks, without passwords.

Digital certificates provide powerful, PKI-based security that enables the creation of trusted device identities, but making sure they are managed properly can be a pain point for organizations that do not understand the benefits of digital certificate lifecycle management and how best to implement it. Integrators can help them improve their information security posture using Cloud-based PKI services that emphasize automating digital certificate lifecycle management.

Mrugesh Chandarana is Product Management Director, Identity and Access Management Solutions, for HID Global.