PKIaaS or as a Cloud Platform

Cloud is not just cloud these days. As in many other cloud arenas, for PKI, the question arises: PKIaaS or as a cloud platform? PKIaaS offers a fixed set of functions. Billing is per certificate or per device. The approach is an obvious choice if the environment is dominated by standard scenarios that hardly need to be adapted and only a few special cases. Complete individualization is impossible, and deep PKI integration is difficult. The SaaS approach shows its strengths in the provision of standard certificates for servers, TLS, or VPN and pays off immediately because of the inexpensive implementation.

For an extensive PKI implementation or for a very specific use case, relying on a full cloud platform is recommended. This should have deep API support. It is equally important to ensure that billing is based on a single license for an unlimited number of certificates. This means that the system costs less and scales better (e.g., to cover the rapidly increasing IoT use cases). An administrator has full control over a PKI cloud platform and can cover every PKI functionality and component in the cloud.

Digital communication is also influenced by national and international regulations. Adapting to these regulations and integrating corresponding security aspects is one of the strengths of PKI from the cloud, particularly with regard to requirements for the operating environment and the use of approved system components. Some cloud providers cover precisely these aspects. The company uses its PKI from the cloud in the usual way and saves itself costly and time-consuming auditing and certification processes.

New Functions for the Cloud Future

Technological advancements continue, of course. Recent cloud-native features include a dedicated external Validation Authority (VA) that efficiently scales the OCSP. Cost reductions are promised by a feature that supports the AWS Key Management Service. Administrators will be delighted with simplified configuration for clustering, cloud databases, and the integration of a cloud HSM.

The level of integration already taking place in the cloud is illustrated by scaling capacity and throughput, as needed. This capability pays dividends when certificate validation requirements suddenly skyrocket because the PKI user introduces new services or products. Another important advance involves the ability to run a PKI environment with multiple cloud providers. The need may arise from legal requirements. The improvement now is to manage the PKI through one management interface, even though it is used across different clouds.

Conclusions

A PKI is and always has been capable of covering the most demanding use cases for secure digital communication, and this is even more true for the future when considering IoT and M2M environments or new scenarios, such as in connected cars or healthcare. These examples also show that a PKI in cloud operation reduces complexity. Thus far, the opposite has been the case from the critics' point of view. A cloud-based implementation now offers the refreshing approach of beaming the qualities of a proven security architecture into the next decade.