The importance of digital identities is growing day by day. Identities are no longer used only to authenticate people; increasingly they secure communications between machines, connected IoT devices, apps and services. The key to a strong regime for these machine identities is the security of the underlying TLS/SSL certificates and of the private keys behind them. Organizations have two options: trust a public Certificate Authority (CA) or run their own CA.
Running your own CA, in turn, comes down to deciding whether to rely on a managed Public Key Infrastructure (PKI) service or to build and operate the PKI in-house.
Before deciding how to build a PKI, consider whether you need one at all for your authentication requirements. Private PKIs are complex to set up and need constant maintenance by skilled practitioners. Alternative authentication methods that are easier to implement may meet your requirements just as well.
If you run a public-facing site, the best solution is to obtain your certificates from a public CA. These certificates are trusted globally because they chain to an established root certificate that already ships in the trust stores of browsers and operating systems; the root's private key never leaves the CA, and it is the root certificate, not the key, that clients hold.
If, on the other hand, your organization has internal systems and devices that are not exposed to the rest of the world, building an in-house PKI is the preferred solution and offers many advantages: you decide which names and devices receive certificates, and the root needs to be trusted only by your own clients. The corresponding obligation is that every client that must accept those certificates has to be provisioned with your root certificate, because it is in no public trust store. A private PKI is also often the better option for authenticating an end entity to a VPN. Finally, a private PKI might be required not only for technical reasons but also by standards or regulation.
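The two points above, that a certificate is trusted only because its root is already in the relying party's trust store, and that a private PKI therefore has to distribute its own root, can be exercised directly in code. The program below is an added example written for this article; it is not Venafi code and not taken from NCSC material. It builds a two-tier private CA (an offline root and an issuing CA) with Go's standard crypto/x509 package, issues a server certificate, and verifies it against a trust store that does and does not contain the private root. It goes one step beyond the text by giving the issuing CA a name constraint, a typical design choice for an in-house CA: a certificate the issuing CA signs for a name outside the private zone is rejected by verifiers even though the CA signed it. The CA names, the example.internal zone and the host names are invented for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PrivatePKI: an offline root that signs only the issuing CA, which is name-constrained.
type PrivatePKI struct {
	Root, Issuing *x509.Certificate
	issuingKey    *ecdsa.PrivateKey // the root key is discarded after setup: it stays offline
}

// must keeps the demo short; real CA code returns errors instead of panicking.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign creates a certificate from tmpl signed with parentKey and parses it back.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// caTemplate returns a CA template; pathLen 0 means the CA may sign end entities only.
func caTemplate(serial int64, cn string, pathLen, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func BuildPrivatePKI() *PrivatePKI {
	rootKey, issuingKey := newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Internal Root CA", 1, 10) // root -> issuing CA -> end entity
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)  // self-signed
	issuingTmpl := caTemplate(2, "Example Internal Issuing CA", 0, 5)
	// Name constraint (hypothetical zone): a stolen issuing key still cannot mint
	// certificates that verifiers accept for names outside example.internal.
	issuingTmpl.PermittedDNSDomains = []string{"example.internal"}
	issuingTmpl.PermittedDNSDomainsCritical = true
	issuing := sign(issuingTmpl, root, &issuingKey.PublicKey, rootKey)
	return &PrivatePKI{Root: root, Issuing: issuing, issuingKey: issuingKey}
}

// IssueServer signs a 90-day TLS server certificate for dnsName. The CA signs any
// name it is asked to; the name constraint is enforced by verifiers, not by the CA.
func (p *PrivatePKI) IssueServer(dnsName string) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:      pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, p.Issuing, &key.PublicKey, p.issuingKey)
}

// Verify checks leaf as a TLS client for its DNS name would. trustRoot=false uses an
// empty store (a client never given the root); a nil Roots pool would use the system store.
func (p *PrivatePKI) Verify(leaf *x509.Certificate, trustRoot bool) error {
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	if trustRoot {
		roots.AddCert(p.Root)
	}
	intermediates.AddCert(p.Issuing)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: leaf.DNSNames[0]})
	return err
}

// Classify reduces a verification result to a short label.
func Classify(err error) string {
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown-authority"
	case errors.As(err, &invalid) && invalid.Reason == x509.CANotAuthorizedForThisName:
		return "name-constraint"
	}
	return "other: " + err.Error()
}

func main() {
	pki := BuildPrivatePKI()
	vpn, rogue := pki.IssueServer("vpn.example.internal"), pki.IssueServer("www.example.com")
	fmt.Println(Classify(pki.Verify(vpn, true)), Classify(pki.Verify(vpn, false)), Classify(pki.Verify(rogue, true)))
}
```

The middle result is the one the article's trust-store argument predicts: the certificate is perfectly well formed and correctly signed, yet a client that was never provisioned with the private root reports an unknown authority, exactly as a browser does for an in-house certificate. Note also that an empty certificate pool and a nil pool behave differently in Go; passing nil would silently consult the system trust store and make the test meaningless.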
According to the National Cyber Security Centre (NCSC), when designing a PKI you will face decisions that require trading certain functions of the system off against others. These trade-offs should be made on a risk-based approach and must not undermine your security goals; the objective of the PKI is, after all, to mitigate the identity-related risks to your organization. The trade-offs may include the following areas:
Building an in-house PKI usually calls for significant additional investment in staff and technical resources. The following factors should not be overlooked when deciding whether or not to deploy a private PKI.
According to the NCSC, there are 12 guiding principles every organization should adhere to when building an in-house PKI.
If your organization has a clear idea of what it needs and the budget and resources to accomplish it, creating an in-house PKI gives you the highest degree of customization and control. For most companies, however, the expertise, time and money required to build a private PKI are prohibitive. In that case, managed PKI services delivered as SaaS are usually the better choice.
Venafi Zero Touch PKI is a fully SaaS-based alternative to creating and running your own internal PKI. It can be configured and managed however your organization requires, works in conjunction with multiple CAs, and offers the options you need for security and traceability.
Venafi Zero Touch PKI gives you complete policy control and delegated administration, automation for mixed IT environments, Active Directory integration, and multiple options for migrating an existing PKI onto the new platform. To learn more, contact one of our experts.