Moving to the cloud? So are your peers. According to Cisco Global Cloud Index (2016-2021), 94% of all workloads will be cloud-based by 2021. But cloud implementation strategies are not so clear cut. An Everest Group Survey of 200 enterprises found that over 70% described their cloud as hybrid-first or private-first. As a result, many organizations are faced with the challenge of providing consistent security across implementations.
Key management is no exception. Many organizations that we speak with are struggling with extending machine identity management into their hybrid cloud environments. What many of them don’t realize is that they will still have the same responsibility for protecting machine identities in the cloud as they do in on-premises environments.
Some assume that they won’t have to care about PKI anymore because when they turn over responsibility to the cloud service provider, a wide range of PKI functions will be handled for them. And that's just not true.
Machines operate the same way in the cloud as they do on premises. But that also means you will be responsible for managing the same machine identities in the cloud that you manage on premises. Why? Cloud services are no different from other managed services: they are just another kind of infrastructure that organizations can leverage. But would you feel comfortable handing your keys to a managed service provider without some level of control? It’s the same thing with the cloud.
Moving to the cloud will require access to your keys, but you need to think long and hard about how to maintain ownership over your keys in the cloud the same as you do on-premises. Essentially, you must ensure that the cloud instance is available and that there's no issue with its machine identities. You still have to provision the certificates, you have to renew them, and you have to revoke them.
That process will be even smoother if you can get a consistent view of machine identities across both cloud and on-premises. But many organizations aren’t thinking that way yet.
When organizations move to the cloud, it’s tempting for them to ask their cloud provider to supply the certificates that secure communications between cloud instances. The cloud provider offers a certificate management service. So, no problem, right? Well, if you think about it a bit more, you may start to ask security questions, such as: where are the private keys located, how many are in use on cloud servers, and who is taking care of the certificates there? Unfortunately, many organizations have trouble fully answering those questions. They simply have no idea where their keys are or who owns them in the cloud.
Do you really want to give up responsibility for your PKI and control of your keys? Ideally, the keys in the cloud are part of your complete machine identity inventory. That way you will know where they are installed and who owns them.
Granted, most companies understand that there are risks they may not have considered when moving to the cloud. Many have already dealt with similar issues when managing machine identities in their on-premises infrastructure, and taking it to the cloud only adds complexity. Because most organizations use a hybrid or multi-cloud approach, it may be difficult to maintain consistent visibility and protection across all instances.
Organizations need to understand that cloud instances are just an extension of their on-premises infrastructure and should be treated just the same in terms of managing machine identities. They need to secure their keys and certificates in the same way everywhere. They still want to be able to enforce security policies, automate the certificate lifecycle and monitor all machine identity usage and behavior—just as they do in physical infrastructures.
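The inventory-and-policy idea from the two preceding sections (know where every key is and who owns it, then apply one lifecycle policy everywhere) is illustrated below with an added example. It is not code from the original post or from any vendor product; the inventory records, host names, owners, issuer names and the policy thresholds are all constructed for the demonstration. The point it shows is that the same check runs unchanged over on-premises and cloud identities, so a cloud certificate with a provider-held key and no named owner surfaces in the same report as an expired on-premises one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class MachineIdentity:
    """One certificate/key pair as tracked in the inventory (hypothetical schema)."""
    common_name: str
    environment: str            # "on-prem" or "cloud"; policy does not depend on it
    private_key_location: str   # e.g. "hsm", "host-filesystem", "provider-managed", "unknown"
    owner: Optional[str]        # responsible team, None when nobody has claimed it
    not_after: datetime         # certificate expiry (UTC)
    issuer: str                 # issuing CA as recorded in the inventory


@dataclass
class Policy:
    """Single lifecycle policy applied to every environment (constructed values)."""
    renew_within_days: int
    allowed_key_locations: Set[str]
    approved_issuers: Set[str]


# Fixed reference time so the report is reproducible offline (constructed).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

POLICY = Policy(
    renew_within_days=30,
    allowed_key_locations={"hsm", "host-filesystem"},
    approved_issuers={"Corp Issuing CA"},
)

# Constructed sample inventory: two on-premises and two cloud identities.
SAMPLE_INVENTORY = [
    MachineIdentity("api.internal.example", "on-prem", "hsm", "platform-team",
                    SAMPLE_NOW + timedelta(days=200), "Corp Issuing CA"),
    MachineIdentity("web-01.cloud.example", "cloud", "provider-managed", None,
                    SAMPLE_NOW + timedelta(days=15), "Provider CA"),
    MachineIdentity("db.cloud.example", "cloud", "host-filesystem", "data-team",
                    SAMPLE_NOW - timedelta(days=3), "Corp Issuing CA"),
    MachineIdentity("legacy.onprem.example", "on-prem", "unknown", "ops",
                    SAMPLE_NOW + timedelta(days=400), "Corp Issuing CA"),
]


def evaluate(identity: MachineIdentity, policy: Policy, now: datetime) -> List[str]:
    """Return the policy findings for one identity; an empty list means compliant."""
    findings: List[str] = []
    if identity.owner is None:
        findings.append("no-owner")
    if identity.private_key_location not in policy.allowed_key_locations:
        findings.append(f"key-location:{identity.private_key_location}")
    if identity.issuer not in policy.approved_issuers:
        findings.append("unapproved-issuer")
    days_left = (identity.not_after - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= policy.renew_within_days:
        findings.append("renew-due")
    return findings


def build_report(inventory: List[MachineIdentity], policy: Policy,
                 now: datetime) -> Dict[str, List[str]]:
    """Apply the one policy to every identity regardless of where it lives."""
    return {ident.common_name: evaluate(ident, policy, now) for ident in inventory}


def noncompliant_by_environment(inventory: List[MachineIdentity], policy: Policy,
                                now: datetime) -> Dict[str, int]:
    """Count identities with at least one finding, grouped by environment."""
    counts: Dict[str, int] = {}
    for ident in inventory:
        if evaluate(ident, policy, now):
            counts[ident.environment] = counts.get(ident.environment, 0) + 1
    return counts


if __name__ == "__main__":
    for name, findings in build_report(SAMPLE_INVENTORY, POLICY, SAMPLE_NOW).items():
        status = "OK" if not findings else ", ".join(findings)
        print(f"{name:28} {status}")
    print(noncompliant_by_environment(SAMPLE_INVENTORY, POLICY, SAMPLE_NOW))
```

In practice the `SAMPLE_INVENTORY` list would be populated from discovery of both data centre hosts and cloud instances; the report logic stays the same, which is what gives the consistent view the post argues for.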