As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Vishvas Patel, the Chief Architect and Vice President of Products at HID Global, shares insights on the value of a technology-agnostic approach to PKI automation.
Automation is a double-edged sword: implemented correctly, it helps you; implemented poorly, it can do more harm than good. Maintaining a robust, flexible, and safe enterprise network requires the right automation strategy and processes. It is critical to recognize that public key infrastructure (PKI) is essential to any enterprise security program. It is the gold standard for encryption, authentication, and digital signatures—providing a solid and adaptable foundation for a Zero Trust security model.
One vital part of implementing a Zero Trust security model is automatically verifying every user and device connecting to the network, whether inside or outside the firewall. As we now have many more devices and users connecting to the network, the most efficient way to implement it is via automated certificate provisioning, management, and validation for passwordless authentication.
The Need for PKI Automation Is Growing Rapidly
Enterprise networks are expanding rapidly due to several reasons:
- Digital transformation is increasingly migrating applications, systems, and data to the cloud
- The growing ubiquity of the Internet of Things (IoT) in every industry
- The prevalence of multiple, connected endpoint devices driven by remote work and “Bring Your Own Device” initiatives
- An increasing trend of microarchitecture environments and the opportunity to rapidly create new production and development environments
As more devices connect to the network and more applications are being launched, the need for PKI automation and scale increases. Also, the certificate lifespan is shortening, so the risk of certificate mismanagement and outage is higher.
Automation is the key, but what is the best way to implement automated certificate lifecycle management? There are three main automation approaches—the agent-based model, agentless model, and connector model based on an open-source protocol—and it’s essential to determine which automation model is suited for your organization. The agent-based and agentless models are known in the industry but let’s look at a new approach to automation with the connector model.
The Connector Model and Why It’s the Platform and Vendor-Agnostic Approach
Instead of relying on a vendor-specific agent or agentless architectures for automation, the connector model uses open-source utilities (such as ACME clients) and already-deployed tools within enterprise networks (such as Microsoft Intune) to automate certificate deployment and lifecycle management.
Connectors work autonomously, requesting and installing certificates independently of one another. A lightweight browser-based certificate portal provides the traditional certificate-management functions such as manual issuance, revocation, reporting, and account management. This approach decentralizes the mechanics of managing certificates, so the management console is no longer an enterprise-wide, central point of failure. In addition, connectors are not proprietary to a vendor; they can be re-configured for use with other certificate service providers. And since connectors use standard protocols, there is greater flexibility in combining connectors from different vendors or providers.
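The renewal decision an autonomous connector makes on each endpoint is the piece that turns shortening certificate lifetimes from an outage risk into a non-event. The following Go program is an added illustration written for this column, not code from HID Global or from any ACME client; it constructs a short-lived self-signed certificate as a stand-in for an issued one, parses it from PEM, and applies the common ACME-client rule of renewing once one third of the lifetime remains (30 days on a 90-day certificate). The device name, the 90-day lifetime, and the one-third window are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// RenewalDecision is what a connector logs and acts on after each local check.
type RenewalDecision struct {
	Remaining   time.Duration
	ShouldRenew bool
	Reason      string
}

// ShouldRenew applies the renew-at-one-third-remaining rule (an assumption for
// this example; it matches the 30-days-before-expiry guidance for 90-day
// certificates). It runs entirely on the endpoint: no central console is asked.
func ShouldRenew(cert *x509.Certificate, now time.Time) RenewalDecision {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	switch {
	case now.Before(cert.NotBefore):
		// A not-yet-valid certificate usually means clock skew, not a renewal need.
		return RenewalDecision{remaining, false, "not yet valid; check system clock"}
	case remaining <= 0:
		return RenewalDecision{remaining, true, "expired"}
	case remaining <= lifetime/3:
		return RenewalDecision{remaining, true, "inside renewal window"}
	default:
		return RenewalDecision{remaining, false, "outside renewal window"}
	}
}

// ParsePEMCertificate decodes the first CERTIFICATE block of a PEM file, which
// is how a connector reads the certificate it previously installed.
func ParsePEMCertificate(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// NewSelfSignedPEM constructs a throwaway self-signed certificate so the example
// runs offline. A real connector would receive the certificate from the CA
// over ACME instead.
func NewSelfSignedPEM(cn string, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed sample: a 90-day device certificate issued on 2024-01-01.
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	pemBytes, err := NewSelfSignedPEM("device-42.example.internal", issued, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	cert, err := ParsePEMCertificate(pemBytes)
	if err != nil {
		panic(err)
	}
	// Simulate the connector's periodic check on three different days.
	for _, day := range []int{10, 61, 100} {
		d := ShouldRenew(cert, issued.Add(time.Duration(day)*24*time.Hour))
		fmt.Printf("day %3d: remaining=%6.1f days renew=%-5v (%s)\n",
			day, d.Remaining.Hours()/24, d.ShouldRenew, d.Reason)
	}
}
```

Because the check depends only on the certificate already on disk and the local clock, every connector reaches the same decision without consulting a central server, which is what removes the management console from the outage path. The one case the rule deliberately does not auto-renew is a certificate that is not yet valid, since that usually signals a skewed clock that would also break the ACME exchange.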
What to Expect from a Connector Model
Connector models enable highly secure and straightforward certificate management, ensuring that certificates are not just automated but also perfectly tailored to your needs. They allow enterprises to enjoy:
- Scalability and modular growth. Connector certificate automation is infinitely scalable, allowing organizations to expand their use cases in the future.
- Reduced IT burdens. Free your IT department from managing agents or central servers and time-consuming manual certificate renewal and database management to focus on other mission-critical systems and software.
- Fewer outages. Expired certificates lead to outages that affect an organization’s reputation, productivity, and bottom line — and they’re almost inevitable with dated and self-driven setups.
Some vendors may offer additional benefits such as:
- Geographically dispersed architecture. If one region goes down, traffic can be diverted to another. In addition, customers with manufacturing operations in different parts of the world receive faster responses to requests—beneficial for IoT use cases.
- Simple subscription plans for predictable costs. Instead of paying per certificate, check with your provider to see if a subscription model with various thresholds is offered.
- White-Glove Managed PKIaaS. As your business grows, your services should evolve with it. PKI is complex, but managing it shouldn’t be. From initial implementation to scaling your PKI services several months down the road, receiving support and expertise after the sale is extremely valuable in keeping the burden of managing your PKI off your IT team’s hands.
The key to simplifying PKI management is automation. Using a connector model for PKI automation, an enterprise can decentralize the mechanics of managing certificates and eliminate the management console as a centralized failure point. This model also uses open-source certificate utilities (such as ACME clients) that can either be added to a platform or are already embedded in popular enterprise platforms like Microsoft Intune. Since it is not proprietary to a vendor, using a connector model with other certificate providers requires nothing more than simple reconfiguration. Certificates don’t have to be complex, and thanks to automation and connector-compatible PKI services, they no longer are.