When something is core to your business, it often makes sense to keep it in-house — and what could be more central than network security, especially considering that more than 75% of organizations anticipate a successful cyber-attack within the next 12 months?
Public key infrastructure (PKI) is the gold standard for securing information across networks. Unfortunately, even organizations with mature IT teams struggle to manage the technology. According to an HID survey, 70% of organizations say their cybersecurity staff is stretched too thin. Burdening them with the mundane tasks of PKI and certificate lifecycle management, such as issuing, deploying, renewing and revoking digital certificates, isn’t just dangerous. It’s also unnecessary at a time when managed PKI, or PKI-as-a-service (PKIaaS), solutions enable organizations to outsource the complexity of managing in-house PKI and certificate lifecycle management while retaining control of private trust assets.
Interest in PKIaaS is growing. Yet not all PKIaaS services are created equal. If your IT team is exploring different options, or struggling to achieve the operational efficiencies it was promised by a vendor, it’s worth taking a moment to understand different certificate lifecycle automation models and how they impact your organization.
In this article, we’ll unpack the options and help you find the best fit.
The Three Models of Certificate Lifecycle Automation
Three common models have emerged for certificate lifecycle automation: agent-based, agentless and connector. Here’s what you need to know about each, and how to choose the one that’s best for your organization.
- Agent-based models
Agent-based models install software on each device to create a gateway to the server that hosts your PKI certificates. This automates the task of certificate issuance, deployment and renewals, but it often creates additional work for your IT team. Managing an agent-based solution might be fairly straightforward if your organization’s devices all run on the same operating system. Otherwise, when you account for the time they will spend managing additional software on every machine and server in your organization, you could be asking your IT team to trade one burden (managing PKI certificates) for another.
- Agentless models
Agentless models don’t require you to install additional software. But they do require you to store each device’s privileged log-in information on a server that hosts a central management console. Management consoles are proprietary to your PKI solution provider, and many are hosted in the cloud. They use an API to connect with each device and manage its PKI certificates. This diminishes the burden on your IT team, but it increases the risk to your organization: if your solution provider’s network is breached, your data is exposed.
- Connector models
Connector models rely on widely used protocols such as ACME, SCEP and EST, and on open-source utilities that use those protocols, which are often already embedded in most operating systems and technologies deployed across the enterprise. These utilities work autonomously to request, install, renew and revoke certificates without any manual intervention, while a certificate management portal lets teams report on and analyze statistics for both public and private trust digital certificates, providing a single pane of glass. Certificate management is not just automated but decentralized, which prevents the management console from becoming a single point of failure. There’s no agent to install on individual devices and no hole to create in the firewall, which keeps risk lower and saves time. What’s more, connector tools are technology and vendor agnostic and interoperable between systems, making it easier to adapt and scale as needs change.
Managed PKI, Made Simple
PKI has become an essential network security technology. Yet it comes with administrative challenges, especially given the rise of short-lived certificates (Google has proposed reducing TLS server certificate validity from 398 days to 90 days), whose brief lifespans reduce risk but result in an almost continuous cycle of issuance and renewal. The right PKIaaS does more than automate these certificate lifecycle management tasks. It also frees your IT team from time-consuming software management tasks and eliminates single points of failure. That’s where the connector model shines, reducing risk while enabling organizations to work more efficiently and scale to fit future needs.