Benefits of Cloud PKI vs. On-Premise PKI

As more and more businesses migrate to the cloud, it's important to understand the advantages of cloud PKI (public key infrastructure) over traditional on-premise PKI. Cloud PKI refers to hosting and maintaining an organization’s Certificate Authority (CA) and the PKI environment for provisioning and managing certificates in the cloud. Cloud PKI solutions offer a number of benefits over on-premise solutions, including lower total cost of ownership (TCO), increased security, and easier certificate management.

We explain each of these benefits in more detail below.

What Is PKI and How Does It Work?

PKI is a system of digital certificates and is considered the gold standard for the authentication and encryption of digital identities for users, devices, and applications. It has a number of use-cases for securing communications, protecting data, and enabling access control, including:

• SSL/TLS certificates for web servers
• Device and endpoint certificates for computers, mobile devices, and IoT devices
• Code signing certificates including for DevOps workflows
• Digital signatures
• Secure access to APIs and web services
• Certificate-based VPNs

PKI is based on public key cryptography, which is a strong encryption mechanism that relies on a public key and private key pair to work. These two corresponding keys are used together to encrypt and decrypt a message; they are based on cryptographic algorithms to protect identities and data from unauthorized access or use, guarding against attacks from cybercriminals and other malicious actors.

Organizations that want to use PKI need to set up a Certificate Authority and/or use a trusted 3rd party CA, such as Sectigo. The CA is responsible for certificate issuance, validation, revocation, and renewal, and it vouches for the authenticity and trustworthiness of issued certificates within a system.

CA’s must build and maintain a very secure infrastructure to host the PKI environment. This infrastructure includes a root CA, secure storage of the CA’s root key in a hardware security module (HSM), and a certificate management server. The infrastructure must be well protected using comprehensive network and application security.

Being a CA is a big responsibility. If hackers are able to breach the PKI environment, they essentially have the “keys to the castle” and can impersonate trust in order to access critical business systems undetected. Given this, organizations often rely on trusted 3rd parties who specialize in PKI or they seek to control their own private PKI environment.

There are two main ways to host PKI infrastructure: in the cloud, which is known as cloud PKI, or in an organization’s own on-premise datacenters.

What is Cloud PKI?

This refers to PKI that is hosted and maintained in the cloud. With cloud PKI management, the cloud provider handles all of the resources required for PKI deployment, including the hardware, the software, and the security of the cloud environment. Not only does the provider set up and maintain the specialized PKI infrastructure, they also employ the necessary, dedicated experts on staff.

Cloud-based PKI eliminates the hidden costs of PKI deployments. In reality, software licensing, server hardware, and installation are often only a small component of the overall PKI environment. Consider the following additional critical elements:

• Scalable server deployment to maintain always-on availability and redundancy
• Root key generation to establish the root CA certificate
• Backup software and failover technology to ensure continuous operation and disaster recovery
• Regular security audits to maintain compliance and avoid fines
• Dedicated PKI experts to oversee everything (their salaries are much higher than entry-level administrators)

All cloud-based PKI solutions are not alike. Support for multiple digital identity use cases, application of Zero Trust Network Access principles, IT customization, certificate interoperability, and crypto-agility – all in an environment built for usability – are just some of the capabilities that characterize leading-edge deployment solutions that address current and future threats.

Alternatively, organizations have traditionally looked to on-premise PKI as a way to provide more control, but this requires more resources. Running deployment related processes, ongoing maintenance, and specialized staffing all lead to high capital costs and continuous operational expenses.

What Are the Benefits of Cloud PKI?

Let's take a closer look at each of the advantages of cloud PKI vs traditional on-premise PKI, including lower TCO, increased security, and easier certificate and key management.

Lower TCO: One of the biggest advantages of PKI in the cloud is that it can help reduce TCO. This is because it helps eliminate the need for expensive internal IT specialists and reduces the capital expenses associated with on-premise hardware, data center build-out, and software. Additionally, cloud-based environments reduce ongoing operating expenses through lower services, support, and maintenance costs, as well as eliminate indirect costs such as unplanned downtime.

Security: Today’s threat landscape has raised the cross-industry debate on the security of on-premise versus cloud security to new levels. While the conversation is certainly not new, several high-profile on-premise breaches, despite firewalls and other roadblocks, challenge the belief that data center proximity equals impenetrable protection. This concern also applies to reliance upon an on-premise architecture for public key infrastructure environments. Organizations who think PKI architecture is more secure because the root key and certificate management server are in their data center, and not in the cloud, maybe putting themselves at risk. Cloud PKI solutions leverage the highest degree of network and application security, must adhere to compliance regulations such as SOC2 and SOC3, and are subject to rigorous external audits.

Easier Certificate Management: One of the biggest cloud PKI benefits is that it can simplify certificate management. With a cloud-based service provider like Sectigo, all your certificates can be managed in one centralized location, whether they are private or public. This makes it easy to keep track of all your certificates, automate certificate provisioning and installation, ensure that they are valid and renewed before expiration, and maintain a central certificate revocation list (CRL).

Scalability: Another advantage of cloud PKI is that it can be easily scaled to meet business needs. With a cloud-based solution, you can easily add or remove hundreds, thousands, or even millions of certificates as needed, without having to purchase new hardware or scale it back. This flexibility makes it easy to keep your PKI solution up-to-date as your organization grows.

Do AWS and Azure Offer Cloud Solutions?

Amazon Web Services (AWS) and Microsoft Azure have widely used cloud environments for many different business applications. Both also offer digital certificate solutions for their environments. However, there are some important distinctions that organizations must consider.

AWS is a private, commercial CA. As it is not a member of the CA/Browser Forum, it is not currently considered a trusted public Certificate Authority, which is necessary for public-facing websites and applications. AWS customers can provision and deploy AWS Certificate Manager (ACM) certificates into various AWS services, including AWS Elastic Load Balancing, Amazon CloudFront, Amazon API Gateway, Amazon EC2 instance, and other integrated services that are managed by the AWS Management Console. Some additional considerations of AWS server certificates include:

• ACM does not provide extended validation or organization validation certificates, only domain validation
• ACM only provides certificates for the SSL/TLS protocols
• ACM cannot be used for email encryption

Likewise, Microsoft Azure offers a cloud version of managed PKI through Microsoft CA (MSCA), which is the built-in certificate authority for Microsoft products. While it's convenient for managing certificates for devices that use Microsoft operating systems, it doesn't cover all bases. For example, if you have devices that don't use Microsoft operating systems, you'll still need to provision and manage certificates through a different CA. This added complexity can easily expose an organization to the risk of outages and breaches if certificates expire.

Sectigo CLM Offers a Cloud PKI Solution

Clearly, a cloud Certificate Authority has a number of advantages over an on-premise CA. The Sectigo certificate lifecycle management platform (CLM) is purpose-built in the cloud for identity information and data protection to secure your users, devices, and apps. This Certificate Management platform provides a single pane of glass management environment that automates the end-to-end lifecycle of both public and private digital certificates. Plus, Sectigo CLM is CA agnostic, meaning it is a universal platform capable of managing public and private certificates from Sectigo and other leading CAs.

Perhaps the biggest benefit is that Sectigo’s cloud PKI is more secure than on-premise PKI. As a trusted public CA that offers decades of impenetrable trust, Sectigo protects cloud-based private roots at the same level applied to the hundreds of millions of public digital certificates we’ve issued worldwide. Enhanced network security, stringent dual controls for physical access permissions, sophisticated HSM management for key storage, high availability servers and disaster recovery, and dedicated security experts combine to provide best-in-class cloud protection.

The Sectigo CLM platform is also WebTrust certified and SOC3 compliant and subject to rigorous external audits. With direct connections with the Certification Authority Browser Forum and select government entities, Sectigo receives early alerts on any PKI security concerns, including concerns inherent to the evolution of quantum computing.

Learn more about how running PKI in a cloud environment is now the new norm by watching this webinar — Cloud or On-Premise: Updating Assumptions on Secure Certificate Management.