If you knew then what you know now, would you have built your organization’s PKI differently?
You’re not alone.
In Keyfactor’s 2024 PKI & Digital Trust Report, a staggering 98% of organizations indicated they would change their Public Key Infrastructure (PKI) if given the chance.
It’s no wonder. Think of how much has changed in the past decade. Automation and cloud computing have advanced significantly, and innovations like IoT devices and DevOps methodologies have emerged to impose greater demand on PKI.
While no one can predict the future, PKI systems are often created without a long-term vision for security, scalability, or flexibility. As a result, the PKI is expanded in an ad-hoc manner, creating a complex, brittle solution. This creates a ripple effect that soon becomes a business-critical problem.
Respondents to the report gave myriad reasons for the changes they’d make to their PKI. Understanding the most common goals can inform your own PKI modernization process and point out future PKI challenges.
Could’ve, should’ve, would’ve — How organizations would have built their PKI differently
Preparing for scaling and organizational growth
About 48% of respondents in the report cited the need to adapt to changes—whether due to scaling, innovation, or emerging regulations—as a driving factor in their desire to rebuild their PKI.
PKI succeeds or fails based on the decisions made at the earliest stage of its design. Most organizations lack the skill set needed to get PKI right from the beginning, or the foresight to improve its direction over time. To make matters worse, high turnover in IT leads to a loss of institutional knowledge of the ins and outs of an organization’s particular PKI.
For example, PKI systems rely on a root Certificate Authority (CA) that sits on top of the hierarchy of trust. Beneath the root CA sit several intermediate CAs (ICAs). Ideally, each intermediate CA has a designated function. One might be designated for use by the security team, another by the DevOps team, and so forth.
Smaller organizations may only need a couple of ICAs, while a full-blown enterprise uses an average of seven. As the smaller organization grows, it will need to distribute its services across more specialized ICAs. Mapping out this progression and migrating services to their respective CAs takes significant expertise and planning.
Other challenges of scaling PKI
- Certificate volumes: Gartner estimates that some organizations have as many as half a million certificates in play at any given time. That’s a lot to keep track of. As organizations scale, it becomes infeasible to manage certificate lifecycles through homegrown solutions, spreadsheets, incomplete vendor solutions, or a combination of these.
- A lack of governance: If no one in the organization owns PKI policies, individual departments procure their own PKI assets and run them without oversight or thorough documentation. This makes it hard to gain visibility and control over the entire PKI and certificate landscape.
- Compliance and regulatory challenges: New markets or industries often come with their own ever-emerging set of compliance requirements. These regulations necessitate changes to the PKI architecture to ensure adherence to industry standards and regulations.
Centralizing certificate management is a huge first step. Drawing all certificates into a singular hub for management lays the groundwork for tracking, automation, and better PKI policies. With the visibility enabled by proactive certificate discovery, you can manage the technical aspects of certificate management and align PKI with business objectives.
Enabling more automation
Approximately 40% of organizations express a strong desire to empower their PKI systems with automation.
Just a few decades ago, PKI was a niche specialty that only touched a few select aspects of the broader IT function. But at today’s scale of certificate usage, automation is key to finding undocumented certificates and preventing certificate-related outages for good.
As the volume and complexity of certificate usage grow, so does the demand on the security, IT, and infrastructure teams that manage those certificates. Without automation, the risks scale too: a swelling maintenance burden and a propensity for human error.
Other challenges of automating certificates and PKI
- Low visibility: Many organizations struggle to compile an accurate inventory of cryptographic assets like certificates and CAs. Without the complete picture, it’s practically impossible to make meaningful automation progress.
- Tool sprawl: According to the report, 38% of organizations use homegrown tools and spreadsheets to manage certificates, while 30% rely on tools from certificate vendors. Homegrown tools rarely cover the full range of needs, while vendor tools typically only work for that vendor’s certificates. This leads to redundant tooling and makes automation harder to implement.
- Labor shortage: Few organizations have internal resources specifically dedicated to PKI. More often, PKI is entrusted to IT, security, or infrastructure teams — all of whom have their hands full with their primary responsibilities. As a result, they become so buried by the day-to-day work that they can’t step back and make broader improvements to their own workflows.
When maintenance is slow and manual, responses to certificate-related issues tend to be slow and manual. On average, it took report respondents nearly six hours to identify and remediate a certificate-related outage, which required eight staff members to drop their work and respond to the outage.
Automating PKI management improves operational efficiency by streamlining tasks like certificate issuance, renewal, and revocation. This lowers the effort and timeline of responding to an incident and makes it easier to implement compliance-mandated changes.
Perhaps most importantly, it lets the teams handling PKI devote more of their bandwidth to their primary responsibilities.
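The following is an added example, not taken from the report or from any vendor tooling: it merges certificate records from a spreadsheet, a vendor export, and a network scan into one inventory, then flags the conditions described above (imminent expiry, undocumented certificates, missing owners, issuers outside the sanctioned CA list). The record layout, source names, CA names, shortened fingerprints, 30-day renewal window, and the fixed reference date are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date
# Constructed sample records from three sources a fragmented PKI typically has.
# Fields: (fingerprint placeholder, subject CN, issuing CA, notAfter, owner)
SPREADSHEET = [
    ("aa11", "hr.corp.example", "Corp Security ICA", "2025-03-01", "it-ops"),
    ("bb22", "build.corp.example", "Corp DevOps ICA", "2024-07-05", "devops"),
]
VENDOR_EXPORT = [
    ("bb22", "build.corp.example", "Corp DevOps ICA", "2024-07-05", ""),
    ("cc33", "shop.corp.example", "Vendor Public CA", "2024-06-20", "web"),
]
NETWORK_SCAN = [  # discovered on the wire, so no owner is recorded
    ("aa11", "hr.corp.example", "Corp Security ICA", "2025-03-01", ""),
    ("dd44", "test01.corp.example", "test01.corp.example", "2024-06-05", ""),
]
SANCTIONED_CAS = {"Corp Security ICA", "Corp DevOps ICA", "Vendor Public CA"}

def consolidate(sources):
    """Merge per-source records into one inventory keyed by fingerprint."""
    inventory = {}
    for name, rows in sources.items():
        for fp, cn, issuer, not_after, owner in rows:
            rec = inventory.setdefault(fp, {
                "cn": cn, "issuer": issuer, "owner": "", "seen_in": set(),
                "not_after": date.fromisoformat(not_after)})
            rec["seen_in"].add(name)
            rec["owner"] = rec["owner"] or owner  # keep the first known owner
    return inventory

def findings(inventory, today, renew_days=30):
    """Return {fingerprint: [issues]} for certificates that need attention."""
    out = defaultdict(list)
    for fp, rec in inventory.items():
        days_left = (rec["not_after"] - today).days
        if days_left < 0:
            out[fp].append("expired")
        elif days_left <= renew_days:
            out[fp].append(f"expires in {days_left}d")
        if rec["seen_in"] == {"scan"}:  # found only by discovery
            out[fp].append("undocumented")
        if not rec["owner"]:
            out[fp].append("no owner")
        if rec["issuer"] not in SANCTIONED_CAS:
            out[fp].append("unsanctioned issuer")
    return dict(out)

SOURCES = {"spreadsheet": SPREADSHEET, "vendor": VENDOR_EXPORT, "scan": NETWORK_SCAN}
INVENTORY = consolidate(SOURCES)
REPORT = findings(INVENTORY, today=date(2024, 6, 10))
```

Deduplicating by fingerprint is what lets the scan-only certificate stand out: it appears in no managed source, has no owner, and chains to no sanctioned CA.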
Moving to the cloud
About 35% of organizations would move their PKI to the cloud if they could. The usual cloud benefits of better security, cost efficiency, and scalability certainly apply to PKI.
However, this kind of transition is complex and requires substantial infrastructural changes. For many, designing a system from scratch specifically for cloud environments might be more practical.
Challenges of migrating to the cloud
- Integration with legacy systems: Many environments – particularly in the operational technology sector – rely on a few key pieces of legacy infrastructure that are all but impossible to integrate or modernize. Yet, these legacy systems are too costly or disruptive to replace.
- A lack of expertise: Technicians with PKI knowledge are hard to come by, but how many PKI experts are also well-versed in the cloud and cloud migrations? Very few.
- Protecting your data: Data integrity is a huge concern for any cloud migration. In its journey to the cloud, data passes through many hands, platforms, and pipelines. Along the way, there are many opportunities for errors and discrepancies. If sensitive data is exposed, that’s an incident all its own, and finding where the chain of data trust was broken can be costly and complicated.
That said, the benefits of a cloud-hosted PKI make the migration worth the effort. Cloud providers offer another layer of security and make the business more flexible.
Moving PKI to the cloud requires finding the right partner: PKI experts who have executed cloud migrations successfully. These partners can guide you through a phased migration approach and suggest consolidating infrastructure, implementing automation, and establishing a more trustworthy, flexible PKI.
Conclusion
Businesses and organizations increasingly rely on vendors to help correct course and future-proof their PKI systems.
To that end, PKI as a Service (PKIaaS) has emerged as a viable solution for many, offering the expertise and infrastructure needed to manage PKI efficiently and securely. Outsourcing PKI management to experienced providers will ensure your organization’s cryptographic needs are met without the overhead of maintaining and scaling an in-house system.
The role of PKI in establishing digital trust and security will only become more prominent. The organizations that recognize this now and remain proactive in their PKI management are those most likely to stay secure.