Program Failures and How to Avoid Them

By Chris Hickman, chief security officer, Keyfactor

Public Key Infrastructure (PKI) has survived the test of time. Today, IT leaders and managers view PKI as a vital layer within the security framework, helping to authenticate and encrypt sensitive endpoints, software, and applications. Historically, managing PKI has been a manual, on-premises process. Despite its critical role within the cybersecurity framework, PKI has struggled to find a clear owner within the organization. Add to that the results of a recent survey in which just 36% of respondents said their organizations have enough IT security staff members dedicated to PKI deployment.

With the industry’s skill shortage, shifting compliance requirements and competing budget priorities, how can you sidestep deployment landmines and manage a program that’s right for your enterprise and its budget?

CISOs tackling their organization’s PKI program have two options: build or buy. Deploying DIY PKI on-premises requires significant investment, and keeping the program running takes a dedicated team. Without appropriate resourcing and continuous care and feeding, PKI can degrade, leading to vulnerable keys, certificates, system outages or worse – a significant breach event. In addition to the added costs of network downtime, PKI events can create preventable network vulnerabilities.

Lessons Learned

Unlike newer processes, PKI and its long history give us countless real-life case studies of what has worked and what hasn’t. One recent case study followed a financial institution that opted to build an application to manage its PKI and a growing number of certificates. While the company was able to leverage an existing data center and physical security, implementation alone took the company four months, requiring the dedication of multiple team members across development, engineering and IT. In addition to resourcing, the project racked up significant hardware, licensing and integration costs.

On the other hand, like other security functions, a growing number of leaders see the advantages of outsourced or managed PKI and are opting to ‘buy’ PKI via cloud deployment. Here are 5 reasons why:

  1. Robust Security: If the root key or private keys within the network are compromised, it can result in significant disruption and downtime to PKI-dependent applications. In addition to specific tools used to protect keys, the facility housing critical PKI functions must be secure. PKI-as-a-Service (PKIaaS) vendors and their security policies and practices have been tested over time and at scale. If your enterprise falls under attack, you also have one less critical system to restore, as PKI is hosted safely in an isolated, off-premises cloud location.
  2. Reduced Cost & Complexity: Moving PKI to the cloud can remove the burden of multiple security controls, maintenance tasks, and infrastructure costs. Frankly, the capital expenditure and expertise needed to properly manage a solid internally run PKI is considerable, forcing many organizations to make critical PKI operations a secondary task. Adopting the right PKIaaS platform leads to greater productivity as IT and security teams can focus on core projects. Costs also become much more predictable, since the many hidden and traditional expenses of PKI are replaced with a flat-rate billing model.
  3. Scalability & Availability: A PKI that supports mission-critical applications must run 24/7 and have the ability to scale as the enterprise grows and adds new devices and identities. High availability and scalability built into cloud-delivered PKI models support growth demands, while 24/7 service monitoring ensures that critical components are always running. Most importantly, service level agreements (SLAs) guarantee response times and ensure that there is only “one throat to choke” should an incident occur.
  4. Business Continuity: Finding and retaining IT and security staff capable of running PKI is no simple task. Shifts in PKI ownership inevitably increase the risk of security gaps as inexperienced hands fall on mission-critical infrastructure. Lapses in regular maintenance tasks, such as signing and publishing certificate revocation lists (CRLs) and renewing CAs, can cause significant outages that take days or even weeks to remediate. Deploying cloud-based PKI ensures that regardless of personnel changes, the infrastructure can continue to operate at full capacity.
  5. Lifecycle Automation: Certificate-related issues are almost synonymous with PKI oversights. Manual scripts and spreadsheets simply cannot keep up with the thousands, or hundreds of thousands, of certificates in use within the average enterprise. Just one expired certificate can cause a serious network or application outage. Choosing the right PKIaaS provider can help manage and automate the lifecycle of keys and digital certificates issued from both cloud-hosted private PKI and any number of third-party public CAs, such as DigiCert, Entrust, Sectigo, and others.

Ultimately, teams must shift their perception of what PKI can help them and their enterprises achieve. Whether the choice is to build or buy, next-generation PKI is key in establishing a new approach to identity management that’s sustainable, scalable and secure.

About the Author

Chris Hickman is the chief security officer at Keyfactor, a leading provider of secure digital identity management solutions. As a member of the senior management team, Chris is responsible for establishing and maintaining Keyfactor’s leadership position as a world-class, technical organization with deep security industry expertise. He leads client success initiatives and helps integrate the voice of the customer directly into Keyfactor’s platform and capability set. For more information visit: or follow @Keyfactor on Twitter and LinkedIn.