PKI hosting: Cloud-based PKI vs. self managed
What are the differences between hosting public key infrastructure (PKI) workloads in the cloud versus on-premises?
Many organizations are leveraging SaaS solutions for public key infrastructure (PKI) to protect their workloads in the cloud. However, PKI running in self-managed environments also remains a popular choice, and is a requirement for some highly regulated industries.
There are important factors organizations need to consider before deciding which option is the best choice for their requirements, but the advantages of cloud-based PKI versus an on-premises approach are not always well understood. This blog explores the factors organizations should consider when deciding how to host their PKI environment.
» PKI explained
PKI is the standard process for provisioning and maintaining digital certificates for authentication and encryption of digital identities associated with users, devices, and applications. Common PKI use cases include:
- SSL and TLS certificates
- Device and endpoint certificates
- Code signing certificates
- Digital signatures
- Securing access to APIs
- Certificate-based VPNs
Below is a simplified illustration of the core PKI process:
Public key cryptography is the foundation of PKI. It is a strong encryption mechanism that relies on public and private key pairs. The keys are used together to encrypt and decrypt messages based on cryptographic algorithms, helping to protect identities and data from unauthorized use.
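The core PKI process described above, written out as an added Go example (not HashiCorp's code and independent of Vault): a root CA is created, it issues a short-lived certificate for a client identity, and a relying party verifies the chain against the root it trusts. The CA name, the client hostname, the serial numbers and the lifetimes are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign generates a fresh Ed25519 key pair for the subject and has issuerKey sign tmpl.
func sign(tmpl, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if issuer == nil { // no issuer: the certificate is self-signed, i.e. a root CA
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewRootCA creates the self-signed trust anchor; its private key stays with the CA (constructed 24h lifetime).
func NewRootCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, nil, nil)
}

// IssueLeaf has the CA sign an end-entity certificate for dnsName that expires after ttl.
func IssueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, dnsName string, ttl time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now(), NotAfter: time.Now().Add(ttl), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return sign(tmpl, ca, caKey)
}

// Verify is the relying party's side: chain leaf to the trusted root and check name and validity period.
func Verify(leaf, root *x509.Certificate, dnsName string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}
```

A certificate from a different root, for a different name, or past its expiry is rejected by Verify, which is the property every use case in the list above relies on.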
» Cloud PKI and HCP Vault
In the context of this post, cloud PKI refers to a service or hosting model in the cloud where a service provider hosts and manages the infrastructure and the customer is responsible for the certificate authority (CA), as well as the PKI environment for provisioning and managing certificates.
With self-managed PKI, workloads may be hosted in a cloud environment or a more traditional on-premises datacenter. With a self-managed approach, the organization is responsible for maintaining the PKI infrastructure and operations.
A look into the delivery models for HashiCorp Vault can help make it clear what options are available and which one might be best for your organization.
HashiCorp’s cloud PKI functionality resides in HashiCorp Cloud Platform (HCP) Vault. HCP Vault is a fully managed implementation of Vault operated by HashiCorp, allowing organizations to get up and running quickly.
If an organization chooses to allow a public connection, the HCP Vault cluster will have an associated public address where clients can directly connect to Vault. (Most organizations disable the public connection for security reasons.) The organization can then establish a peering connection between its cloud provider and a HashiCorp virtual network (HVN). This ensures that only trusted clients (users, applications, containers, etc.) running in the peered public cloud provider can connect to Vault and stops systems outside of the selected network from attempting to connect.
» Benefits of PKI on HCP Vault
Running PKI on HCP enables users to secure, store, and tightly control access to tokens, passwords, certificates, and encryption keys within one unified cloud-based platform.
Key benefits of running cloud PKI on HCP Vault include:
- Reduced operational overhead: Push-button deployment as well as fully managed upgrades and backups mean organizations can focus on adoption and integration instead of operational overhead.
- Increased security across clouds and machines: HCP Vault allows organizations to secure their globally diverse infrastructure and applications through a single management interface, to restrict access to sensitive data.
- Control costs: Reduced operating costs due to HashiCorp's engineers running and maintaining the underlying infrastructure for you.
- Reliability: HashiCorp has experience supporting thousands of commercial Vault clusters and HCP Vault brings that expertise directly to users.
- Ease of use: HCP Vault is built to make onboarding to its cloud security automation simple.
» Benefits of self-managed PKI
A managed product like HCP Vault brings many benefits, but organizations should also consider their particular needs when choosing how and where to host their PKI environment. Frequently, those needs are driven by compliance and regulatory requirements associated with specific industries, where self-managed hosting may be appropriate. Self-managed Vault comes in two editions: a free community edition for small use cases, and Vault Enterprise for larger organizations or organizations with stricter security requirements.
The benefits of running a self-managed PKI environment with Vault include:
- Control: The certificate provisioning, revocation, and rotation process is within your control, and you are not limited when accessing the cloud.
- Flexibility: On-premises management can be more flexible in terms of customization based on the requirements and capacity of the business.
- Self-reliance: Since critical data is kept in-house, configuration changes can be done on-premises and on your schedule.
- Security and compliance: Cloud service providers don’t always support the compliance and standards required for particular industries. Self-managed environments allow organizations to customize their environments for their specific compliance needs.
» HashiCorp and PKI
Clearly, both cloud-based and self-managed PKI solutions have their pros and cons. That’s why HashiCorp offers multiple ways to address your PKI needs.
Cloud PKI offers agility, ease of use, and reduced operational overhead, whereas self-managed PKI offers more options to customize and meet specific security and compliance requirements. HashiCorp can meet your organization’s needs not only for both types of PKI, but also for cloud-based or self-managed certificate lifecycle management (CLM) platforms, a broader effort to secure identity information and implement data protection for your users, devices, and applications.
Contact HashiCorp sales to learn more about how HCP Vault and Vault Enterprise can help with your PKI requirements.
Want to learn more about HashiCorp Vault PKI?
- What is PKI ACME: Learn about the ACME protocol for PKI, the common problems it solves, and why it should be part of your certificate management roadmap.
- X.509 certificate management with Vault: A look at practical public key certificate management in HashiCorp Vault using dynamic secrets rotation.
- CIEPS availability with Vault 1.15: HashiCorp Vault 1.15 contains a range of updates from UI updates and PKI enhancements to betas for Vault Enterprise secrets sync, Vault Enterprise seal high availability, and event monitoring.