
5 Reasons AD CS Is Not A Complete PKI

Credential-based authentication is the most common form of authentication, and the one everyone is accustomed to. But like most decades-old technologies, credentials are woefully ill-equipped to face modern security threats.


While multi-factor authentication (MFA) methods can be used to boost the viability of credentials, they will still be a weak point in any network’s security. In response, there has been huge growth in certificate-based authentication. Certificates outmatch credentials in every facet of authentication (security, user experience, speed of authentication, etc.).

The only area where certificates come up short is management, but with effective management software this downside is negated. Admins can easily maintain a certificate-based network if they are supported with management tools.

Many organizations are introduced to certificates for authentication through Active Directory Certificate Services (AD CS). AD CS is an excellent introduction to certificates and provides many of the services of a PKI, but it cannot be considered a complete PKI solution.


Below we have compiled some areas that AD CS lacks and why it should be considered only a partial certificate solution.

Lack Of Sufficient Management Software


A fundamental aspect of certificates is the need for comprehensive management throughout the certificate lifecycle. Certificates are much more involved from a management standpoint than credentials. To compensate, they should be backed up with powerful management software.

AD CS comes with limited management software, but it lacks the capability to manage the entire certificate lifecycle. For example, there is no built-in certificate revocation capability. If your organization has issued hundreds to thousands of certificates, finding the one that needs to be revoked is suddenly a time-consuming process.

Limited Automation


When considering the involvement needed in managing certificates, the fact that AD CS contains very little automation is a detriment. Typically in a cybersecurity system, the weakest link is the human component. Because AD CS requires IT to manage all certificates without automation tools, it inherently creates a security risk.

For comparison, SecureW2’s management solution provides automation tools like automatic revocation of certificates. If a certificate has not been used after a set amount of time, or if the management software detects a person is no longer a valid network user, it will revoke the certificate.

Heavily Tied To Active Directory Infrastructure

With the level of diversity in devices, network infrastructure, and software, a significant hurdle to overcome is how heavily tied AD CS is to Active Directory infrastructure. AD CS does not work well with non-Microsoft devices, which makes it extremely difficult to work around for any BYOD network.

Additionally, AD CS is an on-premises solution. As a result, it does not integrate easily with cloud environments, including Azure AD. If your organization is planning to migrate to the cloud and issue certificates to users and devices that are not in your AD network, AD CS may not be able to accommodate them.

Difficulty With High Availability

For any large organization with thousands of authentication events a day, it’s vital to have high fault tolerance and availability. AD CS can only be active on one server with one datastore at a time. It can be configured with a failover server, but tying one datastore to two servers is an expert-level configuration that will require significant resources to complete. And because AD CS is an on-premises solution, another server means more storage space, more security to maintain, and more cost.

In comparison, SecureW2 as a cloud-based certificate solution has near unlimited room for growth and comes with automatic redundancy. There’s no failover risk, at no extra cost.

Lack Of Identity Context

The primary purpose of credentials or certificates is to provide context as to who is accessing the secure network. AD CS lacks the option to include both user and device information on a certificate. When someone is authenticated, they are still identified securely based on the certificate, but admins cannot easily sort certificates by who holds them and on which device.

In a situation where a device is stolen, that certificate needs to be revoked. But with AD CS, that certificate does not contain all the information needed to revoke just one certificate. If the certificates only contain user information, that user will need to have every certificate revoked in order to guarantee an unauthorized user cannot access the network.

SecureW2 provides a management portal that allows admins to instantly find any certificate. Our certificates are tied to the identity of both the device and the user, so you simply search for a user to find all their certificates on all their devices. Certificates can be revoked quickly, and admins can rest assured that all loose ends are tied up.
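The two management gaps described above, automated revocation of idle or orphaned certificates and targeted revocation when one device is lost, come down to what the certificate inventory records about each certificate. The following is an added illustration, not SecureW2's or AD CS's code: it models a small issued-certificate inventory (the serials, users, device names and timestamps are constructed sample data, and the field names are assumptions) and shows two policy checks over it. With a device identity on the certificate, losing one phone revokes one certificate; a legacy user-only certificate has to be revoked as well, because nothing says which device it lives on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class IssuedCert:
    """One row of a certificate inventory (constructed model, not a real CA database)."""
    serial: str
    user: str                        # identity the cert is bound to, e.g. a UPN in the SAN
    device: Optional[str]            # device identity, or None when only the user was recorded
    issued: datetime
    last_used: Optional[datetime]    # last successful 802.1X authentication, None if never used
    revoked: bool = False


def stale_or_orphaned(inventory: List[IssuedCert], valid_users: Set[str],
                      now: datetime, max_idle: timedelta) -> List[Tuple[str, str]]:
    """Serials an automated policy would revoke, with the reason.

    A cert is orphaned when its user is no longer a valid network user, and
    stale when it has not authenticated within max_idle (falling back to the
    issue date if it was never used)."""
    findings = []
    for cert in inventory:
        if cert.revoked:
            continue
        if cert.user not in valid_users:
            findings.append((cert.serial, "user-deprovisioned"))
            continue
        last_activity = cert.last_used or cert.issued
        if now - last_activity > max_idle:
            findings.append((cert.serial, "idle"))
    return findings


def lost_device_revocations(inventory: List[IssuedCert], user: str, device: str) -> List[str]:
    """Serials to revoke when one of `user`'s devices is lost or stolen.

    Certs that carry a device identity can be targeted individually. Certs
    bound to the user alone (device is None) might be the one on the lost
    device, so they all have to go; that is the cost of missing identity context."""
    return [cert.serial for cert in inventory
            if not cert.revoked and cert.user == user and cert.device in (device, None)]


def apply_revocations(inventory: List[IssuedCert], serials: List[str]) -> int:
    """Mark the given serials revoked; returns how many rows changed."""
    wanted = set(serials)
    changed = 0
    for cert in inventory:
        if cert.serial in wanted and not cert.revoked:
            cert.revoked = True
            changed += 1
    return changed


# Constructed sample inventory; every value below is made up for the example.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    IssuedCert("01", "alice@example.com", "LAPTOP-A1",
               datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2024, 5, 30, tzinfo=timezone.utc)),
    IssuedCert("02", "alice@example.com", "PHONE-A2",
               datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2024, 5, 31, tzinfo=timezone.utc)),
    # Legacy cert issued with user identity only: no device binding.
    IssuedCert("03", "alice@example.com", None,
               datetime(2023, 12, 1, tzinfo=timezone.utc), datetime(2024, 5, 29, tzinfo=timezone.utc)),
    # Bob's laptop cert has not authenticated in four months.
    IssuedCert("04", "bob@example.com", "LAPTOP-B1",
               datetime(2024, 1, 15, tzinfo=timezone.utc), datetime(2024, 2, 1, tzinfo=timezone.utc)),
    # Carol has left the organization but her cert is still valid.
    IssuedCert("05", "carol@example.com", "LAPTOP-C1",
               datetime(2024, 2, 1, tzinfo=timezone.utc), datetime(2024, 5, 28, tzinfo=timezone.utc)),
    # Dave's cert was issued recently and never used yet; not stale.
    IssuedCert("06", "dave@example.com", "LAPTOP-D1",
               datetime(2024, 5, 20, tzinfo=timezone.utc), None),
]
VALID_USERS = {"alice@example.com", "bob@example.com", "dave@example.com"}


if __name__ == "__main__":
    for serial, reason in stale_or_orphaned(INVENTORY, VALID_USERS, NOW, timedelta(days=90)):
        print(f"auto-revoke {serial}: {reason}")
    # Alice reports her phone stolen: the phone cert and the unbound legacy cert go.
    to_revoke = lost_device_revocations(INVENTORY, "alice@example.com", "PHONE-A2")
    print("lost device:", to_revoke, "->", apply_revocations(INVENTORY, to_revoke), "revoked")
```

The lookup is by user and device rather than by scanning serial numbers, which is the difference between finding one certificate among thousands in seconds and hunting for it by hand; the same data model is what lets an inactivity or deprovisioning policy run unattended.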

Certificates are a superior authentication solution to credentials, but they require a higher level of expertise and management to use effectively. Organizations without a complete PKI solution may find themselves spending far more resources managing their network than they anticipated.

SecureW2 provides a complete certificate solution with a PKI that offers efficient onboarding, a comprehensive management portal, easy revocation, cloud solutions, and more. Check out our pricing page to see if our turnkey PKI can outfit your network.


Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
