If you’ve decided to make the move to secure certificate-based authentication, one of the first things you need to figure out is whether you’re going to build your own Public Key Infrastructure (PKI) or use a managed PKI (MPKI). PKIs, like their name implies, give you the infrastructure you need to support the public-private key generation necessary for digital certificates in asymmetric cryptography. They have the components you need for creating and maintaining Certificate Authorities (CAs), revoking certificates, and storing public and private key pairs.
Is it better to build your own private PKI or use an MPKI, though? In this post, we’ll help you determine which of these options is best for your organization’s needs.
Who Uses PKIs?
Those who think PKIs are some obscure technical concept that’s inapplicable to most people couldn’t be more wrong. In fact, PKIs are an integral security component to numerous types of organizations and their networks. Here are just a few common types of organizations that often use PKIs:
PKIs offer a range of benefits for each type of organization. For example, a K-12 school with students learning remotely can issue certificates to BYOD devices. With SecureW2’s amazingly easy onboarding software, those same students can even enroll themselves in seconds.
Larger enterprises likely have many employees working from home. VPNs are particularly popular in businesses with a significant number of remote workers, and a PKI can be used to set up certificate-based authentication for the VPN.
For all types of businesses, role-based access is necessary. Schools don’t necessarily want students accessing the same resources as faculty, and businesses have separate departments with their own resources. PKIs make it simple for you to segment users based on their roles, granting access to different resources as necessary.
What is a Managed PKI (MPKI)?
A PKI is an essential element in secure certificate-based authentication used in public key cryptography. If you’re going to implement certificates in your organization, however, you’ll have to decide if a private PKI or managed PKI is better for you. To make that decision, it’s crucial to understand what an MPKI is.
One aspect that deters some organizations from implementing a PKI is the high degree of cybersecurity expertise involved in maintaining it. An MPKI takes the maintenance and construction factors out of the equation.
Managed PKIs are built by a third party. As a result, both the construction and maintenance of the PKI are handled for you, sparing your IT department a lot of headache in the process. You don’t need to hire additional staff to keep the PKI up and running.
What’s more, managed PKI services are generally hosted in the Cloud. They’re amazingly scalable because of this, and can be accessed from any location. There’s no need to build a physical PKI at each of your offices.
MPKI vs On-Site PKI: Is it Better to Build On-Site or Go With a Managed PKI?
Now that you understand what an MPKI is, it’s time to get to the nuts and bolts of the article: should you build a PKI on-site or use a managed one? There are advantages and disadvantages to either option. Let’s examine them to help you determine which one better fits your organization’s unique needs.
On-Site PKI
Advantages
There’s really only one major advantage to building your own private PKI: you have total control over it. Provided you have staff with the requisite cybersecurity knowledge, you get the final say in how your PKI is built. For some businesses, this control is non-negotiable.
Disadvantages
In general, there are more disadvantages than advantages to building your own PKI. The most obvious one is the time and effort that goes into constructing it. A PKI isn’t simple to build, so you’d likely need to hire additional IT professionals to complete and run it for you.
On top of needing to hire more employees, the construction of the PKI will take time. If you’re on a schedule to reach Zero Trust maturity, the time it takes to finish building your PKI can be a setback.
Time and additional staff aren’t the only ways private PKIs can cost you money. Because they generally are on-prem, they use physical hardware and need space in your office. Space and hardware, of course, cost even more money on top of the other expenses you’re already racking up. When all is said and done, an on-prem PKI can cost upwards of three times more than a managed PKI.
Aside from an increase in costs, on-prem PKIs come with the potential for increased security risks. You’ll need to account for providing a safe location for your PKI, somewhere that can be protected from power outages, fire hazards, and even potentially your own guests or employees.
Furthermore, knowing how to build a PKI using tools such as Active Directory Certificate Services (AD CS) takes knowledge and experience. If your current IT staff doesn’t have that experience, they could easily misconfigure part of the PKI, leaving your certificate authentication system vulnerable.
Finally, the fact that private PKIs are typically on-site can be an issue in and of itself. Your organization may have multiple locations, a problem that is compounded when you have departments filled with remote employees. It may not be feasible to have the hardware for your custom PKI installed at every location, and it’s totally impossible to do the same in individual employees’ home offices. In an increasingly Cloud-based environment, key components requiring physical hardware across a business can be a little like a virtual death knell.
Managed PKI
Advantages
All the disadvantages of an on-site PKI are advantages when it comes to an MPKI. One of the biggest advantages by far is the peace of mind you get from an MPKI’s security.
Managed PKIs aren’t as susceptible to physical weaknesses as private PKIs can be. Generally, their servers are kept in extremely secure and stable environments where they are sheltered from earthquakes, fires, and power outages. They’re also usually locked down, so you can be sure bad actors don’t have access to them.
Beyond the physical safety of the servers, there are the automation and security elements baked into the design to consider. Experts build managed PKIs, so you can rest assured that nothing is overlooked – as opposed to what might happen if you relied on an IT professional who might only have a small amount of experience.
When you use a managed PKI, you’re also getting access to that same team of PKI experts that builds and maintains the PKI. With SecureW2, you get 24/5 access to these experts, so whenever you have an issue, it will be quickly resolved, ensuring seamless operation.
The next big benefit can be summed up into one word: savings. You don’t need to hire extra staff to implement an MPKI, nor do you have to invest in costly physical hardware. Additionally, you don’t need to find space in your office to keep the PKI safe.
A managed PKI can also be integrated into your organization much more quickly, since you’re not waiting for it to be built. In fact, many SecureW2 customers are able to begin using their PKI in a matter of hours.
MPKIs, as we discussed previously, are almost always located in the Cloud. All your office locations and remote employees will have access to the PKI. This makes an MPKI much more scalable in the long run, too. As your business grows and possibly requires more locations, you won’t need to worry about recreating a PKI over and over again at each one.
Disadvantages
As with all other things, there are some drawbacks to managed PKIs. The main one is that you don’t have the same degree of control over it as you would if you were building your own PKI from the ground up.
This isn’t as big an issue as you might expect. MPKIs like SecureW2’s managed PKI include a straightforward management GUI that makes customization a simple matter. You’re really not sacrificing much control, since MPKIs tend to be extremely flexible and customizable.
The second disadvantage to MPKIs is that you rely on the provider’s team for technical support. With reliable PKI service providers like SecureW2, though, your needs won’t get lost amidst a flood of other customers. SecureW2’s team has experience working with thousands of customer PKIs, so you can rest assured that you’re in efficient, expert hands.
The Verdict: MPKIs are More Convenient, Affordable, and Scalable
If you want total control over your PKI from the start and your organization isn’t spread across multiple locations, an on-site PKI could be right for you. But in the majority of other situations, an MPKI is almost always the better choice.
The advantages of managed PKIs greatly outweigh the disadvantages. They’re affordable, scalable, and highly customizable. Chances are, an MPKI is the right choice for your organization, too.