When you consider the varied components involved with a basic PKI-enabled system, it becomes apparent that public key infrastructure has gained a profound foothold in the IT world. From the certificate authority to the certificate revocation list to the registration authority, it's clear securing communications within a PKI environment is computationally expensive. Given this, costs can easily spin out of control, meaning moving all PKI to the cloud is worth exploring.
A public key infrastructure allows companies to securely exchange data across a public network such as the Internet by using a public/private cryptographic key pair and issuing security certificates to end users. The convenience involved with moving PKI to the cloud is profound, to say the least. Many companies that shied away from PKI in the past due to cost may want to reconsider their position now that infrastructure as a service (IaaS) has become more economically feasible for a greater number of organizations.
The heart of a PKI-enabled system is the certificate authority (CA). The CA issues certificates to end users via a designated in-house server or cluster of servers. In large, global organizations, this process can be rather cumbersome. If a CA server is located at every site and the server is beefy enough to handle the daily CPU burden placed on it by the PKI environment, then network performance may not be much of an issue. Conversely, if the server is burdened by other processes or isn't up to the task performance-wise, then consider a different method of accessing the CA. In either case, a move to the cloud may be something to study further.
The above-mentioned scenarios are rendered obsolete by placing an organization's entire public key infrastructure within, for example, Amazon Web Services (AWS) or Google cloud. Therefore, not only is the certificate authority placed in the cloud, but also every other component -- i.e., the registration authority, certificate revocation lists, LDAP servers, etc. Suddenly, performance considerations are no longer an issue, assuming an organization is willing to purchase the requisite amount of performance from the provider.
For example, assume that a system administrator would like to set up basic PKI for his or her network within Amazon Web Services. The administrator need only configure and deploy the appropriate number of Amazon Machine Images (AMIs); he or she can configure a CA, a certificate revocation list (CRL) server and a registration authority (RA) all within the same display. Then, the admin simply has to point all of the network traffic to this same set of AMIs for authentication. If for whatever reason the system administrator needs to add more infrastructure later, this can easily be done with the push of a button.
Security downfalls of moving PKI to the cloud
Moving public key infrastructure to the cloud may make sense economically and in terms of convenience, but what's the flip side of this coin? Ironically, one of the drawbacks of moving PKI to the cloud may be security related.
Once a company decides to move its public key infrastructure to the cloud, physical control of data no longer resides with the data owner. For example, if a cloud company has a lawsuit brought against it, the cloud provider may be forced to hand over data that belongs to a completely innocent third party -- namely, its customer. Given the legal ambiguities involved with who actually owns data once it resides in the cloud, this scenario is not that farfetched. Also, if a company is dissatisfied with its cloud provider, switching providers may not be a smooth transition.
While transitioning public key infrastructure to the cloud may make sense on many different levels, the decision should be made with great care and deliberation.
Companies, such as Gazzang Inc., have already delved into solving some of these security issues by separating the public keys inherent to PKI into another platform.
Despite these concerns, the transition of public key infrastructure to cloud-based platforms is a concept that will no doubt grow into an industry best practice.
About the author:
Brad Casey is a former SearchSecurity.com expert. He holds an MS in Information Assurance from the University of Texas at San Antonio and has extensive experience in the areas of penetration testing, public key infrastructure, VoIP and network packet analysis. He is also knowledgeable in the areas of system administration, Active Directory and Windows Server 2008. He spent five years doing security assessment testing in the U.S. Air Force, and in his spare time, you can find him looking at Wireshark captures and playing with various Linux distros in VMs.