2020-12-15

It is up in the Cloud – the how and why for EJBCA SaaS

The PrimeKey PKI approach continues to evolve as we bring EJBCA as a Service in the Cloud to the market.

The longevity and stability earned by PKI is not without its own challenges. PKI has been around a long time, and that’s because it is the best technology around that provides the type of logical security controls needed in the connected society and on the Internet, where there is no single controlling entity. With its fundamental principles sound, adopting new algorithms, standards, and improved deployment options are the only way to make PKI even better.

An on-premise PKI and a cloud-based PKI deployment share the same core benefits. However, the cloud or SaaS option reduces the CAPEX cost of deploying additional local hardware and software appliances while speeding up the time it takes to design and rollout a fully featured PKI solution. In addition, as an organization grows or adapts, a cloud or SaaS based PKI should scale capacity automatically as required and manage updates such as changes required of encryption schemas, as a part of the service or software.

Let’s be more specific and get to the interesting topic at hand: What is EJBCA SaaS?

To start with, I can say that EJBCA SaaS is not your traditional PKI SaaS offering. Traditional PKI SaaS solutions very often fit well if you only have a small PKI requirement and don’t require deep levels of integration or customizations. It is worth noting that SaaS based alternatives will tend to support many functions, but will not allow full customization, control or extensive automaton of the solution. As such, the solution tends to be more aimed at use cases such as web server certificates and similar simple use cases. For larger organizations with business applications that grow and where the need to continuously and quickly adapt is fundamental, the long-term cost-effectiveness and flexibly of traditional PKI services may fall short. This is where we believe that our new SaaS service adds value by offering full access to the EJBCA Enterprise software without the headache of managing and maintaining the underlying infrastructure and technology stack.

PKI deployment and reuse

At the core of PKI, there is a deep layer of encryption and detailed process for exchanging keys and certificates which requires a high level of technical expertise. But the universal nature of PKI means that once this knowledge barrier is reached, and the PKI is deployed in one area; the software, technology and processes should be replicated across many others. This is how you implement consistent security policies and stay in control.

So, take for example a large retailer. PKI will underpin the smart cards used by employees to gain access to its offices and stores. The certificates used for PKI will be used by remote staff access systems via the VPN and even for securely communicating with EPOS terminals at each retail premise. Any e-commerce infrastructure the retailer runs is likely to use PKI to secure web servers, load balancers, and web server farms including point-of-sale devices. Although different use cases, the secure infrastructure is often the same – and if correctly designed, can use just a single management platform such as EJBCA Enterprise.

When deploying their PKI via a public cloud and in conjunction with our new EJBCA SaaS services, the retailer can dramatically simplify the implementation process through the pre-integrated set of tools, with instant subscription through the AWS Marketplace and without any sales process required. They will also receive on-demand provisioning where everything is uniquely configured for them upon startup. This will shorten the deployment cycle from months to days without losing the ability to design a bespoke solution or solutions. In addition, customers and their private keys will not be dependent upon, or locked into, PrimeKey. Customer keys are provisioned in an isolated fashion to separate them from operational infrastructure and keep access controlled and secure. This also allows us, at PrimeKey, to detach any EJBCA SaaS account and deliver the AWS account holding the private keys back to customers to use within AWS if desired.

Communication in the IoT

The current digital security landscape is getting more complex each day as more legacy manual or analogue processes go through digital transformation. According to IDC, there will be 41 billion IP connected devices around the world by 2025, and the vast majority of these will not even have a screen or keyboard. Instead, millions of sensors and gateways that control everything from light bulbs to connected vehicles will reside within the Internet of Things concept.

As use cases evolve within IoT that require flexibility and the need to scale, organizations are increasingly looking for a solution that allows them to build and scale their public key infrastructure as quickly and flexibly as their cloud resources. Therefore, it makes sense to rely on having your PKI deployed in the Cloud and as EJBCA SaaS.


Author: Alex Gregory 

Alex Gregory is Senior Director Cloud & Managed, PKI Products and Services at PrimeKey based in San Mateo, Silicon Valley. He has over 20 years of experience in the IT Security and Product Management fields, providing senior systems, security and IT solutions to a diverse set of companies.

Contact Alex
alex.gregory@primekey.com


 

To learn more about EJBCA SaaS and see a demo, attend our complimentary webinar on December 17.
Sign up for the webinar

Read more about EJBCA SaaS

How can we help?

    I accept that PrimeKey stores my information, and I accept cookies for analysis and business identification. Read more about cookies and privacy policy here.
Contact us