What are the differences between hosting public key infrastructure (PKI) workloads in the cloud versus on-premises?
Many organizations are leveraging SaaS solutions for public key infrastructure (PKI) to protect their workloads in the cloud. However, PKI running in self-managed environments also remains a popular choice, and is a requirement for some highly regulated industries.
There are important factors organizations need to consider before deciding which option is the best choice for their requirements, but the advantages of cloud-based PKI versus an on-premises approach are not always well understood. This blog explores the factors organizations should consider when deciding how to host their PKI environment.
PKI is the standard process for provisioning and maintaining digital certificates for authentication and encryption of digital identities associated with users, devices, and applications. Common PKI use cases include:
Below is a simplified illustration of the core PKI process:
Public key cryptography is the foundation of PKI. It is a strong encryption mechanism that relies on public and private key pairs. The keys are used together to encrypt and decrypt messages based on cryptographic algorithms, helping to protect identities and data from unauthorized use.
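The certificate provisioning and verification flow sketched above, as an added example that is not code from the original post, from Vault or from HashiCorp; it uses only Go's standard crypto/x509 library. A root CA key pair signs its own certificate (the trust anchor), the CA then binds a server's public key to a DNS name for a limited TTL, and a relying party that trusts only that root validates the result. The function names (issueRootCA, issueServerCert, verifyServerCert) and the hostname app.internal.example are assumptions constructed for this illustration; the verification step also shows the three failures a practitioner should expect a PKI to reject: wrong name, expired certificate, and an issuer outside the trusted set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair: the public half goes into a certificate,
// the private half never leaves the party that owns it.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// randomSerial returns a 128-bit random serial so two certificates issued by
// the same CA can never collide.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// issueRootCA creates a self-signed root certificate: the trust anchor of the PKI.
// (Hypothetical helper written for this example.)
func issueRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Template and parent are the same object: the CA signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert is the provisioning step: the CA binds the subject's public key
// to dnsName for a limited ttl by signing it with the CA private key.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl), // short-lived leaf: expiry limits the blast radius of a lost key
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyServerCert is what a relying party does: trust only the given root, then
// check the signature chain, the name, the validity window and the intended usage.
func verifyServerCert(leaf, root *x509.Certificate, dnsName string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     dnsName,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, rootKey, err := issueRootCA("Example Internal Root CA")
	if err != nil {
		panic(err)
	}
	leaf, _, err := issueServerCert(root, rootKey, "app.internal.example", time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid now:    ", verifyServerCert(leaf, root, "app.internal.example", time.Now()))
	fmt.Println("wrong name:   ", verifyServerCert(leaf, root, "other.internal.example", time.Now()))
	fmt.Println("after expiry: ", verifyServerCert(leaf, root, "app.internal.example", time.Now().Add(2*time.Hour)))
}
```

Whichever hosting model is chosen, the CA private key used in issueServerCert is the asset the whole system depends on; managed offerings keep it inside the provider's HSM-backed service, while a self-managed deployment has to protect it itself. The verification side never sees that key, only the root certificate, which is why distributing the root to clients (and rotating it) is a separate operational task from issuing leaves.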
In the context of this post, cloud PKI refers to a service or hosting model in the cloud where a service provider hosts and manages the infrastructure and the customer is responsible for the certificate authority (CA), as well as the PKI environment for provisioning and managing certificates.
With self-managed PKI, workloads may be hosted in a cloud environment or a more traditional on-premises datacenter. With a self-managed approach, the organization is responsible for maintaining the PKI infrastructure and operations.
A look into the delivery models for HashiCorp Vault can help make it clear what options are available and which one might be best for your organization.
HashiCorp’s cloud PKI functionality resides in HashiCorp Cloud Platform (HCP) Vault. HCP Vault is a fully managed implementation of Vault operated by HashiCorp, allowing organizations to get up and running quickly.
If an organization chooses to allow a public connection, the HCP Vault cluster will have an associated public address where clients can directly connect to Vault. (Most organizations disable the public connection for security reasons.) The organization can then establish a peering connection between its cloud provider and a HashiCorp virtual network (HVN). This ensures that only trusted clients (users, applications, containers, etc.) running in the peered public cloud provider can connect to Vault and stops systems outside of the selected network from attempting to connect.
Running PKI on HCP enables users to secure, store, and tightly control access to tokens, passwords, certificates, and encryption keys within one unified cloud-based platform.
Key benefits of running cloud PKI on HCP Vault include:
A managed product like HCP Vault brings many benefits, but organizations should also consider their particular needs when choosing how and where to host their PKI environment. Frequently, those needs are driven by compliance and regulatory requirements associated with specific industries, where self-managed hosting may be appropriate. Self-managed Vault comes in two editions: a free community edition for small use cases, and Vault Enterprise for larger organizations or organizations with stricter security requirements.
The benefits of running a self-managed PKI environment with Vault include:
Clearly, both cloud-based and self-managed PKI solutions have their pros and cons. That’s why HashiCorp offers multiple ways to address your PKI needs.
Cloud PKI offers agility, ease of use, and reduced operational overhead, whereas self-managed PKI offers more options to customize and meet specific security and compliance requirements. HashiCorp can meet your organization’s needs not only for both types of PKI, but also for both cloud-based and self-managed certificate lifecycle management (CLM) platforms. CLM is a broader effort to secure identity information and implement data protection for your users, devices, and applications.
Contact HashiCorp sales to learn more about how HCP Vault and Vault Enterprise can help with your PKI requirements.
Want to learn more about HashiCorp Vault PKI?