In this guest blog post, Paul de Curnou, Senior Business Development Manager, Marketplaces at Keyfactor, explores the benefits of modernized PKI deployments on Microsoft Azure and how Keyfactor can help.
Organizations are embracing cloud services to drive more efficiency, enable automation, and scale their digital footprint to meet new business needs. Like the mainframes before them, datacenters are gradually becoming obsolete, replaced by increasingly reliable and scalable cloud-based solutions. In the HashiCorp 2022 State of Cloud Strategy Survey, 76 percent of survey respondents said their company employs a multi-cloud architecture. HashiCorp projects that number is likely to increase to 9 in 10 companies in two years. As a leading cloud services provider, Microsoft Azure has become a staple for hybrid and multi-cloud infrastructure in many organizations. Hybrid and multi-cloud strategies aren’t just inevitable, they’re already a reality for many organizations.
Whether your organization already has a cloud-first strategy or you’re migrating legacy applications to Azure, public key infrastructure (PKI) is an essential building block to establish digital trust and securely connect workloads and applications at scale. PKI consists of software and hardware elements used to manage public-key encryption to secure electronic data transfer. Everyone from security architects and network engineers to application and operations teams rely on PKI and digital certificates to secure machine-to-machine connections across hybrid cloud environments. However, the shift to dynamic workloads and infrastructure as code introduces new challenges for PKI deployments.
Identity and security challenges of moving to cloud infrastructure
The transition from traditional datacenters to cloud infrastructure is complex and introduces several challenges for identity and security teams.
Dynamic workloads: The dynamic nature of cloud infrastructure increases the velocity of certificate issuance, deployment, and revocation.
More identities: The number of machines and workloads is growing exponentially, bringing many more machine identities into the mix.
IT complexity: Different teams often deploy multiple certificate authority (CA) and PKI technologies to support specialized use cases, increasing complexity and cost.
As applications migrate to the cloud, the tools and processes once used to secure traditional on-premises environments become much less effective. These legacy tools can even become operational roadblocks to a successful cloud migration. PKI and certificate management are no exception. Whether you’re just beginning your migration to Azure or your organization already has a mature, multi-cloud strategy, the demands on PKI infrastructure are increasing, and legacy PKI deployments cannot provide sufficient support.
Migrating applications to or building new applications on Azure helps teams drive efficiency and value for their business. As a result, the number of workloads, such as virtual machines, containers, and microservices, grows exponentially. In this new environment, security is predicated on ensuring every connection is authenticated, encrypted, and authorized using unique and trusted identities.
Machine identities, such as X.509 certificates, are everywhere in the cloud. Developers and engineers running on Azure rely on certificates every day to securely develop and run their applications. A holistic approach to cloud migration, including PKI and certificate services, is therefore critical to ensure your teams can unlock the full advantages of Azure while staying secure.
It’s clear PKI and machine identities serve as the backbone of digital trust in the cloud, securing mission-critical services and enabling connectivity at massive scale. To realize the benefits of digital transformation and cloud migration, organizations must simplify and modernize their PKI infrastructure.
6 benefits of Keyfactor EJBCA for Microsoft Azure
Keyfactor’s EJBCA is a powerful and flexible CA and PKI management platform to issue and provision certificates at cloud scale. It integrates seamlessly with Azure infrastructure, making it easy to issue certificates for any use case, whether on-premises or in the cloud. Even better, teams can deploy Keyfactor EJBCA directly from the Azure Marketplace. Built on open standards and an open-source platform, EJBCA brings the maturity and transparency expected from modern security infrastructure. It’s designed for the scalability and availability of the cloud, while ensuring robustness and compliance with industry best practices and standards such as Common Criteria.
Keyfactor is a Microsoft partner as well as a machine and IoT identity platform for modern enterprises. The company helps security teams manage cryptography as critical infrastructure by simplifying PKI, automating certificate lifecycle management, and enabling crypto-agility at scale. Here are some additional benefits of Keyfactor EJBCA for Microsoft Azure:
Azure integration: EJBCA integrates with Microsoft and Azure-native platforms via auto-enrollment, SCEP, and support for Intune. Authentication and authorization for managing EJBCA are handled via certificate authentication or Azure OAuth, and visibility and monitoring of your PKI can be handled via Azure Monitor Insights.
Multiple use cases: EJBCA supports all certificate use cases and certificate formats in one platform. Thanks to extensive integration and automation support via standard protocols and APIs, such as EST, SCEP, CMP, ACME, REST, and web services, EJBCA is easily extensible.
Infinite scalability: EJBCA can host multiple CA and PKI infrastructures in a single installation. Multi-domain and multi-forest deployment is supported, enabling you to consolidate PKI use cases into one platform — and you pay only for what you use.
Built-in HSM support: Using a hardware security module (HSM) brings enterprise-grade security and compliance and keeps all cryptographic keys secure. EJBCA integrates with all HSMs, including Azure Key Vault and Azure Key Vault Managed HSM, as well as Thales DPoD and most FIPS and CC-certified HSMs on the market.
Flexible deployment: To meet the unique business challenges of your organization, you can deploy EJBCA however you need it. It is available on Azure cloud as a hosted and managed service or as infrastructure as a service (IaaS), as well as hardware or software appliances for specific compliance or other requirements.
Certificate lifecycle automation: By adding Keyfactor Command, you can combine highly scalable PKI with full certificate lifecycle automation. Keyfactor Command provides visibility and control of all certificates across your environment, whether issued from EJBCA or any other public, private, or cloud-based CA service.
Find the most secure and efficient way for your organization to modernize PKI on Azure
The stakes are high when migrating or consolidating enterprise PKI infrastructure. It is imperative that current solutions enabled by existing certificate services continue to work with limited interruption, that the migration project manages existing interfaces and integrations to external systems, and that the robustness of the infrastructure is maintained — or improved — with the migration. With EJBCA, you can choose the migration strategy that works best for your situation. Here are three common migration options:
Migrate: Simplify and consolidate your PKI infrastructure with a full cut-over to EJBCA, migrating all existing use cases now.
Start fresh: Start a fresh EJBCA deployment for new use cases and migrate existing certificate services down the line.
Extend: Keep your Microsoft CA but implement EJBCA for modern use cases that require more flexibility and scale.
One Keyfactor customer, after implementing EJBCA, has been able to decommission more than 30 Microsoft CA servers, with hundreds more in the queue. This dramatically reduced the complexity of its internal PKI infrastructure. Previously, the PKI team had to rely on IT to manage hundreds of existing servers and roll out new servers to keep up with use cases. Now, with EJBCA, IT can focus on other parts of the business while the PKI team uses EJBCA SaaS to scale dynamically in the cloud and EJBCA’s flexibility to run multiple CAs in one cluster. The result is better resource allocation, substantial savings, and the ability to upgrade with no downtime.