On April 4th, Amazon Web Services announced a sweeping set of new security tools. The new products included AWS Secrets Manager and AWS Firewall Manager, which aim to give users more control over database credentials and security policies. One of the most interesting additions was a new feature of AWS Certificate Manager (ACM) called Private Certificate Authority (CA).
“This lets customers securely manage the lifecycle of private certificates with pay-as-you-go pricing,” writes Stephanie Condon, security reporter for ZDNet. “Previously, private certificates required expensive, specialized infrastructure and security expertise. The new feature lets developers provision private certificates with a few API calls, and it gives administrators a central CA management console and fine-grained access control through IAM policies.”
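The "fine-grained access control through IAM policies" mentioned above is the part a security engineer will actually have to get right: a workload that only needs to request certificates should not hold permissions that can alter or delete the CA. The following is an added example, not code from the original post, from Venafi, or from AWS. It builds a resource-scoped IAM policy for a certificate-requesting role, adds a small pre-deployment check that flags over-broad ACM PCA grants (wildcard actions or an unscoped Resource), and wraps the boto3 `issue_certificate` call so it can be exercised offline against a fake client. The CA ARN is a constructed placeholder; the action names `acm-pca:IssueCertificate`, `acm-pca:GetCertificate` and `acm-pca:DescribeCertificateAuthority` are real ACM PCA actions.

```python
"""Least-privilege access to an ACM Private CA (added example, not Venafi's or AWS's code).

Assumptions: CA_ARN is a constructed placeholder; the policy follows standard IAM JSON;
the boto3 acm-pca client is injected so the issuing call can be tested offline.
"""
import json
from typing import Any

# Placeholder CA ARN (constructed for this example; replace with your private CA's ARN).
CA_ARN = ("arn:aws:acm-pca:us-east-1:123456789012:"
          "certificate-authority/00000000-0000-0000-0000-000000000000")

# Actions a certificate-requesting workload needs; nothing that creates, updates or deletes the CA.
ISSUER_ACTIONS = [
    "acm-pca:IssueCertificate",
    "acm-pca:GetCertificate",
    "acm-pca:DescribeCertificateAuthority",
]


def issuer_policy(ca_arn: str) -> dict:
    """Build an IAM policy that lets a principal request and fetch certificates
    from exactly one private CA: explicit actions, Resource scoped to that CA."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "IssueFromOnePrivateCA",
                "Effect": "Allow",
                "Action": list(ISSUER_ACTIONS),
                "Resource": ca_arn,
            }
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy: dict) -> list:
    """Return the Sid (or index) of every Allow statement that grants ACM PCA access
    too widely: a wildcard action ('*' or 'acm-pca:*') or an unscoped Resource ('*').
    Intended as a pre-deployment check on policies attached to CA-issuing roles."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        touches_pca = any(a == "*" or a.lower().startswith("acm-pca:") for a in actions)
        if not touches_pca:
            continue
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = any(r == "*" for r in resources)
        if wildcard_action or wildcard_resource:
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings


def issue_certificate(client: Any, ca_arn: str, csr_pem: bytes, days: int = 365) -> str:
    """Request a certificate from the private CA via the boto3 acm-pca client
    interface (client.issue_certificate) and return the new certificate's ARN.
    The client is a parameter so the call can run against a fake without network access."""
    resp = client.issue_certificate(
        CertificateAuthorityArn=ca_arn,
        Csr=csr_pem,
        SigningAlgorithm="SHA256WITHRSA",
        Validity={"Value": days, "Type": "DAYS"},
    )
    return resp["CertificateArn"]


if __name__ == "__main__":
    policy = issuer_policy(CA_ARN)
    print(json.dumps(policy, indent=2))
    print("over-broad statements:", overbroad_statements(policy))
    # Against the real service: issue_certificate(boto3.client("acm-pca"), CA_ARN, csr_bytes)
```

The check deliberately ignores statements that do not touch `acm-pca:` actions, so it can be run over a whole role policy without drowning in unrelated findings; the scoped policy above passes, while a statement granting `acm-pca:*` on `*` is reported by its Sid.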
So, what does Amazon’s Private CA service mean for enterprises? According to our experts at Venafi, this feature will simplify PKI for users that operate exclusively on AWS. However, organizations that use AWS alongside an on-premises PKI may not see the same advantages. The new service also complicates multi-cloud deployments because it adds another touch-point to manage.
“Amazon’s continued focus on simplifying the security of cloud infrastructure is very good news,” says Broderick Perelli-Harris, senior director of professional services for Venafi. “The industry needs stronger and easier security to guarantee the integrity of sensitive data. Overall, these new features will help small-to-medium-sized enterprises that cannot maintain their own PKI infrastructure and only operate within the AWS Cloud environment. However, larger enterprises, who may already be operating their own internal PKIs, will find less value here.”
Heather Robertson, senior product marketing manager for Venafi, offers her thoughts: “Amazon’s ‘easy’ service is good for their customers because PKI is traditionally difficult to stand up and manage. But the reality is that many enterprises exist in hybrid environments that are shifting workloads into the cloud, but still maintain traditional datacenters. If every device and machine requires its own private keys and certificates – well, that’s a lot of spaghetti to untangle.”
“This service is exclusive to AWS customers, but won’t significantly help high-end enterprises with their management problem,” Robertson concludes. “Those organizations will need to find additional help elsewhere. A Certificate Authority-agnostic management platform will give them global intelligence across physical, virtual, cloud and mobile environments.”