PKI is kind of like death and taxes. It’s something you neither want to think too much about nor can avoid. But most organizations have to contend with it in some form or another. And more than a few use Windows internal Certificate Authorities (CAs) to manage internal PKIs, even though they frequently need to be updated and treated as if they were glass animals.
But what do you do when the animals break, and the zookeeper up and leaves you?
'I'm out of here' — PKI lead
That’s the situation a healthcare company found themselves in when their PKI lead—who had already warned that constantly patching and updating these Windows PKIs was too much work for him to manage—stumbled on a group of TLS certificates with their matching private keys sitting exposed on a server.
Explained the company’s director of InfoSec:
The PKI lead basically said, “I’m out of here.” [It] was a wakeup call to us that our machine identity management program needed a complete overhaul. No one even knew how to quantify the security and availability risks, let alone how much money and time we were wasting.
The company ruled out hiring a replacement PKI admin because it would have been too pricey. And they couldn’t spend a year or so to refresh their current PKI, which was how long they would need to fix the problem on their own. Instead, they needed a solution that they could get up and running quickly and leverage automation to scale for multiple digital transformation initiatives.
The company’s primary CA pushed their branded solution to manage the internal PKI, but its user interface looked like something from the Y2K era. And putting aside the overwhelming number of steps needed to onboard anyone, it didn’t work natively with Active Directory, which meant deployment would take too long. “We were in a bad place, if I’m being honest,” the director admitted.
Venafi solution: Zero Touch PKI
Fortunately, Venafi, the company’s TLS machine identity solution provider, learned of their PKI emergency and suggested they check out Zero Touch PKI. This solution would enable the company to replace their Microsoft PKIs with a managed “PKI-as-a-Service” that would cost a fraction of what replacing those PKIs would cost. Even better, end users wouldn’t notice any change with a solution that was 100% compatible with Active Directory, Windows desktops and laptops, Microsoft Intune and more.
When Venafi told them the SLA (service-level agreement) from purchase order to production was three weeks, the company decided to try it—although the director admitted it seemed “too good to be true.”
And yet it wasn’t. If anything, he felt that Venafi had undersold the benefits. The managed PKI solution was deployed on the company’s system in 19 days and delivered an immediate improvement in security while reducing all the complexity they used to have to contend with.
Said the director:
“Zero Touch PKI didn’t change anything in our current environment, except of course eliminate the cost, headaches and risk. The auto-enrollment proxy took a half hour to configure and prove out, and then Zero Touch PKI was issuing certificates easy-peasy. We eliminated enormous security risks and were immediately able to automate everything that used to be a pain.”
In addition, the solution provided instant scalability with no additional load balancers or servers needed, and it reduced the overall risk of compromise, a constant worry in the old Microsoft PKI setup.
Want to learn more? Read the full case study. But before you go, here’s one more comment from the director of InfoSec:
“I feel like a huge weight has been lifted, and I can’t quite believe it. Zero Touch PKI did everything we needed almost instantly and then some!”