Traditionally, IT infrastructure was housed on-premise, within company offices or dedicated datacentres. Managing these devices and endpoints was straightforward because IT had direct access to all of them, and users were primarily office-based. IT departments maintained comprehensive records of every device in their infrastructure, so they knew the exact location and status of each one. The primary challenge was keeping these devices patched and updated, a task that could be managed efficiently with basic management solutions.
In this scenario, provisioning and managing digital certificates also followed a relatively simple path. The main challenges arose from the number of domains and the geographical distribution of the organization. Complex organizations might require multiple teams and procedures to ensure proper certificate management across all users and devices. However, with most users working in a centralized office environment, provisioning user certificates remained a manageable task.
A Brave New World
However, for the last 10-15 years, the world has evolved, and with the widespread availability of cost-effective private and public cloud services, there has been a definite step away from the legacy 100% on-premise infrastructures. What we have is a wide spectrum of adoption, with organizations having a mixture of on-premise, public cloud, private cloud (cloud infrastructure operated solely for a single organization) and community cloud provisioning services, applications and supporting office-based and remote workers. This mixture of infrastructure is referred to as a hybrid cloud model – though many seem to ignore that on-premise services are still an integral part of the solution.
Challenges in Managing Virtual Machines and Certificates in Cloud Computing
Traditional on-premise hardware, although costly to purchase, implement, and maintain, gave organizations direct access for customization, management, security, and overall control. It was easy to know the exact location of servers and applications, so losing track of them was unlikely. Cloud computing is highly cost-effective and flexible, but the ease with which virtual machines can be created through various providers has led to virtual machine and resource sprawl, making them hard to track and maintain. The rapid creation and deletion of virtual machines by different departments, contractors, and active production applications makes this worse. Consequently, it becomes easy to lose track of the number of virtual machines or containers, their providers, the services they run, and their security status.
Managing digital certificates in cloud infrastructure, although common practice, presents some challenges. Identifying the location of virtual machines is complicated by the increasing use of containerization over traditional Infrastructure as a Service (IaaS). Containerization introduces unforeseen management issues around requesting, provisioning, and renewing certificates because of the complexity of pods, services, and nodes. Containers are created and deleted quickly as needed, and with many teams and containers in use, securing private keys and keeping up with the constant demand for certificate provisioning, expirations, and configuration in such a dynamic environment is a significant concern.
Understanding the Risks of a Hybrid Cloud Environment
When considering the management of digital certificates in a pure or hybrid cloud environment, it is important to understand the following potential issues:
- Fragmented and Duplicated Services: Typically, applications and services are deployed to the cloud over a long period of time, either by migrating existing services or by creating greenfield projects. Over time, new services or load-balanced instances are likely to be distributed across several cloud providers, regions and zones by various teams, software providers, integrators, or professional service contractors. Many of these will have their own preferred cloud providers, cloud technologies and processes, leading to a fragmented environment that cannot be managed by hand. To maintain a high security posture, there must therefore be a mechanism in place to automatically monitor and manage all these instances regardless of their location.
- Siloed Teams and Contractors: With multiple teams and short-term contractors creating cloud-based applications without any common practice or recording, certificates can be created and provisioned from various Certificate Authorities (CAs), including self-signed certificates, with no way to manage and monitor them. Even worse, with no standard process and various manual actions being performed, there is a significant risk of unsecured endpoints or expired certificates.
- Delays to Automated Cloud Scaling: In many cloud environments, most virtual machines and certainly all containers are created and deleted programmatically, as a flexible and scalable solution requires. Manual request and provisioning of certificates would seriously delay this process and effectively eliminate the benefits of automated cloud scaling. The delays of manual procedures often result in developers bypassing essential certificate management practices and using untrusted CAs or self-signed certificates in pursuit of agility, thereby magnifying cybersecurity vulnerabilities, including the risk of misconfigurations.
- Lack of Visibility: Even with a single cloud provider, with the high number of virtual machines and containers being created and deleted daily, it is virtually impossible to keep track of where certificates are required, where they have been provisioned, which CA issued them, and when they expire. This leads to unsecured applications, outages, security flaws, and service interruptions. Compliance teams will be unable to audit and log certificates to ensure that they are trusted and valid, leading to non-compliance issues such as weak crypto standards, the use of vulnerable self-signed certificates and certificates obtained from unapproved CAs.
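The visibility gap above is, at its core, a policy check over a certificate inventory. The following Go program is an added example (not GlobalSign's code): it audits already-collected certificates against an assumed policy of approved issuing CAs, no self-signed certificates, and no expiry within a configurable window, and it constructs its own test certificates so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// AuditCerts applies an inventory policy (constructed for this example): issuer must be
// an approved CA, not self-signed, not expiring within minDays. Returns violations by CN.
func AuditCerts(certs []*x509.Certificate, approvedCAs map[string]bool, minDays int) map[string][]string {
	deadline := time.Now().Add(time.Duration(minDays) * 24 * time.Hour)
	findings := map[string][]string{}
	for _, c := range certs {
		var issues []string
		// Issuer identical to subject means the certificate signed itself.
		if c.Issuer.String() == c.Subject.String() {
			issues = append(issues, "self-signed")
		} else if !approvedCAs[c.Issuer.CommonName] {
			issues = append(issues, "unapproved CA: "+c.Issuer.CommonName)
		}
		if c.NotAfter.Before(deadline) {
			issues = append(issues, "expires "+c.NotAfter.Format("2006-01-02"))
		}
		if len(issues) > 0 {
			findings[c.Subject.CommonName] = issues
		}
	}
	return findings
}

// newTestCert builds a constructed certificate; a nil parent means it signs itself.
func newTestCert(cn string, days int, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
```

In a real deployment the certificate slice would come from scanning endpoints or from the CA's issuance records; the CA names and hostnames used in the test are constructed.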
Managing Certificates on a Hybrid Cloud Environment
GlobalSign considers the solution to resolving the issues of managing certificates in a hybrid cloud environment no different to managing them in an on-premise environment.
Our Certificate Automation Manager solution not only allows organizations to automatically receive requests and provision certificates on any connected domain, but also track them, ensuring they are renewed, revoked or replaced when required.
It is designed to be fully flexible to fit the needs of each individual customer whether they are on-premise with a single domain, or have a fully developed hybrid cloud infrastructure using multiple providers, cloud technologies over multiple domains and time-zones.
Although currently not available as SaaS, Certificate Automation Manager can be installed on virtual machines and does not even need to be on-premise, or installed on the same physical environment as the Active Directory to function. In fact, to be as customizable as possible, the solution can be implemented as either on-premises, hybrid or full cloud depending on where you are on your cloud journey.
But don’t worry if you have not yet migrated to the cloud, Certificate Automation Manager can be installed on pure on-premise and can be migrated to a hybrid or full cloud implementation when you are ready.
This results in the ability to provision applications and projects on cloud platforms, and still secure them with GlobalSign certificates quickly and efficiently without the risk of downtime or security breaches.
Certificate Automation Manager can monitor and manage devices and servers regardless of whether they are physical or virtual. As a fully automated certificate management solution, it:
- Automatically provisions certificates for new devices, servers, containers or users without manual intervention using established policies
- Ensures that they are constantly monitored
- Allows the creation of scheduled reports for overall certificate visibility
- Ensures that key actions are undertaken including renewing and revoking of certificates
- Manages certificates in a rapidly changing environment such as an active IaaS or container-based infrastructure where the number of virtual machines or containers, and their need for certificates, is constantly changing