What is Cloud-based PKI Architecture?
Public Key Infrastructure (PKI) is mostly about managing secure digital identities: it provides the means to protect data and to establish a subject’s identity (a subject can be anything, such as a computer, a person, a router or a service) when information is shared over untrusted networks. PKI is essential to most businesses and their applications today.
What is Public Key Infrastructure (PKI)?
- Confidentiality
It refers to the process of ensuring that information sent between two parties stays between them and is neither viewed by nor disclosed to anyone else.
- Integrity
It refers to the process of ensuring that a message in transit maintains its integrity, i.e., that its content is not changed. The integrity of data is secured by hashing.
- Availability
Availability is the final component of the CIA Triad and refers to the actual availability of your data. Authentication mechanisms, access channels, and systems all have to work correctly so that the information they protect is available when it is needed.
Along with these, there are some important parameters which are described below:
- Authentication
The process of confirming someone’s identity with supplied parameters such as a username and password. PKI offers this through digital certificates.
- Authorization
The process of granting access to a resource to the confirmed identity based on their permissions.
- Non-Repudiation
A process to make sure that a message was sent by the intended endpoint, which cannot later deny having sent it. PKI offers non-repudiation through digital signatures.
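Integrity, authentication and non-repudiation are easiest to see in a signing round trip. The Go program below is an added example, not code from the original article; it uses only the standard library (crypto/ecdsa and crypto/sha256), and the key pair, the sample message and the function names are constructed for the illustration. The message is hashed with SHA-256 and the digest is signed; verification then fails both for an altered message and for a signature checked against a different party's public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// GenerateKey creates a P-256 key pair. In a real PKI the private key would
// live in an HSM and the public key would be carried in an X.509 certificate.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignMessage hashes msg with SHA-256 and signs the digest with the sender's
// private key. The digest binds the signature to the exact message bytes
// (integrity); the private key binds it to its holder (authentication and
// non-repudiation).
func SignMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyMessage recomputes the digest and checks the signature against the
// claimed sender's public key. It returns false both for a message that was
// altered in transit and for a signature made with a different key.
func VerifyMessage(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	sender, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message; any bytes would do.
	msg := []byte("approve order #4711 for 250.00 EUR")
	sig, err := SignMessage(sender, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:   ", VerifyMessage(&sender.PublicKey, msg, sig))
	altered := []byte("approve order #4711 for 950.00 EUR")
	fmt.Println("altered msg verifies:", VerifyMessage(&sender.PublicKey, altered, sig))
	other, _ := GenerateKey()
	fmt.Println("other key verifies:  ", VerifyMessage(&other.PublicKey, msg, sig))
}
```

The verifier needs only the public key, so any third party can later confirm who signed the message; that is what makes the signature non-repudiable. Two things the program does not show are what the rest of the PKI supplies: a certificate that binds the public key to a named subject, and key protection (for example an HSM) so that nobody but the subject could have produced the signature.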
Challenges when adopting a cloud-based PKI model
- Lack of understanding of PKI concepts and design aspects. Meeting compliance requirements such as NIST SP 800-57 (which provides recommendations for cryptographic key management) after deployment is also important.
- Ignoring the importance of HSMs. When HSMs are left out, know that your PKI will not be FIPS 140 Level 3 compliant.
- Knowing and understanding the cloud providers (AWS, Azure, GCP, etc.). Which provider can fulfil all the requirements of your business is something that needs to be worked out.
- Integration with your existing PKI infrastructure. Choosing the right model for your organization is a must.
- Choosing the right tools and processes for your certificate lifecycle management.
Considering Cloud-based PKI
Options for Cloud-based PKI models
- Simple Model
- Two Tier hybrid Model
- Three Tier Model
- Three Tier Hybrid Model
Simple Model
This is the simplest cloud-based PKI model to deploy and can be useful for small-scale businesses. In this approach the Root CA is kept on-premises and offline, the same way it is done in a traditional PKI. The Issuing CA is hosted in the cloud and acts as the primary enterprise CA, issuing certificates to the end entities. Here, the cloud provider is relied on for the management and availability of the virtual machines and certificate authorities.
For example, if your issuing CA is an AWS Certificate Manager Private CA (ACM PCA), the private keys are stored in AWS cloud HSMs.
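As an added illustration of the simple model (not code from the article, and not any cloud provider's SDK), the Go program below builds the two-tier hierarchy in software with the standard crypto/x509 package: a self-signed root that would sit offline on-premises, an issuing CA signed by that root, and one end-entity certificate. The CA names, the host name api.example.com and the helper names are constructed for the example. The relying-party check trusts only the root and treats the cloud issuing CA as an untrusted intermediate, which is exactly the trust relationship the model describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certSpec describes one certificate in the hierarchy (names are constructed).
// pathLen is the number of CAs allowed below a CA certificate; ignored for leaves.
type certSpec struct {
	name    string
	isCA    bool
	pathLen int
}

// issue creates a certificate for subjKey as described by spec. With parent == nil
// the certificate is self-signed (the offline root); otherwise it is signed by
// parentKey, the private key of the parent CA.
func issue(spec certSpec, subjKey *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: spec.name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  spec.isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if spec.isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		tmpl.MaxPathLen = spec.pathLen
		tmpl.MaxPathLenZero = spec.pathLen == 0 // encode an explicit pathLen of 0
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{spec.name}
	}
	if parent == nil {
		parent, parentKey = tmpl, subjKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjKey.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Hierarchy holds the simple model: offline root, cloud issuing CA, end entity.
type Hierarchy struct {
	Root, Issuing, Leaf *x509.Certificate
}

// BuildHierarchy generates fresh keys and certificates for all three tiers.
func BuildHierarchy(leafName string) (*Hierarchy, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, issKey, leafKey := keys[0], keys[1], keys[2]
	root, err := issue(certSpec{"Example Offline Root CA", true, 1}, rootKey, nil, nil)
	if err != nil {
		return nil, err
	}
	issuing, err := issue(certSpec{"Example Cloud Issuing CA", true, 0}, issKey, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := issue(certSpec{leafName, false, 0}, leafKey, issuing, issKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{root, issuing, leaf}, nil
}

// VerifyLeaf does what a relying party does: trust only the root, take the
// issuing CA as an untrusted intermediate, and check chain, usage and host name.
func VerifyLeaf(leaf, issuing, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuing)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	h, err := BuildHierarchy("api.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("chain to offline root verifies:", VerifyLeaf(h.Leaf, h.Issuing, h.Root, "api.example.com") == nil)
	fmt.Println("wrong host name rejected:      ", VerifyLeaf(h.Leaf, h.Issuing, h.Root, "other.example.com") != nil)
}
```

Only the root certificate is distributed to relying parties; the issuing CA certificate travels with the end-entity certificate, so the cloud-hosted issuing CA can be rotated or replaced without touching the trust stores. The root's path length of 1 permits exactly one CA tier below it, which is what makes this a two-tier layout; the three-tier models listed above would need a larger path length on the root.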

Two Tier hybrid Model

Three Tier Model

Three Tier Hybrid Model

The cost of a cloud-based PKI
Conclusion
Author
Parnashree Saha is a data protection senior consultant at Encryption Consulting LLC working with PKI, AWS cryptographic services, GCP cryptographic services, and other data protection solutions.