A Hybrid Approach to PKI Deployment for Modern Manufacturers
Manufacturing is one of the most attacked industries and faces a wide range of cybersecurity challenges. The spread of DevOps practices and of distributed IoT devices, together with the need to secure the digital identities of those applications and devices, calls for new approaches to PKI deployment.
Thales and PrimeKey have partnered to offer a hybrid approach to PKI key management for organizations that are looking for unified PKI governance. The joint solution combines PrimeKey's EJBCA PKI software with Thales' on-premises Luna Hardware Security Modules (HSMs) and its cloud-based Data Protection on Demand (DPoD) service.
To understand why this kind of hybrid approach is needed, consider the use case of a manufacturing enterprise that adopted the joint Thales and PrimeKey solution.
Use case: manufacturing enterprise
A large manufacturer of commercial vehicles, such as trucks and buses, required an on-demand security solution for its fleet management as it expanded its portfolio to include more electric and self-driving trucks. To meet its security requirements, the company needed to provision digital certificates in the vehicles and was therefore looking for a dependable and flexible PKI environment.
The manufacturer needed a certificate-based solution that would give every vehicle a secure identity. The organization's IT department was to manage and host the PKI on behalf of the development department, so that developers could simply request certificates from IT.
One requirement was the ability to perform over-the-air (OTA) updates. Most vehicles are brought to centralized locations for software updates, but the manufacturer wanted to be able to update vehicles in the field as well. Because the manufacturer would be connecting to vehicles remotely, a secure identity for each vehicle is imperative: the manufacturer must be able to tell which vehicle it is talking to, and the vehicle must be able to verify that an update really comes from the manufacturer.
To satisfy these operational and security requirements, the manufacturer chose the combined PrimeKey and Thales solution. PrimeKey's EJBCA Cloud acts as the in-house certificate authority (CA), operated by the manufacturer's own IT department, and issues all certificates needed to ensure the integrity and authenticity of OTA updates. Thales' on-premises Luna HSM and the Luna Cloud HSM service, part of the Data Protection on Demand platform, serve as the root of trust for the PKI: they protect the CA private keys, either on-premises in the factory or in the cloud, so that certificates can be issued to vehicles out in the field.
The illustration below puts the joint PrimeKey and Thales solution into context, showing how a flexible PKI implementation can support both siloed and centralized deployment models.
Why would you need a hybrid PKI offering?
PKI is a well-established technology that businesses leverage across various use cases, including:
- Access control and endpoint protection.
- Communication verification and integrity, such as email encryption, digital signatures, and invoicing.
- Software supply chain security with code signing certificates.
- Operational Technology (OT) safety and reliability, such as securing smart grids.
- Information Technology (IT) integrity and availability, such as DNS server security.
However, a PKI is only as strong as the protection of its keys. Compromise of the root CA key, whether by a malicious actor, an inadvertent error, or a system failure, has catastrophic consequences: every component and service that chains to that root can no longer be trusted, and recovering means re-issuing the entire hierarchy. It is therefore critical to secure PKI key management in order to prevent key theft or misuse, meet regulatory compliance requirements, and audit key usage and key lifecycle. Keeping CA keys in tamper-resistant hardware that serves as the root of trust is an industry best practice for strong protection of, and controlled access to, PKI keys.
The problem is that many enterprises have deployed siloed, non-connected PKIs to accommodate specific, disconnected use cases, even though in most cases these PKIs still chain back to the corporate root CA. This fragmented infrastructure results in a lack of centralized control and increases governance risk.
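The following script is an added example and is not code from the original article or from PrimeKey or Thales. It uses plain OpenSSL to build the kind of two-tier hierarchy described in the use case above (a root CA whose key, as this paragraph argues, belongs in an HSM; an online issuing CA; and a leaf certificate that signs an OTA image), then shows what trust chained to the root buys: a genuine signed update verifies, a tampered image is rejected, and an update signed by a look-alike CA that does not chain to the manufacturer's root is rejected even though its certificate names are identical. All names, curves, validity periods and extension profiles are assumptions; the firmware payload is constructed inline; the root key is written to a PEM file purely for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article or from PrimeKey/Thales.
# Two-tier hierarchy with the openssl CLI (1.1.1 or newer, no network needed).
# The root key is a PEM file here only for illustration; the article's point is
# that in production it lives in an HSM and never leaves it.

q() { "$@" >/dev/null 2>&1; }   # run a command quietly

# Extension profiles for each tier (assumed; adapt to your certificate policy).
write_profiles() {
  cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
[v3_issuing]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_signer]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
}

# new_key FILE CURVE
new_key() { q openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$2" -out "$1"; }

# self_signed_ca KEY CERT CN PROFILE
self_signed_ca() {
  q openssl req -x509 -key "$1" -out "$2" -days 3650 -subj "/CN=$3" \
    -config req.cnf -extensions "$4"
}

# issue KEY CERT CN PROFILE CA_CERT CA_KEY  (CSR from KEY, signed by the CA)
issue() {
  q openssl req -new -key "$1" -out "$2.csr" -subj "/CN=$3" -config req.cnf
  q openssl x509 -req -in "$2.csr" -CA "$5" -CAkey "$6" -CAcreateserial \
    -days 365 -extfile req.cnf -extensions "$4" -out "$2"
}

# verify_update ROOT INTERMEDIATE LEAF SIG IMAGE
# Trusts only ROOT (system store disabled), requires LEAF to chain to it via
# INTERMEDIATE, then checks the detached signature over IMAGE with LEAF's key.
verify_update() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 || return 1
  openssl x509 -in "$3" -pubkey -noout > "$3.pub" 2>/dev/null || return 1
  openssl dgst -sha256 -verify "$3.pub" -signature "$4" "$5" >/dev/null 2>&1
}

# Builds everything in the current (scratch) directory and prints one summary line.
build_and_check() {
  write_profiles
  new_key root.key P-384;    self_signed_ca root.key root.crt "Example Manufacturer Root CA" v3_root
  new_key issuing.key P-256; issue issuing.key issuing.crt "Example OTA Issuing CA" v3_issuing root.crt root.key
  new_key signer.key P-256;  issue signer.key signer.crt "OTA Update Signer 01" v3_signer issuing.crt issuing.key

  # A rogue CA using the same names but with no path to the manufacturer's root.
  new_key rogue.key P-256;   self_signed_ca rogue.key rogue.crt "Example OTA Issuing CA" v3_issuing
  new_key rogue_signer.key P-256
  issue rogue_signer.key rogue_signer.crt "OTA Update Signer 01" v3_signer rogue.crt rogue.key

  # Constructed firmware image, signed by the genuine and by the rogue signer.
  printf 'FIRMWARE v2.3.1 constructed sample payload\n' > update.bin
  q openssl dgst -sha256 -sign signer.key -out update.sig update.bin
  q openssl dgst -sha256 -sign rogue_signer.key -out rogue.sig update.bin
  cp update.bin tampered.bin && printf 'X' >> tampered.bin

  g=rejected; t=rejected; r=rejected
  verify_update root.crt issuing.crt signer.crt update.sig update.bin && g=ok
  verify_update root.crt issuing.crt signer.crt update.sig tampered.bin && t=ok
  verify_update root.crt issuing.crt rogue_signer.crt rogue.sig update.bin && r=ok
  echo "genuine=$g tampered=$t rogue=$r"
}

# Entry point: runs the demo in a temporary directory and prints the summary.
ota_pki_demo() {
  work=$(mktemp -d) || return 1
  out=$(cd "$work" && build_and_check)
  rm -rf "$work"
  echo "$out"
}

ota_pki_demo
```

The vehicle side of this check is `verify_update`: it pins a single trust anchor, refuses anything that does not chain to it, and only then checks the signature over the image. Moving the root and issuing CA keys into an HSM (accessed through the HSM's PKCS#11 interface rather than read from a PEM file) changes nothing in that verification path, which is exactly why the hardware root of trust can be introduced without touching the fleet.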
As cyber threats are increasingly becoming top business risks, enterprises need to establish and benefit from a centralized PKI governance and secure key management to:
- Scale and adapt to an evolving business and technology environment.
- Support new use cases and distributed operations in the field.
- Minimize cybersecurity vulnerabilities and ensure compliance.
Manufacturers want to ensure that production processes are not interrupted if internet connectivity is temporarily lost. This is a classic Operational Technology (OT) versus Information Technology (IT) conundrum: some parts of the security infrastructure must be on-premises, semi-autonomous, and resilient to disruption, while other parts, such as the IoT backend and the DevOps environment, are better placed in the cloud, which brings scalability and geographic service coverage.
To address these operational requirements, enterprises can combine on-premises and cloud deployments to support their use cases. This applies both to the PKI itself and to the HSMs that protect its keys. A hybrid approach that combines the benefits of on-premises and cloud deployment is arguably the best choice for securing a PKI, and it gives you the flexibility you will need over time.
The benefits of the joint PrimeKey and Thales solution
The main drivers that pushed the manufacturer in this use case to run its certificate authority in-house were cost and convenience. Once the company evaluated the volume of certificates it would need, an in-house CA made more sense, and having the IT department issue certificates made the process faster and easier for developers. With Luna HSMs as the root of trust, whether on-premises, in the cloud, or as a hybrid combination, the security of the PKI is hardened. Luna Cloud HSMs on DPoD provide FIPS 140-2 certified hardware-based key protection with the benefits of a cloud service: security becomes simpler, more cost effective, and easier to manage because there is no hardware to buy, deploy, and maintain.
Overall, the joint PrimeKey and Thales solution offers many benefits to enterprises looking for a centralized PKI governance across a distributed operational environment:
- Robust PKI security using FIPS 140-2 certified HSMs.
- Simplified cloud solution that can be quickly implemented.
- Predictable costs, high availability, and quick time to market.
- Eliminates the need for costly upfront investments and hardware management.
- Seamless experience avoiding the friction of having to work with multiple vendors. One supplier, one comprehensive and future-proof joint solution.