Hosted Versus On-Premise Solutions
As IoT deployments are designed and architected, the IoT provider or organization must address the Certificate Authority (CA) infrastructure requirement and decide whether to use an internal CA or a publicly trusted CA. While using an internal or private CA might seem ideal and even a more cost-effective solution at first, it is important to understand the role of the CA infrastructure and the benefits of using a publicly trusted CA.
For instance, an internal CA is not automatically trusted by external systems and devices. Also, an on-premise CA infrastructure places the burden of hosting and managing the entire PKI framework on the shoulders of the IoT provider or organization. Conversely, a hosted CA infrastructure places the responsibility of hosting and managing the entire PKI framework on the shoulders of the publicly trusted CA, something the CA already knows how to do and is equipped to handle. The expertise and trust that a publicly trusted CA brings is invaluable and, in most situations, is crucial to a successful IoT deployment.
Reasons to Use a Publicly Trusted CA
An internal CA can never be used in a way that is trusted automatically by external services or relying parties, resulting in warnings and errors for users and devices. While private CA implementations may be appropriate for some deployments, publicly trusted certificates are often critical to ensuring trusted access to systems and devices.
Certificates are used to secure sensitive and valuable information. Investing in servers and infrastructure needed to handle mass issuance, reissuance, and/or revocation events is necessary to ensure integrity of the PKI systems. Those events are rare, but the cost involved in such an investment can be large, especially when dealing with tens of thousands or hundreds of millions of certificates.
The security requirements of running a CA are substantial. Your Root CA needs to be secured to the absolute highest level, which requires investment in hardware, CA software, infrastructure, PKI architects, consulting services, and training.
Cryptography is constantly changing. What was considered completely secure and safe to use three or four years ago is now deprecated. Some aspects of certificates may require an even quicker turnaround in switching substantial infrastructure to new or different cryptographic properties. As a publicly trusted CA, DigiCert is able to support upcoming curves, algorithms, and hashes years before they become mainstream. When vulnerabilities are found or deprecation occurs, we can immediately switch to a secure alternative.
Understanding PKI is difficult, complex, and typically isn't an IoT provider’s full-time job. However, it is DigiCert’s job to understand FIPS 140-2 level 2, ECDHE cipher suites, PKCS #11 cryptographic interfaces, root ubiquity compliance, and X.509 OIDs. As trusted PKI experts, DigiCert helps implement security best practices and manage compliance and risk.
All core DigiCert services offer exceptional uptime and availability. When dealing with globally disparate certificate provisioning, verification, and revocation, deploying a brand new infrastructure to support the many needs of such systems is not logistically feasible for most organizations and is almost never economically feasible when compared to using systems already in place.
DigiCert offers incredibly competitive pricing which can automatically scale with certificate issuance, allowing your investment to start at an already financially viable position and grow to ever more affordable levels as your certificate issuance increases.
If an internal CA is compromised and enables access to privileged data, the damage to a company's reputation is often severe, and the resulting monetary loss can be significant. Separating management of some parts of an organization's security solution can not only increase the overall security of that solution, but also help to minimize damages in worst-case scenarios.