How to Maintain PKI High Assurance in the Cloud, for the First Time

Last updated: 14 November 2018

Cyber security adoption is booming, with record IT spending on security solutions for enterprises using on-premises as well as cloud and web-based services. Along with the proliferation of vendors and solutions comes a rise in security breaches. Even though there is a lot of noise around digital transformation, 451 Research claims that we may never reach ‘cloud nirvana’.

Cloud access management needs to be more secure

Despite the advantages of the cloud over on-premises (on-prem) IT, not all workloads will move to the cloud. “It’s simply not suited for every use case” says Garret Bekker, Senior Security Analyst at 451 Research.

Figure: Cloud Transformation

What does that mean for security vendors and enterprises? With identity theft being the most prevalent data breach type, according to the H1 2018 Breach Level Index report, this is still a serious problem for organizations to tackle. Enterprises need products that will let them maintain their current investments – but at the same time ensure that they can move to the cloud and carry out digital transformation initiatives securely.

PKI MFA limited to on-prem Identity Providers?

One of the most successful ways of stepping up enterprise security has been PKI-based authentication: Public Key Infrastructure is a high assurance security framework used by many enterprises, defense departments and governments. Driven by global demand to comply with security regulations and by growing awareness of multifactor authentication, PKI adoption is increasing as well. The global PKI market is expected to reach a value of USD 1,987.1 million by the end of 2023, according to a November 2018 press release.

Until now, PKI authentication has suited companies with resources and services on-prem, but those companies could not take on cloud and mobility ventures without completely ‘ripping and replacing’ their current security framework. Enterprise employees have been using smart cards and tokens to authenticate themselves while accessing corporate resources. However, the PKI perimeter has been limited to activities within the enterprise. Authenticating with PKI for business use cases such as email encryption and digital signing has also been limited to on-premises environments.

Identity Management Strategy: PKI plus Smart Single Sign On Solutions

With the mix of private cloud, public cloud, on-prem and hybrid environments, enterprises need a solution that offers the high security of PKI, making it easier and more secure for groups of users to access cloud and web-based apps and resources from any device and anywhere.
How can this be done? The new reality has left enterprises faced with multiple untrusted devices, different identities, distributed enterprise and cloud resources, and diverse applications. Now, with an identity and access management solution such as SafeNet Trusted Access, enterprises can extend PKI credentials to access policies, restricting or relaxing access according to resource, app, device or other contextual factors.

Figure: PKI Smart Cards. Source: 451 Research’s Voice of the Enterprise: Cloud Transformation Organizational Dynamics 2017

Extending PKI credentials to your web and cloud-based applications through an Access Management Solution means that you can bridge the gap between on-prem and cloud-based business cases while still maintaining high assurance security.

PKI Authentication with Access Management

For example, let’s say an employee needs to access Amazon Web Services. He or she can log into the web service with a smart card or soft certificate. An Access Management Solution such as SafeNet Trusted Access will apply the appropriate access policy and prompt the user for his or her smart card PIN. SafeNet Trusted Access will then validate the certificate and the PIN and grant access to the user. The same policy can be applied to multiple applications, creating a single sign-on experience for the user.


This type of Smart Single Sign On does not grant users the keys to the kingdom. You could establish a policy where users are asked to reauthenticate if logging in from outside a trusted network. The policy could also block users completely from certain applications or ease access for employees working on-prem. With conditional access, the PKI credentials are not being used to access everything. Smart SSO, combined with high assurance PKI, helps enterprises facilitate easier, secure access to their apps.
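The policy flow described above, as an added illustration that is not SafeNet Trusted Access code: a toy conditional-access decision for PKI-authenticated users, combining the certificate and PIN checks from the AWS example with the network, application and session rules from this paragraph. The network ranges, issuer name, application names and the 15-minute threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed policy data for this example: trusted corporate networks,
# applications that stay reachable only from on-prem, and the issuing CA
# whose certificates the access policy accepts. All values are made up.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]
ONPREM_ONLY_APPS = {"hr-payroll"}
TRUSTED_ISSUERS = {"CN=Example Corp Issuing CA"}
MAX_SESSION_MIN_OFF_NETWORK = 15   # force a fresh PKI auth after this, off-network
NOW = datetime(2018, 11, 14, tzinfo=timezone.utc)

@dataclass
class CertInfo:
    subject: str
    issuer: str
    not_after: datetime
    revoked: bool = False        # result of a CRL/OCSP check, supplied by the caller

@dataclass
class Request:
    cert: CertInfo
    pin_verified: bool           # smart card PIN accepted by the card middleware (assumed input)
    source_ip: str
    app: str
    session_age_min: int         # minutes since the last PKI authentication in this SSO session

SAMPLE_CERT = CertInfo("CN=alice", "CN=Example Corp Issuing CA",
                       datetime(2019, 6, 1, tzinfo=timezone.utc))

def on_trusted_network(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_NETWORKS)

def cert_valid(cert: CertInfo, now: datetime) -> bool:
    # Trusted issuer, not revoked, not expired: the certificate validation step.
    return cert.issuer in TRUSTED_ISSUERS and not cert.revoked and cert.not_after > now

def decide(req: Request, now: datetime = NOW) -> str:
    """Return 'allow', 'reauthenticate' or 'deny' for one access request."""
    if not cert_valid(req.cert, now) or not req.pin_verified:
        return "deny"                      # the PKI credential itself failed
    inside = on_trusted_network(req.source_ip)
    if req.app in ONPREM_ONLY_APPS and not inside:
        return "deny"                      # app blocked entirely from outside
    if inside:
        return "allow"                     # relaxed policy on-prem: the SSO session is enough
    if req.session_age_min > MAX_SESSION_MIN_OFF_NETWORK:
        return "reauthenticate"            # off-network: step up with a fresh smart card auth
    return "allow"
```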

Cloudy about Smart SSO in your enterprise? Learn about your identity and access management options today: Watch the Webinar Turning PKI Smart Cards into Cloud SSO Gold, read the ‘Extending PKI Smart Cards to Cloud and Web Access Management’ solution brief or download the Access Management Handbook.
