New whitepaper: Scaling certificate management with Certificate Authority Service
Anton Chuvakin
Security Advisor, Office of the CISO, Google Cloud
Anoosh Saboori
Group Product Management Lead
As Google Cloud’s Certificate Authority Service (CAS) approaches general availability, we want to help customers understand the service better. Customers have asked us how CAS fits into our larger security story and how CAS works for various use cases; today we are releasing a white paper about CAS to answer those questions and more.
“Scaling certificate management with Google Certificate Authority Service”, written by Andrew Lance of Sidechain and Anton Chuvakin and Anoosh Saboori of Google Cloud, focuses on CAS as a modern certificate authority service and showcases key use cases for CAS.
The digital world has experienced unprecedented growth and interconnectivity over the past few years. A perfect storm of new conditions has achieved almost a flywheel effect, with the advent of many technological innovations. The concurrent rise of cloud computing, emergence of 5G, and proliferation of Internet-of-things (IoT) smart devices has created immense market opportunities for digital products that interconnect our lives and workplaces. Critical to this explosion of connected devices and software-defined-everything is the ability for these interconnected devices to verify their identity with each other.
Google has introduced Certificate Authority Service (CAS) to address these and many other challenges that organizations face as they use digital certificates in this new age. CAS is not only a cloud-ready platform for hyperscaling certificate management; it is also aligned with the development methodologies of cloud-native applications, as well as fully API-enabled.
Here are our favorite quotes from the paper:
“The hyperscale growth of digital infrastructures have expanded not only from the data center to the cloud, but have embraced sophisticated multi-cloud strategies, and hybrid strategies that seamlessly integrate clouds and on-premise workloads. Digital certificates underlie the system integrity of all of it, the scale of which has become frighteningly massive.”
This reminds us that digital certificates are not about “IT plumbing”; they underpin the entire digital economy.
“Traditional certificate management systems - often referred to as Certificate Authorities (CA’s) - are not equipped to handle these new demands. [...] It is very typical that certificate requests are manual, often requiring days if not weeks turnaround time. [...] New demands being placed on digital certificates and PKI systems are often at-odds with these traditional deployments.”
This means that both legacy tools and traditional processes around certificates do not fit today’s demands.
“As more organizations are developing applications and technology infrastructure cloud-first, it simply doesn’t make sense to keep tying back to on-premise infrastructure like certificate authorities.”
“Containers make deploying application components easy and fast. [...] Things get complicated when adding certificates. Certificate renewal usually happens at a different cadence than application updates, and traditional CA systems are managed by completely different teams requiring lengthy manual requests to fulfill certificate issuance. [Google] CAS, on the other hand, can enable developers to securely manage certificates within their containerized applications through automation and standardized API’s.”
Containers are one of the best example environments where Google CAS shines.
“Many smaller vendors in the IoT space are now seeing the need for PKI and certificate management as standards body’s such as the Wireless Power Consortium now require authentication frameworks that involve certificate-based identities and other security requirements. Many smaller companies do not have the skillsets or other resources to manage their own traditional PKI infrastructure. CAS is a service that enables smaller engineering-centric organizations to manage certificates much easier than traditional CA’s would be.”
As we said in our blogs, IoT is another area where Google CAS works well.
“Many IT organizations are also establishing a “zero trust” model for network-based security, all of which relies on the concept of trusted identity rooted in digital certificates. IT teams are now establishing trusted identities for applications, operating systems, smartphones and other BYOD devices, and workstations. [...] CAS offers an intuitive service for IT teams to scale their efforts with zero trust models.”
Read “Scaling certificate management with Google Certificate Authority Service”, and sign up for CAS here.