Enhancing PKI with Hybrid Cloud Deployment using Infrastructure-as-Code

Andrew Dunn

In this blog post we’ll explore how a hybrid PKI deployment – integrating on-premise Hardware Security Modules (HSMs) with cloud-based PKI infrastructure using IaC – provides enhanced security, consistency, scalability and cost efficiency. We’ll also delve into IaC for those unfamiliar with the concept, demonstrating its value in auditing.

Understanding Infrastructure-as-Code (IaC)

IaC revolutionises the way we manage and provision computing infrastructure. Instead of manually configuring servers, networks, load-balancers, firewalls and other components, IaC allows you to define these elements in code. This code can be version-controlled, audited and automated, ensuring consistency and reducing human error.

In essence, IaC brings software engineering principles to infrastructure management, enabling teams to deploy, manage, and scale applications with the same rigor and reliability as code.

Key benefits of IaC:

  • Automation: A new environment can be created from scratch in minutes rather than days or weeks.
  • Scalability: Define in code how resources should be scaled up and down to handle varying workloads.
  • Reproducibility: Setups are uniform across different environments (development, staging, production), reducing environment-specific bugs and configuration drift.
  • Auditability: Every single change made to infrastructure is recorded in a version control system. Feedback from audit and security assessments is tied precisely to issue trackers and commits in Git.
  • Security: Automated scanning of IaC based around constantly updating security standards and best practices.
  • Disaster Recovery: Quickly recreate infrastructure, minimising downtime.

These are clearly of general benefit across the board, but to a security conscious and heavily audited system such as PKI, the impact is even more significant. Which changes in our system took place between two dates? Not only can we easily get each line of IaC that was altered, we can also see in CI/CD pipelines exactly when it was deployed. Not only that, but given the right controls and access logging, we can say with confidence that no human intervention outside of our IaC was responsible for a change in the infrastructure.
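As an added illustration of the audit questions above (not code from the original post), here is a small Python helper over constructed commit, deployment and firewall-rule data: it lists the IaC changes in a date window together with the pipeline run that applied each, and flags running resources that differ from what the code declares, which is the "no change outside our IaC" check in practice. All identifiers, file names and ports are made-up sample values.

```python
"""Audit helpers for an IaC-managed PKI estate (all data below is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class Commit:
    sha: str          # version-control commit of the IaC change
    when: datetime    # commit timestamp
    files: tuple      # IaC files touched by the commit

@dataclass(frozen=True)
class Deployment:
    sha: str          # commit the CI/CD pipeline applied
    when: datetime    # when the pipeline applied it
    pipeline: str     # pipeline run identifier

def changes_between(commits, deployments, start, end):
    """Answer 'what changed between two dates?': every IaC commit in the
    window, paired with the time CI/CD deployed it (None if never applied)."""
    applied = {d.sha: d.when for d in deployments}
    return [(c.sha, c.files, applied.get(c.sha))
            for c in commits if start <= c.when <= end]

def detect_drift(declared, observed):
    """Compare resources declared in IaC with what is actually running.
    Anything differing was changed outside the pipeline, or was never in code."""
    return {name: (declared.get(name), observed.get(name))
            for name in declared.keys() | observed.keys()
            if declared.get(name) != observed.get(name)}

# Constructed sample history: three IaC commits, two of them deployed.
COMMITS = (
    Commit("a1f3c", datetime(2024, 3, 1, 9, 0, tzinfo=UTC), ("ca/issuing-ca.tf",)),
    Commit("b7d20", datetime(2024, 3, 4, 14, 30, tzinfo=UTC), ("network/firewall.tf",)),
    Commit("c9e11", datetime(2024, 3, 9, 11, 0, tzinfo=UTC), ("logging/siem.tf",)),
)
DEPLOYMENTS = (
    Deployment("a1f3c", datetime(2024, 3, 1, 10, 15, tzinfo=UTC), "pki-prod#41"),
    Deployment("b7d20", datetime(2024, 3, 4, 15, 0, tzinfo=UTC), "pki-prod#42"),
)
# Constructed firewall rules: declared in IaC versus observed from the platform.
DECLARED = {"fw-ocsp-ingress": {"port": 80, "source": "0.0.0.0/0"},
            "fw-hsm-ingress": {"port": 9004, "source": "10.20.0.0/24"}}
OBSERVED = {"fw-ocsp-ingress": {"port": 80, "source": "0.0.0.0/0"},
            "fw-hsm-ingress": {"port": 9004, "source": "0.0.0.0/0"},  # widened by hand
            "fw-debug-ssh": {"port": 22, "source": "0.0.0.0/0"}}      # never in code
```

In a real estate the commit list comes from `git log` and the observed snapshot from the cloud provider's API; the correlation logic stays the same.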

Let’s look at an example deployment.

Hybrid PKI Deployment

Here we combine the strength of on-premise and cloud environments. Organisations can maintain physical control over cryptographic keys while benefiting from the cloud’s scalability and flexibility.

First let’s take a high-level view of the different pieces, where they might reside and what IaC creates for us.


It’s worth first mentioning some of what is not in the diagram but is also managed using IaC.

  • Network Topology, Firewalls, Load balancers, VPN, Databases.
  • Audit Logging / archival.
  • Secrets management.
  • Redundancy, multi-region deployment.
  • Application log monitoring / SIEM.

It’s important to mention what cannot be managed by IaC, namely the initial setup of a Data Centre for the Online Issuing CA, such as the physical access controls dictated by audit requirements. Here we also get into the world of cages, racks, safes, access cards, air gaps, key ceremonies, chain of custody and more, a topic for another blog post!

Having said that, at the earliest possible moment that prudence allows, infrastructure necessary for this setup is defined in IaC.

Given the parts of the diagram which are automated and defined programmatically, a number of different scenarios become possible with a minimal amount of work.

Deploy a disposable test environment entirely in the cloud.


Deploy multiple Single-Tenant CAs split between cloud and data centre.


Fork the IaC Git repositories and allow 3rd parties to create and manage their own infrastructure, while still receiving updates from the upstream repositories.


Those are just a few of the options available, but hopefully they get across the general idea: once it’s in code, given the right amount of configurability and flexibility in the IaC itself, a whole new world of automation opens up. This transformation not only slashes the potential for human error but also guarantees consistency across all environments, making infrastructure management a breeze.