Richard Hicks, an expert in Microsoft Cloud PKI and certificate management, shares insights on moving the device certificate authority to the cloud. He discusses the current state of Cloud PKI, emphasizing that it is early in its development and that certificate issuance depends entirely on Intune enrollment. Richard explains how it can shrink on-premises infrastructure while improving security, since issued keys can be generated and held in the device's TPM. He highlights the gap around server certificates and the need for automated renewal in cloud environments. The conversation closes with where the Cloud PKI landscape is likely to go next.
Microsoft Cloud PKI simplifies certificate management for Intune-managed devices, automating issuance and renewal while improving security by keeping private keys in device hardware (the TPM).
Despite its advantages, the current limitations of Microsoft Cloud PKI include the inability to issue server certificates, necessitating continued reliance on traditional ADCS for certain infrastructure needs.
Deep dives
Introduction to Microsoft Cloud PKI
Microsoft Cloud PKI offers a cloud-based solution for managing public key infrastructure (PKI) through Intune, enabling organizations to issue, manage, and revoke certificates for Intune-managed devices wherever they are. Because enrollment and the certificate profile both come from Intune, certificates can be deployed without any on-premises infrastructure. As organizations move towards remote and cloud-native environments, adopting this service can simplify PKI management by removing much of the complexity of traditional Active Directory Certificate Services (ADCS). It is important to note, however, that this initial version comes with limitations, particularly its inability to issue certificates to anything that is not managed by Intune.
Simplifying Certificate Management
The introduction of Cloud PKI through Intune significantly simplifies the deployment and management of certificates. With automated issuance, renewal, and revocation, the cloud service addresses the administrative hurdles that arise with traditional PKI systems. By generating the private key in the device's Trusted Platform Module (TPM) and binding the certificate to it, the key is non-exportable, which reduces the risk of credential theft: an attacker who copies the certificate file still cannot use it without the device. Users report setting up the service in minutes, which further illustrates the efficiency of moving certificate management to the cloud.
Limitations and Future Developments
While Cloud PKI for Intune presents a compelling solution, it currently lacks server certificate issuance, limiting its use to endpoint scenarios. The service is geared towards user and device authentication for functions such as VPN or Wi-Fi (client authentication certificates) but does not yet issue the server (TLS) certificates needed by web servers, VPN gateways, and similar infrastructure. Organizations will therefore still need traditional ADCS or a third-party CA for those certificates. Nonetheless, ongoing development is expected to broaden the feature set, making the service an attractive option for organizations that want to run a modern, cloud-first infrastructure.
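The two points above, TPM-backed keys and client-authentication-only certificates, are both checkable on the device itself. The following PowerShell script is an added example, not code from the episode or from Microsoft: it audits the machine certificate store for certificates issued by a given CA, reports whether each private key lives in the TPM (the "Microsoft Platform Crypto Provider" key storage provider) or in software, lists the Client Authentication and Server Authentication EKUs, and flags certificates that are close to expiry so renewal problems surface early. The issuer name it matches on (`Cloud PKI`) is a placeholder; replace it with the subject of your own Cloud PKI issuing CA.

```powershell
# Added example (not from the episode): audit certificates issued by a Cloud PKI issuing CA
# on a Windows device. Run in an elevated Windows PowerShell 5.1 or PowerShell 7 session.
# Assumption: the issuing CA's subject contains the string passed as -IssuerMatch.

function Get-PrivateKeyProvider {
    # Returns the name of the key storage provider holding the certificate's private key,
    # or $null when there is no private key. TPM-resident keys report
    # "Microsoft Platform Crypto Provider"; software keys report
    # "Microsoft Software Key Storage Provider"; pre-CNG keys report "legacy CSP".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }

        $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
        if ($ecdsa -is [System.Security.Cryptography.ECDsaCng]) { return $ecdsa.Key.Provider.Provider }

        return 'legacy CSP'
    } catch {
        return "unreadable: $($_.Exception.Message)"
    }
}

function Get-CloudPkiCertAudit {
    [CmdletBinding()]
    param(
        # Placeholder; use the CN of your Cloud PKI issuing CA.
        [string]$IssuerMatch = 'Cloud PKI',
        # Use Cert:\CurrentUser\My to audit user certificates instead of device certificates.
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$RenewWithinDays = 30
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $tpmProvider   = 'Microsoft Platform Crypto Provider'

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        ForEach-Object {
            $cert     = $_
            $ekus     = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
            $provider = Get-PrivateKeyProvider -Cert $cert
            $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

            # Findings a practitioner would act on.
            $findings = @()
            if ($null -eq $provider)            { $findings += 'no private key' }
            elseif ($provider -ne $tpmProvider) { $findings += "key not in TPM ($provider)" }
            if ($ekus -notcontains $clientAuthOid) { $findings += 'missing Client Authentication EKU' }
            if ($ekus -contains $serverAuthOid)    { $findings += 'has Server Authentication EKU (unexpected for Cloud PKI)' }
            if ($daysLeft -le $RenewWithinDays)    { $findings += "expires in $daysLeft days" }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                TpmBacked  = ($provider -eq $tpmProvider)
                ClientAuth = ($ekus -contains $clientAuthOid)
                ServerAuth = ($ekus -contains $serverAuthOid)
                Findings   = ($findings -join '; ')
            }
        }
}

# Usage: list every certificate from the matching issuer and any findings.
Get-CloudPkiCertAudit -IssuerMatch 'Cloud PKI' | Format-Table -AutoSize
```

A certificate whose key is reported as "Microsoft Software Key Storage Provider" was not generated in the TPM, which usually means the SCEP profile did not require a hardware-protected key or the device has no usable TPM; that certificate can be exported with its key and should be treated as a software credential. An empty `Findings` column on every row is the expected healthy state.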
Cost Considerations and Competitive Landscape
Microsoft Cloud PKI is licensed as part of the Intune Suite on a per-user or per-device subscription, which adds up in larger organizations. The pricing model is simple in that there is no per-certificate charge, but organizations must weigh the subscription cost against the operational savings and against the risk of certificate mismanagement, such as silent expiry or weak key storage, in traditional setups. With other cloud-based certificate providers entering the market, the competitive landscape is evolving and existing solutions are being pushed to offer richer feature sets. Customers will need to assess their specific requirements alongside cost to determine the best fit for their PKI needs.
Ready to move your device certificate authority to the cloud? Richard chats with Richard Hicks about Microsoft Cloud PKI - certificate management for devices and people as part of the Intune Suite. Richard talks about it being early days for Cloud PKI, so not everything you want is there yet. The only way to get a certificate onto a device is through Intune, so some devices, like servers, don't have a way to play yet. However, there is a bridge between Active Directory certificates and Cloud PKI, so you can bring your new devices in through Intune and ultimately unload a lot of your on-premises certificate infrastructure. And that will make everyone's lives easier and more secure!