This is the first part of a four-part series covering twelve fundamentals for choosing a managed PKI solution, and questions to ask in the buying process.
When it comes to Public Key Infrastructure (PKI), organizations have two deployment options: 1) they can opt for an in-house on-premise solution, or 2) a cloud-based service (Symantec, GlobalSign, Entrust). There are many benefits to a Managed PKI Service, including faster time to deployment, lower total cost of ownership, and leveraging operational excellence.
The purpose of this week’s blog post is to make you aware that not all Managed PKI providers are the same. In fact, there are some pretty significant differences between Symantec’s offerings relative to the competition that you wouldn’t see by comparing data sheets. Symantec’s key advantage is that our Managed PKI was designed as a service from the ground up as opposed to the competition, that have built their service from legacy on premise software. While the data sheets might look similar, over the next few weeks, we will highlight some of the fundamental advantages of Symantec’s Managed PKI.
1. Shared vs. Dedicated customer PKI roots
Symantec performs an independent 3rd party audited Root Key Generation Ceremony (RKGC) for every customer we bring on to the service. In fact, Symantec performs over 1000 key signing ceremonies every year; more than any other Managed PKI provider in the world. Providers like Entrust will “partition” their PKI, and host multiple customers under the same Root. The Root CA is your trust anchor; and it shouldn’t be shared.
One of the key benefits of a Managed Service is that your CA can be operational much faster than trying to set one up on premise. Symantec can bring a new customer on to our Managed Service in as few as 10 days from the processing of your Purchase Order. Under special circumstances, we can have it operational even sooner. Competing service providers are typically operational in 8-12 weeks, and don’t always meet that deadline.
3. Access to Public trust
In addition to your own private root of trust, Symantec’s standard offering also provides you with access to a public root, and an Adobe root, all accessible and managed from the same web based Administrative portal. Access to these additional roots enables organizations to meet a variety of additional Enterprise use cases that require external trust. For example, trusted e-mail digital signatures, Adobe document signing, etc. Competing solutions typically only offer private roots of trust, or require you to issue publicly trusted user certificates from a separate portal.
4. Broad revocation support
Symantec supports both Online Certificate Status Protocol (OCSP) and traditional Certificate Revocation Lists (CRL) as part of our standard service. Some of the competing solutions will only offer CRL based checking, and charge extra for OCSP.
Question to Ask
Here are some questions to ask your potential Managed PKI service provider.
- Do you offer you a shared “partitioned” PKI root, or do you only offer dedicated PKI roots?
- Do you perform a root key generation ceremony for every customer you bring on to your service?
- How quickly is the service operational from the time you process my purchase order?
- Do you have a proven track record of meeting your stated timelines?
- Can you offer me different roots of trust for all of my Enterprise use cases from a single Administrative portal?
- Do you include both OCSP and CRL based revocation checking capabilities as part of your service, or is it an additional charge?
Part 2 in this series will cover some of the Symantec advantages around Administration and Deployment. Would you believe the competition makes you open a support ticket every time you need to make an Administrative change to the CA? I'll cover this and two other fundamentals for choosing a PKI provider in the next post.