We recently had the opportunity to revise and launch our monthly webinar series focused on PKI technologies. Our new program “PKI Insights” will be held each month and cover timely topics that are affecting enterprises around the world as it relates to PKI. Over the last many years, we have had a large amount of interest in these monthly webinars, and I am particularly proud that we have always focused on technology, and not sales, as the purpose of these events.
On January 17, I spoke with Nick Sirikulbut about the imminent launch of Microsoft’s new Intune Cloud PKI. We covered not only the Intune use case and why organizations are issuing certificates in these scenarios but also some of the historical challenges with deploying the infrastructure and security protections needed to achieve it.
More importantly, we discussed what we do and don’t know so far about this approach. It is clear that it is designed to address one very specific use case and to call it PKI is a stretch. I used the term “Certificate Manufacturing” as the service that is deployed is more focused on signing certificates than actually implementing policies and controls around issuance. It is a tool that will provide some organizations with an easier onboarding option for Intune-based certificate issuance. It, however, is not designed to provide any of the normal processes we would expect to see in a PKI.
We listed several unknown security-related concerns as well as lifecycle issues that we were able to discern from the little bit of information Microsoft has released. A popular question that came up was “Why should an organization consider this approach?” A valid question and one that I was glad was asked. For organizations that would struggle with properly deploying NDES and associated security protections to integrate Intune with their existing enterprise PKI, the Intune Cloud PKI can provide a hybrid approach to this use case issuance need. But it will take configuring your environment to trust an external certificate signing platform for authentication certificates. This leaves many potential security concerns on the table.
At the end of the webinar, we covered 10 specific areas of risk that organizations should be aware of with this new approach. While some of these will be easier to address once the service is launched, the list represents just the tip of the iceberg of items we advise customers to review closely to determine if this solution is right for them.
It is clear that Intune Cloud PKI isn’t designed to replace your existing enterprise PKI, but it can be potentially an effective tool if properly managed and monitored in a hybrid PKI environment. However, for organizations that have already implemented NDES and security controls – there is little to no value to be had by replacing it with this approach.