The sheer volume of smart locks, lock management systems, connected readers and an increasing array of Internet of Things (IoT) devices complicates the issuance and management of certificates that are foundational to establishing trust between a device and the credential used to access it.
That’s why more companies are turning to PKIaaS for IoT devices. But there’s another reason to consider PKIaaS: the rise of quantum computing.
Secure digital communications
PKI certificates form the backbone of secure digital communications, but Gartner predicts that the pace of quantum computing will render asymmetric cryptography systems unsafe by 2029 and could render all current cryptography unsafe by 2034.
As with any software implementation, there are pitfalls to avoid, including vendors that use proprietary technology that’s incompatible with other systems and “gotcha” pricing tactics where a slight increase in certificate usage triggers a massive increase in pricing. However, the time to implement PKIaaS is now.
Physical security faces growing cyber threats
Although ransomware attacks directly on computing infrastructure dominate business headlines, physical security systems are also under threat. An HID survey of over 1,200 security professionals, end-users and executives shows that 75% reported threats to their physical security systems in the past year, as these systems are more tightly integrated with company IT networks.
Until recently, most physical access control systems (PACS) were proprietary and worked only with the specific systems they were designed to interact with. However, the movement toward the Open Supervised Device Protocol (OSDP) revolutionised the field, allowing companies to integrate and control devices from different vendors while improving compatibility and security.
PACS and IoT devices
As a result, 40% of companies plan to either update or change access control systems in the next year, with 21% emphasising the need for open standards like OSDP to both improve interoperability and future-proof their systems. When asked about reasons for a proposed upgrade, more than half cited convenience, while another 40% sought to improve their overall security posture.
PKIaaS makes sense as the number of digital certificates needed to power PACS and IoT devices continues to increase, promoting security and reducing manual processes related to tracking certificates.
Regulatory compliance demands automation and agility
Companies also face increased regulatory pressures regarding technology in general — and certificates in particular. The European Union’s Cyber Resilience Act sets mandatory cybersecurity standards for manufacturers and retailers, covering the planning, design, development and maintenance of products throughout the entire value chain. Certain high-risk products must undergo third-party evaluation by an authorised body before being approved for sale in the EU.
More specifically, the EU Cybersecurity Act establishes a unified certification framework for information and communications technology (ICT) products, services and processes. Businesses operating in the EU will benefit from a “certify once, recognised everywhere” approach, meaning that approved ICT offerings will be accepted across all EU member states.
Given the global nature of PACS, these regulations will likely impact companies well beyond the EU, much as the General Data Protection Regulation (GDPR) has for websites. These changes, when considered together with rapid advancements in quantum computing, underscore the need for a unified certification solution such as PKIaaS to handle increased — and increasingly complex — certificate compliance.
A path to PKI modernisation
Modernising PKI through a PKIaaS model doesn’t have to be difficult. With a clear and phased approach, most organisations can transition smoothly while reducing risk and improving efficiency. It starts with a quick assessment of current certificate usage to understand where certificates are issued, how they’re renewed and any gaps in coverage.
From there, it's about defining what you need and selecting a trusted partner. Look for a solution that integrates well with your existing systems, supports automation and scales as your needs grow. In terms of partners, not all PKIaaS vendors are the same. Look for one with a strong security track record and predictable pricing, which will simplify both onboarding and long-term management.
When it comes to vetting vendors, ask the following questions:
- Is the solution scalable? The trend toward future-proof installations has never been greater. As the number of certificates increases, any PKIaaS solution must be able to grow in concert.
- How will pricing change as certificate volume grows? Some solutions are priced in tiers by the number of certificates. If a company exceeds that maximum by even a single certificate, it owes not only the price difference between tiers, but it will also be expected to pay for that tier the following year, which can bring a significant financial surprise.
- How are CAs accessed and stored? Look for companies that can provide long-term offline secure storage of certificates that can also track when CA keys are accessed.
- What support is included in the PKIaaS? Specifically ask vendors about up-front costs for implementation and onboarding to get a real apples-to-apples comparison among partners.
Step-by-step replacement of manual processes
Once a vendor is in place, start with a focused rollout, e.g., automating certificate renewals for internal systems or a specific business unit. Once the pilot is complete, expand automation with a step-by-step replacement of manual processes to limit operational disruptions.
Finally, as PKIaaS becomes embedded in day-to-day operations, it’s important to align it with broader security governance. Establish regular reporting and clear policies, and future-proof for quantum-safe cryptography, to ensure long-term resilience and compliance without adding complexity.
This phased, pragmatic approach allows organisations to move quickly and confidently from legacy PKI to a scalable, secure and future-ready solution.
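As an added example (not code from this article or from any PKIaaS vendor), here is the kind of certificate inventory the assessment step and the later regular-reporting step call for: it records which CA issued each device certificate, when it expires, and whether renewal is on track, due, or already missed (a coverage gap). The CA names, device names and the 30-day renewal window are assumptions, and the certificates are constructed in-process so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one inventory row; Status is "ok", "expiring" (renewal due) or "expired" (a coverage gap).
type CertRecord struct{ Issuer, Subject, Status string; NotAfter time.Time }

// Inventory classifies each certificate relative to now; renewWindow is the lead time inside which an automated renewal should already have run.
func Inventory(certs []*x509.Certificate, now time.Time, renewWindow time.Duration) []CertRecord {
	var out []CertRecord
	for _, c := range certs {
		status := "ok"
		if !now.Before(c.NotAfter) {
			status = "expired"
		} else if c.NotAfter.Sub(now) <= renewWindow {
			status = "expiring"
		}
		out = append(out, CertRecord{c.Issuer.CommonName, c.Subject.CommonName, status, c.NotAfter})
	}
	return out
}

// issue builds a constructed sample certificate (hypothetical CA and device names, not data from any real deployment) so the example runs offline.
func issue(issuer, device string, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key both signs and is the subject key, for brevity
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: device},
		NotBefore: notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}} // issuer name comes from the parent template
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	certs := []*x509.Certificate{
		issue("PACS Issuing CA", "reader-lobby-01", now.Add(400*24*time.Hour)),
		issue("PACS Issuing CA", "lock-door-117", now.Add(10*24*time.Hour)),
		issue("Legacy Vendor CA", "controller-07", now.Add(-3*24*time.Hour))}
	for _, r := range Inventory(certs, now, 30*24*time.Hour) {
		fmt.Printf("%-17s %-16s %-8s expires %s\n", r.Issuer, r.Subject, r.Status, r.NotAfter.Format("2006-01-02"))
	}
}
```

In a real assessment the certificate list would come from the PACS controllers, readers and CA databases rather than from issue(); the classification logic stays the same.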
A necessary upgrade
According to an analyst report, manual certificate management can cost organisations up to $2.5 million annually in labour and outage-related expenses. While automation reduces these costs by up to 65%, the real challenge in IoT environments lies in managing scale.
With device lifecycles often spanning decades and certificate volumes reaching millions — especially across distributed, resource-constrained endpoints — manual PKI processes and legacy infrastructure simply can't keep up.
The convergence of regulatory mandates, quantum computing threats and rising cyber risks to connected physical systems makes scalable, cloud-based PKIaaS not just a strategic advantage, but a foundational requirement for secure IoT deployments.