Cluster Deployment

Details on the Shield component and how PKI is managed by Cloud Secure Edge

  • Updated on Oct 17, 2024

Every organization in SonicWall Cloud Secure Edge (CSE) has a Cluster that represents a logical grouping of Access Tiers that are managed together. The specific component that defines a Cluster is internally referred to as Shield. While the Shield is conceptually part of the Command Center, it is deployed and managed on a per-organization basis.

Shield distributes security policies to, and aggregates network data from, CSE’s enforcement component, Netagent. In addition, Shield manages a Private PKI (Public Key Infrastructure), also known as an Internal CA (Certificate Authority), to distribute cryptographic identities (X.509 Certificates) to clients and services in your organization.

Internal Certificate Authority (CA)

Certificates issued to your organization’s clients and services are signed by your Internal Certificate Authority (CA). Your Internal CA is, by default, named {orgname} Banyan Private Root CA.

CSE uses the same Internal CA key-pair to issue both SSH and X.509 certificates. For more information about the specific types of certificates CSE issues, see our article on managing cryptographic tokens and certificates.

Security and Availability

Your CSE-managed Internal CA is secured at a level commensurate with public trust anchors while giving you oversight over its properties and the names on those certificates.

To secure your Internal CA, CSE leverages our cloud infrastructure provider’s native key management security tooling, which is purpose-built to manage cryptographic keys. An organization’s Internal CA private key is encrypted with an organization-specific password and stored in a key vault. At runtime, the Internal CA itself is deployed in an isolated and dedicated Kubernetes pod we create for each organization.

Access to the accounts that host the key vault and the Kubernetes clusters is controlled in accordance with CSE’s Information Security program and SOC2 controls, which establish rigorous practices for production access, audit logging, and compliance. Read more about our security practices in our security statement.

Your Internal CA is also deployed in a high-availability configuration using our cloud infrastructure provider’s global Kubernetes service.

Custom Managed PKI Capabilities

For large, global deployments, CSE can provide additional capabilities.

To leverage an organization’s existing PKI tools, CSE can use an Intermediate CA certificate signed by the organization’s Root CA. This allows a customer to continue to be responsible for protecting their Root CA, while CSE can manage the issuance of certificates for its clients and services. The customer retains overall control since it can revoke the Intermediate CA at any time.
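
As an added illustration of the Intermediate CA arrangement described above (not CSE's or SonicWall's own tooling or onboarding procedure), this OpenSSL example has a customer-held Root CA sign a path-length-constrained intermediate and then revoke it through a CRL. All names, file paths, key sizes and lifetimes are constructed assumptions, and the locally generated CSR is a stand-in, since the page does not describe how the intermediate's key or CSR is exchanged.

```shell
# Added example: names, paths, key sizes and lifetimes are constructed assumptions.
set -eu
init_pki() {  # $1 = scratch dir: config, customer Root CA, stand-in intermediate CSR
  d="$1"; : > "$d/index.txt"
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_intermediate]
# pathlen:0: may sign end-entity certificates, but no further CAs
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = root_ca
[root_ca]
database = $d/index.txt
default_md = sha256
default_crl_days = 7
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$d/ca.cnf" \
    -extensions v3_root -subj "/O=Example Corp/CN=Example Corp Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/O=Example Corp/CN=Example Corp Issuing CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
}
root_ca() {  # $1 = dir, rest = an "openssl ca" action run as the customer Root CA
  dir="$1"; shift
  openssl ca -config "$dir/ca.cnf" -keyfile "$dir/root.key" -cert "$dir/root.crt" "$@" 2>/dev/null
}
sign_intermediate() {  # sign the CSR with the constrained profile, publish an empty CRL
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
    -days 730 -extfile "$1/ca.cnf" -extensions v3_intermediate -out "$1/int.crt" 2>/dev/null
  root_ca "$1" -gencrl -out "$1/root.crl"
}
revoke_intermediate() {  # revoke the intermediate, then reissue the CRL
  root_ca "$1" -revoke "$1/int.crt" && root_ca "$1" -gencrl -out "$1/root.crl"
}
intermediate_trusted() {  # exit 0 only if it chains to the root and is not on the CRL
  openssl verify -crl_check -CAfile "$1/root.crt" -CRLfile "$1/root.crl" "$1/int.crt" >/dev/null 2>&1
}
demo="$(mktemp -d)"; init_pki "$demo"; sign_intermediate "$demo"
intermediate_trusted "$demo" && echo "before revocation: trusted"
revoke_intermediate "$demo"; intermediate_trusted "$demo" || echo "after revocation: rejected"
```

Revocation only takes effect for verifiers that obtain and check the Root CA's current CRL, which is why the final check runs with `-crl_check`.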