🏢 5 DEPLOYMENT MODELS — ON-PREMISE TO CLOUD 🏭 AIR-GAP READY FOR OFFLINE OT ENVIRONMENTS ☁️ CLOUD NATIVE — AWS · AZURE · GCP 🔀 HYBRID HIGH SECURITY — DUAL CA MODEL
DEPLOYMENT

Five Models.
One Platform.

From fully air-gapped on-premise to cloud-native — the Cognisec Trust Engine deploys wherever your environment, security posture, and compliance requirements demand.

11 | DEPLOYMENT MODELS

Choose Your Deployment Model

Every model runs the same platform. The difference is infrastructure ownership, CA trust, and connectivity requirements.

A
🏭 Air-Gap Ready · Full Data Sovereignty

On-Premise — Customer Infrastructure

Full on-premise deployment on customer-owned hardware. The customer controls all virtual machines, CA private keys, certificate data, and audit logs. No data leaves the customer environment. Ideal for the most security-sensitive and air-gapped OT environments.

Specifications

  • Hardware: Customer-owned servers / VMs
  • Root CA: Internal self-signed
  • Connectivity: Air-gapped or isolated network
  • Data: 100% on customer premises

Ideal For

Defence, critical infrastructure, highly regulated OT environments, government agencies

B
🔧 Managed Service · No Infrastructure Investment

Cognisec Managed — Managed Hardware

Cognisec provides and manages the server hardware. The Root CA is internally self-signed and privately managed. The customer gets full PKI governance without the burden of owning and maintaining infrastructure. Ideal for organisations that want managed PKI without capital expenditure.

Specifications

  • Hardware: Cognisec-provided & managed
  • Root CA: Internal self-signed
  • Connectivity: Secure private network
  • Data: Cognisec managed environment

Ideal For

Mid-market enterprises, organisations without dedicated PKI teams, managed security service consumers

C
Globally Trusted · Enterprise Web PKI

Commercial Trust — Globally Trusted CA

Cognisec hardware with a globally trusted Root CA from a commercial Certificate Authority such as Amazon Trust Services or DigiCert. Certificates issued are trusted by all browsers, operating systems, and enterprise platforms worldwide. Ideal for enterprise web PKI and public-facing services.

Specifications

  • Hardware: Cognisec-provided & managed
  • Root CA: Commercial (Amazon / DigiCert)
  • Trust: Globally trusted by all browsers
  • Use Case: Enterprise web PKI, public services

Ideal For

Enterprise IT PKI, TLS for web services, client authentication, public-facing digital identity

D
🔀 Dual CA · Maximum Flexibility

Hybrid High Security — Dual CA Model

The most sophisticated deployment model — dual CA architecture combining an internal Root CA for OT and classified environments with a commercial Root CA for public-facing and enterprise IT services. Maximum flexibility for complex organisations operating across both regulated OT and public IT environments.

Specifications

  • Hardware: Cognisec-provided & managed
  • Root CA: Internal + Commercial (dual)
  • OT CA: Internal for classified / air-gap
  • IT CA: Commercial for public services

Ideal For

Large enterprises with both OT and IT PKI needs, energy companies, transport operators, defence contractors

E
☁️ Cloud Native · Zero On-Premise Hardware

Cloud Native — AWS / Azure / GCP

Fully cloud-hosted deployment on AWS, Azure, or GCP with a commercial Root CA. Zero on-premise hardware required. Rapid deployment for cloud-first organisations. All Trust Engine capabilities available in a fully managed cloud environment with the scalability and reliability of major cloud providers.

Specifications

  • Infrastructure: AWS / Azure / GCP
  • Root CA: Commercial globally trusted
  • Hardware: Zero on-premise required
  • Deployment: Rapid — cloud-native speed

Ideal For

Cloud-first organisations, SaaS companies, digital-native enterprises, rapid PKI deployment

07 | USE CASES

Where the Trust Engine Deploys

Purpose-built for the most demanding environments — from offshore oil platforms to cloud-native SaaS companies.

🏭 Industrial Control Systems & SCADA

  • Certificate provisioning for PLCs, RTUs, HMIs, and field devices
  • Air-gapped CA workflows for OT networks without external connectivity
  • Bulk certificate issuance for thousands of industrial endpoints
  • Governance-enforced cert management aligned with IEC 62443 & NERC CIP

🏢 Enterprise IT & Hybrid IT-OT

  • Structured certificate lifecycle for servers, applications, and VPN endpoints
  • Integration with enterprise identity platforms and NAC systems
  • Compliance-ready audit logging for ISO 27001, SOC 2, and GDPR frameworks
  • Role-based PKI governance aligned with organizational security policies

🚆 Transportation & Critical Infrastructure

  • Secure identity provisioning for interconnected infrastructure systems
  • Policy-driven cert issuance preventing unauthorized trust establishment
  • Comprehensive audit trails for regulatory compliance & incident investigation
  • Hierarchical CA enabling transition to publicly trusted PKI architectures

12 | SCALABILITY

Highly Scalable. Infinitely Flexible.

From a single endpoint to thousands of industrial devices — the Trust Engine scales without redesign.

⚡ Scale Without Limits

  • Single endpoint to thousands of devices — same platform
  • Bulk CSR processing for large OT deployments in one operation
  • Single and bulk certificate workflows running in parallel
  • Database-backed architecture — no file system bottlenecks
  • OCSP responder scales independently from the core platform

🔧 Modular Architecture

  • Add new CA servers without platform redesign
  • Multiple Intermediate CAs supported simultaneously
  • Certificate templates fully configurable by Admin role
  • New certificate types via template — no code changes required
  • API-ready architecture for IAM and SIEM integration

Enterprise Integration Ready

  • API-based integration with enterprise IAM platforms (roadmap)
  • NAC integration for certificate-driven network admission (roadmap)
  • HSM integration for FIPS 140-2/3 key protection (near-term)
  • SIEM integration for security event correlation (roadmap)
  • Multi-tenant capable for managed security service providers

🛡️ Future-Proof Design

  • Post-Quantum Cryptography roadmap — CRYSTALS-Dilithium, FALCON
  • Commercial Root CA integration for public trust architectures
  • Zero Trust continuous verification integration
  • Behavioural analytics & ML anomaly detection (mid-term)
  • Patent submitted — #202621037440

Not Sure Which Model Fits?

Our team will assess your environment and recommend the right deployment model for your security requirements, compliance obligations, and infrastructure constraints.
