Video: Five Critical Steps to Ensure your CLM Protects You from Outages and Breaches | Duration: 2252s | Summary: Five Critical Steps to Ensure your CLM Protects You from Outages and Breaches
Transcript for "Five Critical Steps to Ensure your CLM Protects You from Outages and Breaches":
We will give it one more minute, and then we will respect your time and go ahead and get started. So thank you. Alright then. Let's be respectful of those of you that have jumped in, and anyone else can catch up. Thank you for taking the time today. My name is Tom Cline. I am what is called a digital trust specialist here at DigiCert. There's a team of about 5 or 6 of us that have some responsibilities around the globe to try and provide some insights into the products that DigiCert brings to market. I am pretty knowledgeable, so I will help as much as I can. And if there's any question that I can't answer, we'll get the really smart people to follow up with you. So, appreciate your time. We'll talk some today about what we see are some of the critical actions around certificate lifecycle management. I'm not gonna do a specific product demonstration, and I am not gonna go too far into the weeds. But one of the things I like to do is talk a little bit about why we believe things are the way they are in the market today, and what's maybe affecting you and your roles and your businesses, and then talk some about how we address that, and leave you with a few parting thoughts. So we will get after it. I think most of us are probably here because in some way we're responsible for digital trust. Digital trust is clearly using certificates, PKI, cryptography, and other assets to make sure that people are, devices are, and software is what we think they are. And this has been a good and known practice for a very long time, and it seems to be doing nothing but gaining speed. So we'll live in that digital trust space with you, and talk about some of the things that are potentially leveraging your business. I'm gonna start with the public PKI ecosystem.
So as we all know, there's a number of organizations out there that represent the best on browsers, and I think you see Safari and Chrome and Edge and Firefox, and those organizations. And the organizations themselves really set the rules for how their browsers are going to be secure in the marketplace so that their customers trust them and use their product to do their browsing, and organizations wanna be able to do that. There is a group called the CA/Browser Forum or CA/B Forum, that is made up of independent companies. We happen to be on it. Many of your organizations may or may not be on it, but it's a pretty big group. And the CA/B Forum can actually recommend, or be the filter between a business and the browsers, to be able to say, hey, here's what we think should happen or here's what we wanna have happen. And it's very much a bidirectional thing. And we just served this year. We actually are the chairperson of the CA/B Forum, actually for the next 2 years. So we help organize and bring this together along with other member companies. You may have heard about rotation of public certificates, which identify your organization to a browser as safe to work with and valid to work with and authentic. Looking at shortening their rotation, which today is 1 year, to potentially 90 as suggested by Google and 45 or less, that's been suggested by Apple. And a couple of interesting things about this. When you look at these validated certificates, it's not just that you're rotating the actual crypto in there and getting a new certificate, but the organization itself has to be validated. So we would go to, for example, IBM and say, IBM, if you want a bunch of certificates, we need to make sure you are IBM itself and that you are a valid representative. So there's this validation process that goes on, then you get the certificate, then you gotta take the certificate and get it to where it goes.
It's hard enough to do once a year and it's time consuming, but they're looking at a shorter rotation on those certificates down to 45 days and who knows, maybe less. And so, when this happens, the CA/B Forum gets involved from the standpoint they can have ballots and initiatives that say, hey, we talked to our members and our members think this. But all they can do is provide a recommendation. The CA/B Forum doesn't set the rules. The rules are set by the browsers themselves. So on March 1st, if Apple says it's 45 days starting April 1st, that's the rule and that's what it does regardless of what the CA/B Forum does. Now there's good communications and good relationships, and they put these things on the ballot. Based on our knowledge or our perception of what's gonna go on, we do think that a shorter rotation period is gonna get on the ballot sometime in the first half of 2025, and members will talk about it. And then, based on its passage, it may or may not be instituted at some time after that. And so this is kind of a give and take of public certificates out of the domain and what goes on. A little bit of our view into it, but it puts you in a position where you gotta change out your certificates. Some folks have 1 or 2 or 5. Some folks have a 100 or even a 1000. And so, this can be a very cumbersome process. And as it gets rolling downhill, more is gonna happen. There's another angle to this and some of you may be aware of that. There can be something called a distrust. So what's a distrust? A browser sees something that happens inside of the certificates that are provisioned by publicly trusted companies. And in that, they say you need to go fix this in 1, 3, or 5 days depending on the severity of the issues that are there. And, hey, DigiCert, we've had our issues and the browsers have said, hey, you gotta go fix this.
But if you don't respond effectively and consistently, the browsers can say, you know what? We're just not gonna trust your certificates anymore. And that happened this year. This happened to Entrust earlier in the year, and Entrust is still there as an entity and does what they do. But their certificates are now undersigned by a company called SSL.com. A lot of folks have moved off of Entrust. Some folks have remained. But this distrust, again, has the potential to enter into the process outside of standard rotation. Sorry, but we're not gonna trust that group of certificates anymore. You all are gonna have to do something. And again, this gets into that idea of how we do in certificate lifecycle management and what we, as a collective with companies, you know, are good at. Then there's regulations. We've got a bunch of government entities here and abroad that, on behalf of their constituents, are instituting a lot of rules that have to do with the integrity of services, goods, devices, products that are put into the marketplace. And a lot of these are device oriented. However, almost all devices are software oriented, and almost all software devices have software that is signed by some certificate or cryptographic function. And so, with this onslaught of that, it provides yet another pivot: What do you have to do to keep a valid, consistent, ongoing certificate inventory and potentially change things? Because most of these regulations say, if something goes wrong, you have to notify the public, then you have to make a fix for it, and then you have to remediate it. And you have to divulge everything that's in your product or service. And so this thing really gets going, with additional overhead in managing cryptographic assets. And it's not just here, but it's around the world. It's a very complex set of countries and organizations. I've actually worked with 3 or 4 of these to be able to get these to move forward.
So everybody is trying to protect their constituents, their consumers, so on and so forth. So you can see this ongoing type of war. Terry, I noticed your comment about the 45 day expiry. It is really hard for large organizations to do that. Part of why we and others are nudging them on this crypto agility part to get there. But as you say, it's not that easy. I've got a couple of more insights that I'll share with you a little bit later on. So thank you for the comment. So if you look at the backbone of cryptography and everything that it does, those top four tiers on the pyramid are where all the breaches, all the outages, all the everything comes from. It's from the platform, the architecture, the administration of it, and the users. It has not ever been the cryptography. There was a rush to move out MD5 certificates. We've moved SHA-1 certificates because of the potential to have a breach. But to my knowledge, if someone has other, go ahead. But I've never seen anyone reverse engineer out a set of private keys and be able to unlock these things. However, we have PQC on the horizon. And consistently across academics and other agencies, they have said this is going to be a problem. So for the first time in this backbone, crypto has the chance to be exposed as something that will insert challenges into the organization. And if in fact your organization is going to be in a position where it has to change out all of its certificates for quantum resistant certificates, then you're gonna be in a position where you're gonna have to do an awful lot. And a good question is, is this 3 years, 5 years, 7 years, 10 years? I'll be honest and say 7 years ago, I said it was gonna be 7 years. Part of, you know, what we have to do for a living is prognosticate. But believe it or not, there are commercial timelines on this.
And this is coming from respected agencies that are saying, from a transition standpoint, because this is not an overnight thing, here are the areas in which y'all need to be ready to go, and they actually recommend that you start transitioning. I don't believe that every single certificate in an organization is gonna have to be swapped out. There will be other ways to mitigate. In other words, you might air gap a set of encrypted data. You can make access to the data quantum resistant in order to get to it, but you don't have to redo encryption on all of those. Same could be true for programs, same could be true for assets. But PQC, if the industry is considered real, it's coming, and it's gonna be another driver for cryptographic agility that I'm gonna talk to here in a bit. This is a complex environment. It's a very complex environment. And in these modern environments, there's a lot of things going on. There are backbones and cloud vendors. There's the devices that you already know about pretty well and servers. You know, there's the certificate authorities themselves like ourselves and other private ones like Microsoft. Everybody is probably somewhat familiar with Microsoft AD CS, Active Directory Certificate Services. And so they're out there. Even AWS has gotten into the CA game, and some of their tools are very much oriented towards watching their own today and what they do. But all of these things represent this ecosystem for which many of us are responsible for keeping the integrity. So for us, it's all about DigiCert ONE there in the middle to be able to try and help our customers. So, this is our platform for digital trust. It is called DigiCert ONE. And we break this up into several pillars. I would tell you that it's my belief that we are the only provider that provides a single pane of glass, single entry into multiple pillars across the entire organization, including DNS. So we're talking a lot about machines here.
So, the servers and the edge devices that make it up, that Trust Lifecycle Manager manages the certificates for. There's software trust and its own integrity inside of that. There's devices, documents. There's many, many documents, especially in the EU, that are really driven through digital identities, digital wallets, things like that. So there's a lot of content that's being there. There's a lot of content in images and things like that. C2PA for images that's there. And then there's a lot of talk about the content inside of AI models, that also is content that has the potential to be signed. There's an awful lot of things around content and capability. And just a couple of months ago, we finalized the purchase of our 2nd DNS company, a company called Vercara. The product is UltraDNS, which is probably, if you know DNS, one of the front running names in that. And so if you look at, and this, Terry, goes back to some of the other things that I wanted to mention. If you look at DNS and being able to validate a DNS address inside of an organization. And if you look at the certificate that represents an identity at that DNS address, it's also validated. And you can find some synergies of how to bring those together where it makes some of this validity a little bit less painful to go through. Those are the things that we're looking at. Because Vercara just came on board, it's not under the single pane of glass umbrella yet. It will be at some point in the future. We will do that very carefully to make sure that we protect all of those UltraDNS customers that are out there doing their thing today. But if you think about, hey, I can secure the endpoint and make sure that it's not under attack, and I can secure the identity at that endpoint, you're really talking about the basis of trust on the Internet, to be very honest. And the trust inside of an organization, from a private standpoint.
So, it's a really big deal to have that in there. And, again, I think we're rather exclusive in our approach in the DC ONE platform. This is our one. We call it DC ONE. Sorry for the abbreviation. So let's talk about certificate lifecycle management and the way we approach it so that you all have a view of what we think about. First, it's a matter of getting everything that you can. So, there are a number of products out there, whether they are Qualys or Tenable or some others, that are in the environment that allow you to reach out and look at what's inside the organization. There are the certificate authorities themselves, which you could talk to. There is the ability to take a network or network segment and be able to do a port scan across those and do a partial TLS handshake and be able to say, hey, is there anybody there? And get an answer back. And so you start to accumulate these discovery events into: this is everything that's inside of my organization. I wanna pull all that together and see what it is. And then start to make some decisions. So, you know, we wanna gain some control. Hey, we know that we gotta rotate our publics every so often. Hey, auto enrollment. Not worried about it. We'll let group policy, Microsoft Intune do their own thing. Cool there. But, you know, I got these edge servers, and I've got these use cases, and I've got my Wi-Fi service, and I've got my badge access, and I've got YubiKey, and I've got all these other things that need a policy and a governance and some control over that to be able to say, here's what I'm gonna do with these things. And I wanna be able to say who can do those things. So granular role based access control. I can look at it. I can change it. I can report on it. I can set policy on it. All of that capability comes into Trust Lifecycle Manager and how we approach it. You know, the big deal is to prevent downtime. I don't want an expiration.
I don't want somebody that, you know, while they were working for our organization for a short time or a long time, bought a GoDaddy cert and put it on something that has now gone from a research asset to a production asset, and I'm in trouble because I didn't have any inventory on that. Whatever the causes of those interruptions are, maintenance cycles, whatever the case, I wanna be able to prevent that. And to the extent that automation makes sense; it's nice to have on everything, but automation costs money, has a little bit of complexity, configurations, may or may not involve some agent on the device in order to get that done, depending on the type of device and so on and so forth. But these things can reduce cost somewhat from the outages. Cool. Stop it. Everybody's happy. But the labor that's intensive, as Terry mentioned in his comments, of having to rotate certificates and do the other things associated with it, do the maintenance periods, have deep expertise on hand, those are all things that really can be impactful for the organization either through hard cost, time or other shared experiences. We look a little bit at the maturity model, from the left where you're not doing anything or maybe you're exporting a CA to a spreadsheet and, you know, watching a spreadsheet, up to a very granular automation capability, highly integrated to your SIEM system, ServiceNow, Intune, whatever the case may be, to be able to drive organizational capabilities to be as flexible or agile with your cryptographic solutions as possible. And so we look at this model and say, this is a pretty fair representation of moving up the chain. And it's unusual for somebody to go all the way from the left, all the way to the right and say, I bought something and now I'm here. These are processes. These are things that go on in your business.
They're things that are analyzed to see what is the right approach based on that. But at all of those, the capability of the trust lifecycle management platform is there to help and assist with being able to inspect, set policy, provide automations and integrations, as we go down the line. So this is TLM. It is the product which does that and provides for both public and private certificate lifecycle management in the kind of stripes and flavors that I've talked about. But what we see greatly in organizations right now are customers going, to be honest, I kinda wanna get out of the PKI business. It's keeping the lights on. It's storing the private keys. It's doing updates. We've got a cloud based initiative that I don't wanna deal with. I don't wanna deal with the HSMs. Really, what I wanna do is consume certificates, know the posture of my business at any point in time, but I really wanna get out of the PKI business. I'll show you some more information later about the fact that we're the largest provider of public certificates in the world. And the infrastructure that we have around that is really world class. And the same folks that do this world class infrastructure that supports Amazon and IBM and everybody else all the way down to, you know, mom and pop's hardware shop, is the same infrastructure and the same capabilities we look at when providing PKI services to the organization, and very rich PKI services to the organization. You know, we've talked about the inventory part of it and getting there, and getting to the devices. But, you know, you've got cloud workloads. You're wanting to tap into Azure or you're wanting to get into AWS. You've got policies that set all of those. You've got, I mentioned phones, so you've got an MDM. You've got YubiKeys or some other asset that allows you to have hard multi factor authentication.
And so being able to go through all of those and have the support to get those done is something that is significant, and being able to interface to all of those individual assets. Oops. Sorry about that. No. Let's try that. There we go. Hit the wrong button. Apologies. So this is kind of a screen from Trust Lifecycle Manager, which, when you enter it, will give you the posture of your organization and allow you to do a number of things that are important. See the status of the organization, get to all the other assets that we've talked about, in what they do and how they do it, and make those things come together. So regardless of where it is, if you'd like to see this a little bit deeper, I'm not gonna go through the screens today. We really wanted to provide you an introduction and an overview to the things that we do and why we do them and why the market's responding; we would be glad to follow up on that appropriately. Okay. So now you've got your organization with all the things that you have. We look at it from our side, which is what do we provide our clients. So we are a cloud based solution, but we have on premise tools that you can take advantage of. So we can put, we call them sensors, inside of network segments so that the sensor can communicate with everything in that segment and be able to either inventory or disseminate certificates, deliver them, do all the functions that it needs to do potentially from a binding or other standpoint. And so, the client has all of these capabilities including, you may wanna go to auto enrollment. I talked about private PKI. You wanna get rid of AD CS but still have the capability to do auto enrollment, interface with group policy, and things like that. So the clients and the way that we interface there is pretty powerful. All the standard protocols that you think should be there are, including API, which is very important to the public certificate world.
So for automation and the availability to turn things. The capabilities to work with templates, to interface to certain embedded technologies, to be able to give you the tools, the role based access control, and everything you need from that solution to be just like it was sitting on the, you know, on a server next to me. Provide those capabilities and flexibilities to be able to get the job done, multiple formats, you know, how you're doing your CSRs, PKCS #11 and #12, and all the rest of the things that you think should be there. And then the REST APIs. The REST APIs are the bedrock of how we do our integrations with other organizations, or other products, I should say. And so that API is something that we're pretty proud of. It allows us to hold a ton of different relationships and communication vehicles out there to be able to talk to the assets that you would find in your organization. You say, hey, thanks, I appreciate that. However, we use something specific to our organization, and it's not on this list or it's not an integration. Well, this REST API from our side describes everything that is capable from our side of certificate lifecycle management. From the customer side, if they have something unique that may have an API that we can see or you can see, then there is the capability to go ahead and do the translation and bring those together to be able to say, here is how we interface with this unique use case or circumstance or technology, to be able to extend Trust Lifecycle Manager into that environment. And so that REST API is great. By the way, all documentation on everything we do is public and online. So if there's ever any questions about that, it's there for everybody to consume. It's not something special. And so, well, it is special because it's there, but it's not something that we hide away and don't make available. We keep all of those things very public for all of our products that we have in market.
So, a great way to be able to work through the organization. I mentioned before about our capabilities behind the wall and running not only Trust Lifecycle Manager, but in being able to support private PKI and manage PKI on your behalf. It's a global model with capabilities around the world to be able to access. If you look at all of the folks that we've touched, the numbers are huge. So we've been trusted a lot and I think worked very well. We've got a whole lot of individuals that make this happen, that have an amazing quality score. Their NPS score is head and shoulders above the market itself. And so it's something that I think we're pretty proud of, and a bunch of folks that manage your money trust us to help them. So it really is what I think is a great operation. So it's not just the fact that we can do it. I think our operational model allows you to have us do that with confidence, and we're more than happy to make that happen. In fact, one of our largest customers is IBM, and we work extensively and have over time to make sure that not only are we providing them public and private capabilities, but we're extending it to the use cases that are most important to them on a global basis, on a development basis, on a product basis, that we're there to work hand in hand with them and to advance the product and make sure that it is top of mind. That's kinda why I mentioned them upfront. They have been a great partner with us. We're very thankful for their business, and we continue, I think, to do some pretty good things. Now, we're not the only fish in the sea. So, there are different ways of looking at the assets that you deploy and the management of those assets. So, I mentioned Qualys before. I think I mentioned ServiceNow. There are tools that can get a nice inventory of what you have, and we talk to many of those tools, and they could be portals by which you choose to do workflow.
However, they're really not frontline certificate lifecycle management tools working across multiple platforms, being able to do updates, so on and so forth. And so they're a little bit different than what we do, but we talk to a ton of those. There are other certificate authorities that are out there. I mentioned before about Entrust and their challenges in the short term. They do have, most of the publics have some form of, hey, we can update your cert if you need to. But when you start to run over into the private side, when you start to run it over into specific devices, sometimes with these, they say they replace them, but they haven't actually checked the bindings by pinging them back. There's some capabilities there that are a big deal. The 3 major CLM competitors that I am aware of in the market, and I know these folks all pretty well, we're a pretty small selection and family of products, is that Venafi has been out there for a long time. They tend to do smaller implementations. They got great integrations. To know Venafi is to know that the installation is a little bit trickier because it's middleware. It sits between the CA and the end product, and kinda routes that, so it's not conducive always to being cloud based. So Venafi is a great product. I am not defaming them, but they've been out there a long time. They got some older technology, and they have a very specific way of doing it. And to be quite honest, there's many situations where because of the way Venafi does what they do, customers say, hey, I need something else to deal with everything else or deal with this use case or deal with Microsoft. And so there's a lot of times when you find yourself in a cohabitation piece for some period of time. Keyfactor came from a Microsoft background, good company, nice product, but really they came out of the Microsoft world and they're not a public CA. DC ONE is different from the way they approach it.
And AppViewX is kind of the same. They're not public. They came out of the Linux/Unix world for starters, kind of an entry level, and they've been expanding and do the things they do. No disparagement towards any of those companies. They're out there. They're doing what they do. I just think that our approach is a little bit more inclusive, certainly, to the ability for us to do public and private, hosted; I think that our services can evolve, and that everything else that we do, including software and devices and content, DNS, separates us from the pack in terms of thinking about a lifecycle under which all of these assets reside and things they touch and stuff like that. So proud of where we are, proud to compete against other good companies. So this is Trust Lifecycle Manager. It gets us to a good place in the market. It allows you to look at the risk that you have in your business, hopefully decrease cost of ownership as you surround yourself with tools that are productive and maybe help reduce a little bit of technical debt. It's all about security at the end of the day. Right? You need to be strong and capable to protect the assets of the organization, quite honestly, the reputation of your organization. And it gives you a centralized view into what's going on in the world of certificates and trust inside of your organization. So, really, that's the story that I wanted to share today. We would love for you to reach out and get more information. If you like things like PQC, we had a Quantum Day where we had Doctor Peter Shor and a number of other experts talk with us and to our CEO about what's coming up in quantum. That's on our website if you wanna review that, as is information about all the other things. If you wanna reach out to myself, tom.kline@digicert.com, would love that. And if you wanna schedule, obviously, a peek under the covers, the team's more than excited to do that.
With that, I'm gonna kinda stop. I would love to take questions, but I'd also love for you, if you wish, in the chat to share if you thought this was good, too high level, about right, or anything else. The only way we get better is for our customers and our friends to give us constructive feedback. So with that, thank you. I'm here for questions if you have them. Otherwise, I thank you for the time. Hope you enjoyed the pizza, and hope that you get a couple minutes back in your day. So I think the presentation will be posted if I'm correct, Michelle. There you go. We will share the recording. And, Ben, if you would like to reach out as I said, we'd love to give you some more assets that'll give you some more specifics. We'll make sure that we follow up appropriately. Apologize if it was just a little bit too high level. Alright, everyone. I thank you very much. I hope you have a great day. Happy holidays. Merry Christmas, whatever you celebrate. And talk to you soon. Cheers.
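The discovery and inventory steps the talk describes (port scan plus TLS handshake, discovery events from several sources merged into one inventory, then expiry, unmanaged-issuer and distrusted-issuer checks, and the renewal load under 398-, 90- and 45-day lifetimes) as an added Python example; this is not DigiCert's or Trust Lifecycle Manager's code, and the hosts, issuer names, dates and approved/distrusted sets are constructed for illustration.

```python
"""Certificate discovery and inventory checks of the kind a CLM pass performs.
Added example, not DigiCert's or Trust Lifecycle Manager's own code."""
import math
import socket
import ssl
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, List, Optional, Set

@dataclass
class CertRecord:
    host: str
    port: int
    issuer: str                # issuer organizationName from the certificate
    not_after: Optional[date]  # None when the chain did not validate
    verified: bool             # did a public-trust handshake validate the chain?
    source: str = "scan"       # "scan", "ca-export", "vuln-scanner", ...

def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> CertRecord:
    """Live discovery step (needs network): open the port, complete a TLS handshake
    and read the leaf cert. A verified handshake is tried first; if the chain does not
    validate (private CA, self-signed, distrusted root) retry without verification."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                info = tls.getpeercert()
        issuer = {k: v for rdn in info["issuer"] for k, v in rdn}
        expiry = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(info["notAfter"]), tz=timezone.utc).date()
        return CertRecord(host, port, issuer.get("organizationName", "?"), expiry, True)
    except ssl.SSLCertVerificationError:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert(binary_form=True)  # DER captured, not parsed here
        return CertRecord(host, port, "unknown", None, False)

def merge(records: List[CertRecord]) -> Dict[str, CertRecord]:
    """Fold discovery events from several sources into one inventory keyed by host:port.
    A verified record beats an unverified one, so a CA export fills in what a blind scan missed."""
    inventory: Dict[str, CertRecord] = {}
    for rec in records:
        key = f"{rec.host}:{rec.port}"
        current = inventory.get(key)
        if current is None or (rec.verified and not current.verified):
            inventory[key] = rec
    return inventory

def evaluate(rec: CertRecord, today: date, approved: Set[str],
             distrusted: Set[str], warn_days: int = 30) -> List[str]:
    """Policy checks on one entry: expiry window, unmanaged issuer (the stray cert that
    ended up in production) and browser-distrusted issuer (replacement outside rotation)."""
    findings: List[str] = []
    if rec.not_after is None:
        findings.append("expiry unknown (chain did not validate)")
    else:
        left = (rec.not_after - today).days
        if left < 0:
            findings.append(f"expired {-left} days ago")
        elif left <= warn_days:
            findings.append(f"expires in {left} days")
    if rec.issuer in distrusted:
        findings.append(f"issuer {rec.issuer} is distrusted by browsers; replace now")
    elif rec.issuer not in approved:
        findings.append(f"issuer {rec.issuer} is not an approved CA (unmanaged cert)")
    return findings

def renewals_per_year(inventory_size: int, max_validity_days: int) -> int:
    """Rotation load if every cert is issued at the maximum allowed lifetime:
    398-day certs need 1 renewal a year, 90-day certs 5, 45-day certs 9."""
    return inventory_size * math.ceil(365 / max_validity_days)

# Constructed sample inventory: one endpoint seen by both a blind scan and a CA export,
# a stray GoDaddy cert on a former research box, a distrusted issuer, an unverifiable RADIUS host.
TODAY = date(2024, 12, 18)
APPROVED = {"DigiCert Inc", "Corp Internal CA"}
DISTRUSTED = {"Entrust, Inc."}
SAMPLE = [
    CertRecord("www.example.test", 443, "DigiCert Inc", date(2025, 6, 1), True, "ca-export"),
    CertRecord("www.example.test", 443, "unknown", None, False, "scan"),
    CertRecord("research-box.example.test", 8443, "GoDaddy.com, Inc.", date(2025, 1, 5), True),
    CertRecord("legacy.example.test", 443, "Entrust, Inc.", date(2026, 3, 1), True, "ca-export"),
    CertRecord("wifi-radius.example.test", 1812, "unknown", None, False),
]

def report(records: List[CertRecord] = SAMPLE, today: date = TODAY) -> Dict[str, List[str]]:
    """Merge every discovery event, then evaluate each endpoint exactly once."""
    return {k: evaluate(r, today, APPROVED, DISTRUSTED) for k, r in merge(records).items()}
```

`fetch_cert` is the only part that touches the network; `report()` runs entirely on the constructed sample.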