Using PKI Jiu-Jitsu to Build a Powerful Digital Trust Ecosystem
In 2020, Google and Apple shortened TLS/SSL certificate lifecycle policies to 13 months. In March of 2023, Google once again proposed updates to its Certificate Lifecycle Management (CLM) policies, including lowering TLS/SSL certificate maximum validity to three months (90 days) rather than the thirteen months (398 days) issued just a few years before. What if you could use jiu-jitsu to turn those aggressive public key infrastructure (PKI) requirements into a powerful platform of digital trust?
Building a powerful digital trust ecosystem requires a powerful PKI platform. This platform needs to be resilient and well architected, and it requires broad-spectrum support for full automation. During my time at the RSA Conference 2023, I learned that there are many frameworks, proven platforms, and vendor solutions that can make this digital trust reality come true.
The Automated Certificate Management Environment (ACME) protocol is a framework designed to let an agent communicate with a certificate authority (CA) and provide full CLM automation. ACME addresses key management on endpoints, protocol standardization, and connectivity normalization, so that expired or misconfigured certificates no longer cause an impact. Think of how your machine identity initiative could benefit from implementing something like this.
EJBCA, formerly known as Enterprise JavaBeans Certificate Authority, is an open source CA, released in 2001, that is fully capable of broad-spectrum support for complete CLM. If you are stuck with Microsoft CES/CEP for your CLM program, this is a multi-tenant solution that can scale. It will allow you to automate CLM for your DevOps pipeline, workloads, and microservices. In some cases, this can support IoT trusted identities in manufacturing environments. Finally, EJBCA is the full package – it supports multiple CAs, registration authorities (RAs), and validation authorities (VAs) in a single instance. I was asked by some members if it integrates with HashiCorp Vault or Microsoft Intune. The answer: it sure does.
I spoke to four PKI vendors at RSA this year; below are some insights into their capabilities.
- Venafi – A privately held cybersecurity company founded in 2004, headquartered in Salt Lake City, Utah. Venafi can provide complete PKI CLM capabilities if implemented correctly while leveraging its discovery and automation strengths. It developed the open-source project cert-manager, which was one of the first cloud-native machine identity protection platforms. Machine identity management and CLM are straightforward and intuitive with its Control Plane offering for Kubernetes clusters.
- Keyfactor – The company started as CSS, a PKI consultancy; in 2014 it took what it had learned over the years solving problems for customers and built a SaaS-delivered PKI solution and CLM automation platform. Keyfactor’s strong EJBCA foundation lets you get closer to zero-trust compliance and remediate risks such as wildcard certificates that previously might have been difficult to discover and manage.
- AppViewX – A privately held company founded in 2008, AppViewX started its journey as a network management and automation software outfit. Today, it has a solution that I believe is a very powerful automation platform for CLM and very capable of solving machine identity challenges at large scale. Among the features in the demo that worked well is the Smart Discovery tool – a tool to do discovery across hybrid environments (CAs, cloud, etc.) – and end-to-end CLM automation. The latter seemed particularly powerful to me because it includes many pre-built automated workflows and self-service certificate operations.
- GlobalSign – This company became a public CA in 1996 and today it is in the top five largest CAs worldwide according to Netcraft. Over 60 million certificates and over 207 cloud signatures rely on GlobalSign. When I spoke to the GlobalSign engineers, it was clear the company has the experience, platform, and capabilities to provide an end-to-end PKI CLM solution. It offers everything from a trusted root CA out of the box to fully automated certificate self-service. It is also very focused on IoT support and keen on the industrial setting, mentioning that it has issued over 50 million IoT certificates from its GlobalSign roots.
Google’s announcement applies to public-facing workloads and services, not your internal CLM or encryption policies and standards. At a minimum, the Google guidance should have you exploring automation solutions to solve for the inevitable. As machine identities and zero trust become ubiquitous, your PKI and CLM will need to scale to support the demands for self-registration and automation. The four vendors I interviewed all have capable solutions. Ask whether their discovery solution will charge you for all discovered assets or only the ones being actively managed; this varies across the industry. Define the use cases you will support and what you will need from the solution – digitally signing email, encrypting email (S/MIME support), certificate provisioning and management, Active Directory (AD) integration, and auto-enrollment support for domain-joined assets.
Although many protocols aim to solve the CLM dilemma, ensure native support for ACME, but also ask for Enrollment over Secure Transport (EST) and Simple Certificate Enrollment Protocol (SCEP) support to provide broad-spectrum CLM coverage. It might be important to you to minimize key roaming; with that in mind, many of these solutions integrate with your existing hardware security module (HSM).
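As an added example (not code from the article or from any of the vendors named), the following Python script classifies a constructed certificate inventory against the 398-day and 90-day maximum-validity figures cited above, flagging certificates that are expired, exceed the policy, or have entered their renewal window. The two-thirds-of-lifetime renewal trigger and the sample hostnames are assumptions, not something the article specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy maxima taken from the article: 398 days (the 2020 Apple/Google limit)
# and 90 days (Google's 2023 proposal). RENEW_FRACTION is an assumption:
# renew once two thirds of the lifetime has elapsed, leaving a third for retries.
POLICY_398 = 398
POLICY_90 = 90
RENEW_FRACTION = 2 / 3


@dataclass
class CertRecord:
    subject: str
    not_before: datetime
    not_after: datetime


def assess(cert: CertRecord, max_days: int, now: datetime) -> dict:
    """Classify one certificate against a maximum-validity policy.

    Returns the lifetime in days, days left, the recommended renewal date
    and a status: EXPIRED, NON_COMPLIANT, RENEW_NOW or OK.
    """
    lifetime = cert.not_after - cert.not_before
    renew_at = cert.not_before + lifetime * RENEW_FRACTION
    if now >= cert.not_after:
        status = "EXPIRED"
    elif lifetime.days > max_days:
        status = "NON_COMPLIANT"  # issued for longer than the policy allows
    elif now >= renew_at:
        status = "RENEW_NOW"  # inside the renewal window; automation should act
    else:
        status = "OK"
    return {"subject": cert.subject, "lifetime_days": lifetime.days,
            "days_left": (cert.not_after - now).days,
            "renew_at": renew_at.date().isoformat(), "status": status}


def assess_inventory(certs, max_days: int, now: datetime) -> list:
    """Run assess() over a whole inventory, as a discovery tool would."""
    return [assess(c, max_days, now) for c in certs]


# Constructed sample inventory (hostnames are placeholders, not real hosts).
UTC = timezone.utc
NOW = datetime(2023, 6, 1, tzinfo=UTC)
SAMPLE = [
    CertRecord("www.example.test", datetime(2022, 9, 1, tzinfo=UTC), datetime(2023, 10, 4, tzinfo=UTC)),  # 398 days
    CertRecord("api.example.test", datetime(2023, 5, 1, tzinfo=UTC), datetime(2023, 7, 30, tzinfo=UTC)),  # 90 days
    CertRecord("old.example.test", datetime(2022, 1, 1, tzinfo=UTC), datetime(2023, 2, 3, tzinfo=UTC)),   # expired
]
```

Running the same inventory under both policies shows the jiu-jitsu point: the 398-day certificate is merely due for renewal today, but under the 90-day policy it becomes non-compliant outright.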