The 2021 Tag Cyber Security Annual is out today and it’s jam-packed with 300+ pages of market outlook and industry insights. Tag Cyber recently collaborated with Keyfactor on a framework for approaching enterprise cryptography management and interviewed me on how teams can get a handle on their cryptography mess.
Check out my featured interview below and download the report to read other interviews with experts like Ann Johnson, Corporate Vice President at Microsoft.
Ann will be giving a keynote at the Keyfactor Critical Trust Summit on Oct 21st, so sign up today for free to hear her keynote and 15+ more sessions on achieving crypto-agility!
“Address Your Crypto Mess with Automation” with Ted Shorter
TAG Cyber: What are some of the legacy complaints about PKI?
There’s an annual report we do every year with the Ponemon Institute that highlights some of the core complaints around managing PKI. One main problem is that companies don’t have the right IT and InfoSec people who have expertise in PKI. Around 53% of organizations are unable to hire and retain enough qualified IT security personnel with expertise in PKI. Shifting IT resources, coupled with a decline in the number of PKI and cryptography experts in the industry, have left most PKI deployments shorthanded.
Organizations also tend to think of PKI certificates as they relate to SSL/TLS. They hyper-focus on SSL/TLS certificates used for internet-facing or internal applications. However, SSL/TLS management is only a fraction of the certificate landscape. Cloud services, containers, and service meshes all use machine-to-machine communications that rely on client authentication certificates. Many outages are not caused by expired SSL server certificates, but by a failure to track web service client authentication certificates.
It takes just one to slip through the cracks, yet 74% of IT and security experts believe their organization does not know how many keys and certificates they have, much less where to find them when they expire.
TAG CYBER: What are some of the current market trends affecting PKI and cryptography?
While some tend to paint PKI as outdated, it’s actually being used more than ever. An estimated average of 88,750 keys and certificates are used by organizations today to secure data and authenticate systems.
Migration to the cloud requires significant changes to key and certificate management practices. Most companies embracing DevOps are using certificates to secure containers but are less confident in their ability to scale PKI across on-premises data center, cloud, and hybrid environments.
The largest trend for PKI is in IoT device identity provisioning and management. When you hear that there will be 25 billion connected “things” by 2021, that immediately raises the question: “How are they secured?” Not only do companies need to embed security during the design and manufacturing stage, but they also need to think through how to update that security if it has a certificate.
TAG Cyber: Proliferation of certificates doesn’t seem to be slowing, especially as everyone shifts to work from home. Where does PKI fit in?
You’re right that certificate usage and expansion won’t be slowing anytime soon. PKI is a double-edged sword if not properly conceived and planned. Most PKI out there today is not designed to go beyond the traditional network of the four walls of the organization.
Organizations’ current-state PKI isn’t designed to scale to the cloud and does not have those capabilities built in to reach where the data lives. It can’t be “just protect the things that are in my four walls” anymore. PKI can be leveraged, but the scale must be built in or the PKI must be reconsidered to address the scale.
TAG Cyber: Speed and high assurance can be at odds. How does Keyfactor tackle that challenge?
If you architect a solution from the ground up, knowing that speed will be a requirement, then speed and high assurance won’t be at odds. The challenges we see with our customers are that they’re using legacy architecture and technologies to solve next-gen problems and initiatives.
With our PKI as-a-service, they don’t have to worry about the speed and scale.
For example, a customer in the automotive manufacturing space couldn’t maintain this duality of speed and scale with their current solution. One of the requirements we had to prove out in our POC was the ability to scale certificate issuance and renewal across 500 million+ devices. That’s a lot of devices! Even though they didn’t have many, they wanted to stress the load and scale of our solution to make sure we could future-proof any expansion that would be needed.
TAG Cyber: If a customer starts with a crypto mess, isn’t it still a massive undertaking for them to get started on your platform?
The first step is to get an inventory of what you must understand to address the mess. We have scanning, discovery, and monitoring tools that can scan your entire network beyond your SSL/TLS certificates to find them. We show customers how easily we can do this and they’re blown away at how quickly we identify every crypto asset on their network. And this isn’t a one-time thing; we continuously scan to pull in any certificate that may be issued without their knowledge.
After that, naturally, comes assignment of maturity levels to enable automation and agility. This includes processes like:
- Defining automation and approval workflows for certificate issuance, provisioning, renewal, and revocation
- Identifying high-priority applications for certificate automation (e.g., web servers, load balancers, etc.)
- Aligning with DevOps’ priorities and certificate usage practices
Our platform is designed to keep pace with the growing number of cryptographic keys and digital certificates to decrease operational costs. Many security teams still struggle to deploy and manage certificates using a patchwork of manual spreadsheets, internal PKI, and CA-provided tools.
However, keeping up with certificate renewals isn’t enough to stay ahead anymore, as evolving cryptographic standards are now challenging enterprises’ ability to respond and adapt.
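The inventory step in the last answer, and the earlier point that outages often come from untracked client-authentication certificates rather than from expired TLS server certificates, are the kind of thing a small scanner makes concrete. The Go program below is an added example written for this page; it is not Keyfactor code and says nothing about how Keyfactor's discovery tools work. It takes a PEM bundle (what a file-system or endpoint sweep would collect), notes for each certificate whether its extended key usage includes client authentication, records the key and signature parameters a crypto-agility review needs, and flags expired, near-expiry and sub-2048-bit RSA certificates. The 30-day renewal window, the issue strings, the hostnames, and the three self-signed certificates built by SampleBundle are all constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row for a certificate found in a PEM bundle.
type Finding struct {
	Subject, KeyAlgorithm, SigAlgorithm string
	KeyBits, DaysLeft                   int  // DaysLeft is negative once expired
	ClientAuth                          bool // EKU includes client authentication
	Issues                              []string
}

// Inventory parses every CERTIFICATE block in bundle and inspects each one
// relative to now, flagging anything due for renewal within renewWithinDays.
func Inventory(bundle []byte, now time.Time, renewWithinDays int) ([]Finding, error) {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // private keys, CSRs and the like in a mixed bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		findings = append(findings, inspect(cert, now, renewWithinDays))
	}
	return findings, nil
}

// inspect records the key and signature parameters an agility review needs,
// notes whether the cert is a client-auth cert, and flags expiry and weak keys.
func inspect(cert *x509.Certificate, now time.Time, renewWithinDays int) Finding {
	f := Finding{Subject: cert.Subject.CommonName, KeyAlgorithm: cert.PublicKeyAlgorithm.String(),
		SigAlgorithm: cert.SignatureAlgorithm.String(), DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24)}
	for _, e := range cert.ExtKeyUsage {
		if e == x509.ExtKeyUsageClientAuth {
			f.ClientAuth = true // the machine-to-machine certs that tend to go untracked
		}
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		f.KeyBits = pub.N.BitLen()
		if f.KeyBits < 2048 {
			f.Issues = append(f.Issues, "rsa key shorter than 2048 bits")
		}
	case *ecdsa.PublicKey:
		f.KeyBits = pub.Curve.Params().BitSize
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		f.Issues = append(f.Issues, "legacy signature algorithm")
	}
	if now.After(cert.NotAfter) {
		f.Issues = append(f.Issues, "expired")
	} else if f.DaysLeft <= renewWithinDays {
		f.Issues = append(f.Issues, "renew soon")
	}
	return f
}

// SampleBundle is a constructed demo estate, not real data: a healthy ECDSA server cert,
// an RSA-1024 client-auth cert expiring in 20 days, and a client-auth cert expired 5 days ago.
func SampleBundle(now time.Time) ([]byte, error) {
	ecKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rsaKey, err2 := rsa.GenerateKey(rand.Reader, 1024) // deliberately weak
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("keygen: %v %v", err1, err2)
	}
	day := 24 * time.Hour
	type spec struct{ cn string; key crypto.Signer; notAfter time.Time; eku x509.ExtKeyUsage }
	var bundle []byte
	for _, c := range []spec{
		{"www.example.test", ecKey, now.Add(300 * day), x509.ExtKeyUsageServerAuth},
		{"billing-svc-client", rsaKey, now.Add(20 * day), x509.ExtKeyUsageClientAuth},
		{"legacy-agent", ecKey, now.Add(-5 * day), x509.ExtKeyUsageClientAuth},
	} {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: c.cn},
			NotBefore: c.notAfter.Add(-365 * day), NotAfter: c.notAfter,
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{c.eku}}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, c.key.Public(), c.key)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return bundle, nil
}
```

To try it, call `SampleBundle(time.Now().Truncate(time.Second))`, pass the result to `Inventory` with the same `now` and a renewal window such as 30 days, and print the findings; the RSA-1024 client certificate comes back with two issues and the expired agent certificate with one, while the server certificate is clean. Certificates on live endpoints can be fed through the same `inspect` logic by reading `ConnectionState().PeerCertificates` from a `crypto/tls` connection, and the check is cheap enough to run on a schedule rather than once, which is the continuous-scanning point the answer makes.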