Being adaptable and having sound planning and adaptation abilities are frequently seen as essential traits for every firm.
Crypto-agility, the capacity of a security system to swiftly transition between encryption algorithms, is a fantastic way to demonstrate your adaptability. It necessitates having insight into the areas of an organization where encryption is used, the deployment of encryption technology, and the capability of swiftly identifying and fixing problems when they occur. A business with crypto-agility is able to replace out-of-date assets without severely impacting the architecture of its system.
Although the value of this technology is quickly increasing, several businesses are hesitant to adapt to these developments. As a result, today’s interviewee, Ted Shorter, CTO at Keyfactor, provides vital insight into the potentially detrimental consequences.
How did Keyfactor originate in 2001? What has your journey been like so far?
Keyfactor was founded by Ted Shorter and Kevin von Keyserling in 2001 as a professional services company, working hands-on with Fortune 500 enterprises to build and deploy their public key infrastructure (PKI). In 2014, Keyfactor expanded from services to software to solve a fundamental problem in the cyber industry: existing solutions could not effectively manage the rapid growth of keys and digital certificates required to operationalize today’s modern business.
Co-founders Ted and Kevin realized that in order to address this vastly growing concern, a new approach was needed – one that combines leading PKI expertise along with the tools needed to discover, control, and automate keys and certificates at scale. As a PKI services provider turned software platform, Keyfactor provides the only solution that combines expert-run PKI as-a-Service and certificate lifecycle automation through a single, cloud-delivered solution.
Today, Keyfactor is the leader in PKI-as-a-Service and crypto-agility solutions. Our platform is trusted by 500+ enterprises globally, enabling our customers to proactively prevent outages, reduce operational risks and costs, and drive crypto-agility in emerging DevOps, Cloud, and IoT environments.
Can you tell us more about your crypto-agility platform? What features make it stand out?
Absolutely. But first, let’s take a step back to discuss what exactly crypto-agility is. Crypto-agility means knowing each instance where and how cryptography is being used and having tools and strategies in place to quickly identify issues and replace outdated crypto without intense manual effort or disruption to business-critical applications. This could mean the organization’s cryptographic keys, certificates, or machine identities that identify and securely connect virtually everything in an enterprise network, such as workloads, services, and devices.
Its importance is growing among organizations because the sheer number of keys and digital certificates in use across organizations has skyrocketed as a result of the shift to cloud computing, modern app architectures, and remote workforces. These shifts are making it much more difficult for security teams to respond effectively when something goes wrong, such as when a certificate authority, which validates cryptographic keys and digital certificates, is breached.
Keyfactor’s Crypto-Agility Platform™ is remarkable because it helps organizations seamlessly orchestrate every key and certificate – no matter where they live – so their business is protected from costly outages and security incidents.
Our platform brings all keys and certificates into a single inventory by integrating directly with network endpoints, keystores, and CA databases. This allows organizations to maintain complete visibility and control over all keys and certificates in their environment. By automating certificate lifecycle management at scale, organizations can ensure that all their cryptographic assets are secure and up to date with the latest industry standards, quickly respond to unpredictable changes or vulnerabilities, and reduce the risk of application failures or security breaches by up to 60%.
Another aspect of the platform that stands out from others is its key management capabilities, which enables businesses to administer entire encryption key lifecycles by implementing policies to control access and key management privileges. By leveraging strong user and object policy management, businesses can audit when, where, and how encryption keys have been utilized.
What are the main challenges associated with the Public Key Infrastructure?
Two of the main challenges associated with PKI are limited visibility into the number of certificates within the organization and relying on manual processes to manage these certificates.
Today’s enterprises rely on countless devices to conduct daily operations. Each device has its own unique digital identity that is verified through a digital certificate. Given the number of devices and associated certificates within a single organization, there are some pretty serious visibility limitations a security team can deal with. No matter how many monitoring tools a team uses or how detailed their spreadsheet might be, it’s not the certificates that they know about that cause headaches, it’s the one certificate that was overlooked.
To get a full and accurate inventory of your cryptographic environment, you need visibility into all certificate authority databases, SSL/TLS endpoints on the network, and key and certificate stores. Without this visibility, it’s difficult to detect any unexpected changes, like a certificate expiration.
Considering the sheer volume of certificates that need to be managed across an enterprise, using a manual process to manage the lifecycle of certificates can be extremely frustrating. For those who are responsible for issuing and approving certificates, keeping up with requests can feel impossible. For end users, manually renewing and installing certificates can lead to errors and hours of repetitive tasks. This becomes an even greater challenge when you think about the short life cycle of digital certificates.
In September 2020, the lifespan of SSL/TLS certificates was cut in half, shrinking from 825 days to 398. Without automation, this short life cycle makes properly managing identities much more difficult. Failure to properly secure and manage machine identities opens the door for some certificates to slip through the cracks, increasing the risk of detrimental outages.
Do you think recent global events have altered the way organizations approach cybersecurity?
Without a doubt. As a result of the pandemic, hybrid work appears to be here to stay. While there are benefits to remote work, today’s hybrid work landscape adds even more barriers to properly managing and securing human and machine identities, increasing the opportunity for cyber threats to occur more often than ever before.
This is because employees are now relying on a number of devices to accomplish their work in their new remote environments. Not only are there more devices and more reliance on them, but also each person is connected to a different network, instead of all working from one or two shared networks.
Due to these changes to the work environment, many organizations are starting to adopt more proactive approaches in an effort to prevent identity-based threats, which include properly managing and securing machine identities.
Russia’s invasion of Ukraine is another recent global event that has altered the way organizations are approaching cybersecurity. While the prospect of nation-state-level cyberattacks against organizations has been a real threat for quite a while, a real war happening alongside a cyber war has brought this more into focus for many.
As a result, many companies around the world are taking a step back to analyze their cybersecurity from all angles, making sure every area of their business is secure and nothing slips through the cracks.
Your 2022 State of Machine Identity Management report uncovered some interesting points. What would you consider the key discoveries?
There were many intriguing findings identified by the 2022 State of Machine Identity Management report. The most shocking finding was that 92% of organizations surveyed experienced at least one outage in the past 24 months, putting a spotlight on the growing importance of prioritizing managing machine identities. Many credit this to the shortened lifespans of digital certificates.
Furthermore, 65% admitted that shorter SSL/TLS lifespans are increasing the workload on their teams and the risk of outages – a 10% increase from 2021. However, many don’t see the challenges of managing machine identities slowing down any time soon, with nearly two-thirds of respondents ranking outages due to expired certificates as likely or very likely to continue occurring over the next two years.
Another interesting finding from the report is the challenges associated with recovering from outages. In fact, the average time to recover is 3.3 hours, with 68% of organizations reporting a recovery time of 3-4 hours or more. That network downtime could be detrimental to the organization, as it can cost an estimated $300,000 per hour. Not to mention, if a business-critical website or application is affected by an outage, brand reputation and revenue suffer as well.
Why do you think certain organizations are unaware of the threats hiding in their own systems?
Many organizations are unaware of the threats hiding within their own systems due to a lack of organizational-wide visibility that is required to protect against today’s threats. It is incredibly challenging to properly secure all the human and machine identities that make up an organization, especially in a hybrid world.
Automation is the key to improving organizational-wide visibility. When it comes to identities, automation can provide visibility across an enterprise’s public and private CAs, network devices, and cloud infrastructure, helping organizations discover any unknown certificates across their network and bring them into a centralized inventory. Further, security teams can simplify renewals quickly by leveraging fully automated certificate renewals and provisions to end devices without the need for admin intervention.
In today’s hybrid world, the visibility gained from automation significantly helps properly secure and manage every single device that makes up that enterprise.
What kinds of threats do you think businesses should be prepared to take on in the next few years?
In the upcoming years, businesses will have to start preparing for quantum computing. In May of this year, the Biden Administration announced two presidential directives aimed at advancing national initiatives in quantum science and raising awareness of the potential threats quantum computing will bring to the integrity of internet security. In doing so, the administration recognized that no data is safe from future attacks as quantum computing matures.
In fact, this was a hot topic at this year’s RSA Conference. Many professionals in the industry are encouraging organizations that the time to start preparing for a post-quantum world is now.