By Byron V. Acohido
To get network protection where it needs to be, legacy cybersecurity vendors have begun reconstituting traditional security toolsets.
The overarching goal is to try to derive a superset of very dynamic, much more tightly integrated security platforms that we’ll very much need, going forward.
Related: The rise of security platforms
This development has gained quite a bit of steam over the past couple of years with established vendors of vulnerability management (VM,) endpoint detection and response (EDR,) and identity and access management (IAM) solutions in the vanguard.
And this trend is accelerating as 2023 gets underway. DigiCert’s launch today of Trust Lifecycle Manager, is a case in point. I had the chance to get briefed about this all-new platform, which provides a means for companies to comprehensively manage their Public Key Infrastructure (PKI) implementations along with the associated digital certificates.
I visited with Brian Trzupek, DigiCert’s senior vice president of product. As a leader of digital trust, DigiCert is best known as a Certificate Authority (CA) and a supplier of services to manage PKI. We drilled down on why getting a much better handle on PKI has become vital in a massively interconnected operating environment. DigiCert’s new solution is designed to “unify PKI services, public trust issuance and CA-agnostic certificate lifecycle management,” he told me.
Here are the main takeaways from our discussion:
PKI sprawl
Where would we be without PKI, the framework used to issue and manage digital certificates? We’ve come to rely on PKI to validate and authenticate all connections on websites and mobile apps – as well as all of the internal IT activity, company-to-company, that supports the digital services we now take for granted.
PKI is robust and ubiquitous; and it’s destined to serve that same essential role — as a linchpin validation and authentication mechanism – the further we progress into massively interconnected, highly interoperable digital services.
First, however, PKI sprawl must be mitigated, Trzupek argues. The problem looks something like this, he says: In today’s operating environment, PKI payloads arrive moment-to-moment from myriad sources: to and from web portals and mobile apps; in between cloud vs. on-premises IT infrastructure; up and down the software development supply chain. What’s more, digital certificates can get issued by different CAs, or by components manufacturers, or even internally by the enterprise itself.
“You’ve got this big, dynamic spaghetti of stuff coming into the network and interacting, using PKI to authenticate and there is very little the enterprise actually controls,” Trzupek observes. “Often times, the company doesn’t even realize all of these PKI interactions are taking place until something breaks and there’s an outage.”
Outages and attacks
DigiCert’s newest service, Trust Lifecycle Manager, tackles this connections chaos head on, by establishing a hub into which all PKI validation routines can get inventoried and continually managed.
The reduced risk of a major outage caused by an expiring digital certificate alone should grab attention. Just ask Epic Games. An expired certificate triggered an outage that caused Fortnite, its cash-cow video game, to go dark for several hours.
And then there’s the risk of ransomware purveyors or a nation state-backed spy flushing out and exploiting a weak seam in an obscure PKI connection, instigating a nightmare scenario. Just ask SolarWinds.
The SolarWinds attackers, believed to be Russian-backed, had to have subverted PKI at multiple levels. They were able to gain control of the build process that SolarWinds used to create and automatically issue software updates to its bread-and-butter Orion network management tool. This enabled the attackers to subsequently breach the networks of 18,000 Orion users.
PKI outages and attacks happen much more often than gets publicly disclosed, Trzupek says. The fundamental reason, he says, is the non-existence, at this point in time, of a practical way to compile a comprehensive PKI inventory across a typical enterprise.
“The guy who’s running identity access management is different than the guy in charge of encryption or the guy running DevOps,” he says. “And they’re not talking to each other . . . the encryption guys might be well-versed in PKI management policy, but the DevOps guys probably aren’t –and even if they were, they’re focused on getting code out and moving workloads a fast as possible.”
Taking a platform approach
With Trust Lifecyle Manager, DigiCert is making a lane change from a product company to a platform company. This new offering is something truly unique – a comprehensive service designed to foster centralized monitoring and management of all digital certificates throughout an enterprise. To start, DigiCert is partnering with Microsoft Azure, Amazon Web Services and Google Cloud to integrate PKI telemetry generated by those top-tier cloud infrastructure providers.
On the horizon, Trust Lifecycle Manager will be able to receive and process PKI-related telemetry originating from just about any private or public source, Tzupek told me.
“We already have about 100 integrations and later this year we’ll be opening up publicly so that anybody can come in and ride on top of the system,” Trzupek says.
By leveraging APIs, DigiCert intends to make it possible to “glue in without any help from us,” he says. “The idea is to create a centralized hub where you can see all those digital trust assets across the environment, regardless of where they are.”
The Internet of Everything lies ahead — and brims with promise. A radical new approach, supported by bold new security platforms, coming at it from several angles, must take hold. That’s how we’ll be able to protect company networks, and preserve individual privacy, in a massively interconnected, highly interoperable digital world.
I’ll keep watch and keep reporting.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
January 17th, 2023