NEW TECH: DigiCert unveils ‘Automation Manager’ to help issue, secure digital certificates

By Byron V. Acohido

How do you bring a $9 billion-a-year, digitally-agile corporation to a grinding halt?

Related: Why it’s vital to secure IoT

Ask Spotify. When the popular streaming audio service went offline globally, last August, we saw a glimpse of just how tenuous digital transformation sometimes can be. Someone reportedly forgot to renew Spotify’s TLS certificate. The outage lasted about an hour, until the certificate in question got renewed.

The devil truly is in the details when it comes to how companies are hustling to leverage cloud infrastructure and spin up cool new apps. TLS certificates are a key component of all of this frenetic activity; they are part of the Public Key Infrastructure, or PKI, the system for authenticating and encrypting all human-to-machine and machine-to-machine connections.

If Spotify has an excuse, it is that the complexity of issuing and managing digital certificates has become prodigious. DigiCert’s Brian Trzupek has been tracking this trend across enterprise deployments of digital certificates.

“Our customers have had challenges with PKI in the past, and now it’s growing as a core piece of keeping their infrastructures running,” observes Trzupek, SVP of product at DigiCert, which issues digital certificates and supplies systems to manage them. “They’re in need of better ways to manage PKI, and it can’t be human error-prone processes. It has to be something turnkey that everyone can just depend upon operationally.”

I had the chance to catch up with Trzupek, and Avesta Hojjati, head of research and development at DigiCert, this week as part of the company’s Security Summit 2021 conference. We discussed the work DigiCert has been doing to strategically automate certificate management as we get deeper into digital transformation. Here are key takeaways:

PKI on centerstage

The commercial Internet is held together by PKI, the framework used to create, deploy and manage digital certificates, which are issued by certificate authorities, or CAs, like DigiCert.

Historically, the most visible public use of PKI has been to authenticate and encrypt consumer website traffic; without it there would be no online shopping, entertainment streaming or social media. What many folks don’t realize is that PKI has also been used at the backend to securely piece together modern business networks.

As company networks have become much more complex and dynamic, this operational role for PKI has taken centerstage. Consider how something called Continuous Integration/Continuous Deployment, or CI/CD, has rapidly emerged. Software developers today work swiftly on small chunks of coding, which they place into a code repository, such as GitHub. This gives other developers easy access to many chunks of coding. Anyone is free to modify, add to or utilize endless small chunks, and out of the other end comes a new app that gets deployed into service, with no human intervention. This is the stuff on which digital agility is built.

Digital certificates come into play for deployments in the modern CI/CD process; a fresh certificate must be issued — and set to expire — for each build, and, ideally, each certificate should be accounted for using data governance best practices. However, CI/CD usage is accelerating at a time when industry trade groups and government regulators lag far behind, in terms of implementing privacy and security guard rails. For instance, there really was no best practices industry standard, nor government regulation, that compelled Spotify to pay much closer attention to its expiring certificates.

Trzupek

“We’re at a time when PKI is just expanding,” Trzupek told me. “It comes into play with all of the tools being used for DevOps and cloud transformation, whether it’s container-signing, or secure-execution environments, or the CI/CD process itself, including the TLS connections taking place between containers and Kubernetes clusters.”

Chance of error

Believe it or not, it’s not unusual for DigiCert to learn that an enterprise is using a manual process to keep track of tens of thousands of digital certificates. “Customers are coming to us and saying, ‘Hey, we’ve had challenges with certain aspects of PKI in the past, and now, because it is growing as a core piece of keeping our infrastructure running, we need better ways to manage this,” Trzupek says. “And it can’t be spreadsheets.”

PKI works by certifying the authenticity of both sides of a data transfer and then issuing two different cryptographic keys – a public key and a private key. The public key gets used on both ends to encrypt the information to be transmitted, but only one party holds the corresponding private key, to decrypt the data on the other end.

It’s not just a matter of dealing with the sheer volume of certificates. The gelling of a new tier of certificate to use-cases to support digital transformation means that perishability has become an important variable, Hojjati told me.

First of all, it takes several steps to obtain and deploy a fresh certificate, he says. This begins by creating a key-pair, generating a certificate signing request (CSR, affirming issuance and, finally, installing the certificate. Configuring certificates is not an easy task, and when carried out manually at a high rate “the chance of error is extremely high,” Hojjati says.

The Spotify outage illustrates the exposure that many organizations face of enduring a potentially crippling disruption. While Spotify may be large enough to absorb an occasional embarrassing service outage, many organizations are not in that position. Adding to this risk is the reality that threat actors continue to intensively probe for poorly configured certificates as pathways to gain unauthorized access.

Once a certificate gets issued and deployed, it’s vital to monitor each and every one. For one thing, the expiration date of each digital certificate needs to be proactively managed. Equally vital, software updates, especially ones that address newly-discovered vulnerabilities, ought to get done in a timely manner, Hojjati says.

Automation to the rescue

DigiCert’s answer has been to build-out a platform of services designed to help companies automate the nuts-and-bolts of certificate management in the fast-changing digital landscape.

“It’s possible to automate all of these procedures to reflect policies set ahead of time in a way that allows the company and the CA to have visibility into the issuing of certificates and managing each certificate, going forward,” Hojjati says.

If PKI and TLS comprise the heart and arteries of modern business computing, then automation is the brain, Hojjati observes. Automation can enable companies to “create that orchestration for how they’re getting certificates, and how they’re able to manage them, both pre-deployment and post-deployment,” he says.

DigiCert is a couple of years into a long-run strategy to deliver a comprehensive platform of services for the care and feeding of PKI and TLS certificates, with automation as a centerpiece. At its event this week, the company announced DigiCert Automation Manager, a containerized enterprise solution for on-premises, high-volume TLS certificate automation. The initial release announced this week focuses on automating certificates for load balancers used in the enterprise. Coming soon will be support for popular web servers and many other features throughout 2021.

With the migration to public cloud and hybrid cloud infrastructures accelerating, the volume of new certificates with shorter and shorter life cycles will continue rising. “Given all of the complexity that goes along with that, we want to jump in and provide as much automation as possible to help our customers keep their systems alive, and to reduce the workload for them,” Trzupek told me.

Clearly, PKI and TLS certificates are destined to be part of the fabric of digital commerce, going forward. It’s encouraging to see necessary advancements of this caliber gaining traction. I’ll keep watch and keep reporting.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.

 

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone