“CISOs should use 2021 to account for all certificates in their environments and put automated management in place. That way, once quantum-safe certificates are available, they will be poised to act,” says Tim Callan, Chief Compliance Officer, Sectigo, in an exclusive interview with ITSecurityWire.
ITSW Bureau: What challenges do enterprises encounter when securing their web servers, applications and connected devices?
Tim Callan: As the enterprise digital landscape increases in scope and complexity, IT’s optimized approach to securing these environments has changed. Gone are the days of a single firewall around the perimeter of the network with a relatively safe “green zone” inside.
Technology trends like public cloud, DevOps, BYOD mobile devices, frequent repatriation of workloads, work-from-home, and IoT have destroyed the traditional perimeter entirely. Instead, the modern enterprise needs to pursue a “software-defined perimeter” (SDP) or Zero Trust Network Access (ZTNA) strategy, in which each server, laptop, device, user, and process is identified individually and given only the privileges necessary to perform its function.
SDP and ZTNA depend inherently on digital identity, without which they cannot function. And digital identity depends on PKI. Therefore, the rising popularity of these architectures has led to a vast proliferation in the use of digital certificates. At the same time, the stakes are higher than ever, as every function in the enterprise depends on the presence of valid, current, correctly installed certificates.
That means enterprises are feeling more pressure than ever to ensure they correctly deploy and manage the full set of digital certificates necessary to keep running successfully.
ITSW Bureau: In times when cyber-attacks are continuously growing, how can enterprises keep their customers’ confidence by keeping their data safe?
Tim Callan: No doubt about it, breaches are terrible. They can cost companies in downtime, fines, lost business, and SLA penalties, not to mention damage to brand reputation and customer goodwill.
The best strategy is to minimize the risk of data loss or other breaches in the first place.
Today’s enterprise is paying much more attention to Secure Access Service Edge (SASE) strategies as today’s best practice in operating a secure, agile, high-productivity enterprise.
Combined with a robust digital identity solution and robust certificate automation, this approach is considered a best practice in protecting the modern enterprise architecture.
ITSW Bureau: What steps can CISOs take to effectively migrate PKI-based cybersecurity systems to quantum-safe ones?
Tim Callan: At standard key sizes, ECC and RSA algorithms are impossible to crack by methods such as brute force on a traditional computer. However, quantum computers have the ability to attack these algorithms many orders of magnitude faster than is possible with 1/0-gated computing architecture.
Over time, that means all secrets protected with RSA or ECC will be exposed to potential theft. That means quantum computers pose a threat to all the world’s communication, commerce, finance, transportation, manufacturing, logistics, healthcare, research, education, and governmental functions. The potential severity of such an outcome is so extreme that it’s earned its own nickname, the Quantum Apocalypse.
Avoiding the Quantum Apocalypse will require the complete replacement of all digital certificates and other PKI throughout all aspects of industry to use new, “quantum-safe” cryptographic algorithms.
The US government’s National Institute of Standards and Technology (NIST) is leading an effort encompassing academia, government, and industry to arrive at a set of algorithms that enterprises can be confident are safe from quantum computers while still meeting the other requirements of a robust cryptographic foundation for digital systems.
These new algorithms are one or two years away, and when they arrive, enterprises will be motivated to move to them as quickly as is practical.
CISOs today can prepare for this changeover by achieving certificate agility. Certificate agility refers to the ability to immediately and accurately replace any and all certificates in use in the enterprise environment without downtime or other failures.
To achieve certificate agility, enterprises need to focus on automation. Automating deployment, renewal, and revocation/replacement is essential to certificate agility.
But it’s also critically important for enterprises to know which certificates are in use in the first place. IT departments frequently encounter rogue certificates: certificates deployed without the knowledge of central IT. Too frequently, the way the CISO finds out about rogue certificates is when they expire without warning, bringing down essential systems or otherwise disrupting business operations.
CISOs should use 2021 to account for all certificates in their environments and put automated management in place. That way, once quantum-safe certificates are available, they will be poised to act.
Tim Callan is the Chief Compliance Officer at Sectigo, where he’s responsible for ensuring the company’s CA practices conform to industry and regulatory requirements and the company’s published Certificate Practices. Tim has more than twenty years’ experience as a strategy and product leader for successful B2B software and SaaS companies, with fifteen years’ experience in the SSL and PKI technology spaces.