Ryan: Tell us about your company and your CertAccord Enterprise product.
Mike: A company’s name is as important as an astronaut’s spacesuit. Without a good one, you feel like you are wearing an exam gown at a doctor’s office. Our company is Revocent and we built our CertAccord Enterprise product to make IT staff feel like they are wearing a highly engineered PKI solution “spacesuit” and not a drafty old gown that is a bunch of manual processes and a script or two.
CertAccord Enterprise is a Certificate Management Bridge (CMB) between Certificate Authorities like Microsoft ADCS and endpoints running Linux, Mac, Unix, and of course Windows. Microsoft ADCS is a widely implemented PKI solution that has two major shortcomings. First, it only automates certificate provisioning and renewal on Windows endpoints that are AD domain joined. It does not have any automated support for Linux, Mac, and legacy UNIX. Without this, customers are typically implementing manual certificate provisioning processes which are extremely expensive in terms of time, errors, and security breaches.
The second major shortcoming is that even on Windows endpoints, Microsoft ADCS deploys certificates to the certificate store but does not provide any integration with applications. Instead, it is left to IT staff to manually configure each application to use a certificate. This is also extremely time-consuming and expensive, especially when it comes time to renew certificates.
CertAccord Enterprise solves both of these shortcomings by providing a fully automated certificate lifecycle management solution that creates and renews certificates, enables automated integration with applications, and supports all major enterprise platforms such as Linux, Mac, Unix, and Windows.
Ryan: How does CertAccord Enterprise automate digital certificate lifecycle management?
Mike: The focus of CertAccord Enterprise is to enable IT organizations to leverage their existing Microsoft ADCS-based PKI without replacing it or making any significant changes. Once you bolt CertAccord Enterprise on to your existing PKI, you are able to set up automatic certificate provisioning based on AD device groups. This enables certificate provisioning at scale by enabling certificate creation when a system is built or when you deploy certain applications. You can also choose to quickly create certificates on the command line of any supported endpoint, including Linux devices.
The entire solution has a focus on centralized management. You can use the CertAccord Enterprise Management Console to configure and control access to the product and certificate management. These centralized policies and settings are then consumed by CertAccord Enterprise Agent on the endpoints. We also provide lots of ability for IT staff to control how loose or how tight they control settings and policies.
The bottom line is that CertAccord Enterprise enables full lifecycle management of certificates at scale without manual processes.
Ryan: What are the challenges of the industry’s move to shorter certificate lifespans and how can organizations prepare for the threat posed by quantum computing?
Mike: Shorter certificate lifespans are a slow-moving tsunami that is gathering speed. Quantum computing is like a giant earthquake — there are signs that it’s coming and when it does it will be a huge disruptor.
Like natural tsunamis, shorter certificate lifespans are not something IT organizations can control. They can only prepare for it by investing in mitigation solutions such as certificate lifecycle management (CLM) solutions. CLM solutions automate certificate provisioning so that creating new certificates for your entire enterprise is clicking a few buttons and not an “all-hands-on-deck” event.
Many IT organizations see manual certificate creation as a painful, but temporary, problem. When it becomes necessary, they manually renew certificates, but they put off solving the problem permanently with CLM. This is like running away when a tsunami approaches and returning to life as normal when the water recedes. Sure, you solve the short-term problem, but you have to rebuild each time it happens. What’s worse is that shorter lifespans and, eventually, quantum computing becoming viable are much more frequent than tsunamis and huge earthquakes.
When you invest in a CLM solution you are building a foundation that is high, dry, and able to withstand huge earthquakes. Once in place, events like a new reduction in certificate lifespans or quantum computing become an easy task rather than a huge disruptor.
Ryan: What are the risks to organizations presented by manual updates of digital certificates and why is this so challenging?
Mike: When a builder builds a house, does he have his workers use a hammer to nail things together? If they are smart, they invest in a nail gun, which does the same thing as the hammer, but is much, much faster. Using a hammer also has other side effects such as leading to more injuries and making the workers more tired because of the extra exertion required.
Many IT organizations treat manual certificate processes like a hammer. It works and is cheaper for a one-time task. It’s hard to prioritize budget for a CLM solution when the cheap path is just to throw manual processes at the problem and then move on to the next problem. This thinking might be acceptable five years ago when you could have 4+ years of certificate lifespans and nobody could spell quantum computing. Today it’s all about looking at what’s coming this year or sooner and realizing that investing in CLM now will save lots of money, time, and sanity over the course of just one or two years.
One of the key things you get when you have CLM is the ability to improve your security and save money. With CLM, there’s no downside to you if you have a 3-month or a 13-month certificate lifespan. On top of that, your staff is freed up to work on the hard problems of making your business better.
Ryan: How did you first get interested in technology?
Mike: I started out playing with computers when I was in high school. Back then there were very few computers (yes, we did have electric lights) so my only exposure was in “computer” class. My friends were all super nerds, which made me feel like I was an idiot. Not because my friends were mean, but because they were on another level. I tinkered here and there and started learning about the “state-of-the-art” OSs at the time like Unix. Eventually I went to college and figured out that I actually wasn’t such an idiot and after that it got a lot easier.