MY TAKE: PKI, digital certificates now ready to take on the task of securing digital transformation

Just five years ago, the Public Key Infrastructure, or PKI, was seriously fraying at the edges and appeared to be tilting toward obsolescence. Things have since taken a turn for the better.


PKI is the authentication and encryption framework on which the Internet is built. The buckling of PKI a few years back was a very serious matter, especially since there was nothing waiting in the wings to replace PKI. Lacking a reliable way to authenticate identities during the data transfer process, and also keep data encrypted as it moves between endpoints, the Internet would surely atrophy – and digital transformation would grind to a halt.

The retooling of PKI may not be sexy to anyone outside of tech geeks. Nonetheless, it is a pivotal chapter in the evolution of digital commerce. One of several notable contributors was DigiCert, the world’s leading provider of digital certificates and certificate management solutions.

I had a chance to interview Brian Trzupek, DigiCert’s senior vice president of emerging markets products, at the company’s Security Summit 2020 in San Diego recently. For a full drill down on our discussion, please give the accompanying podcast a listen. Here are a few key takeaways:

PKI’s expanding role

PKI revolves around the creation, distribution and management of digital certificates issued by companies known as certificate authorities, or CAs. In the classic case of a human user clicking to a website, CAs, like DigiCert, verify the authenticity of the website and encrypt the data at both ends.

Today, a much larger and rapidly expanding role for PKI and digital certificates is to authenticate devices and encrypt all sensitive data transfers inside highly dynamic company networks. We’re not just talking about website clicks; PKI comes into play with respect to each of the millions of computing instances and devices continually connecting to each other – the stuff of DevOps and IoT. It can be as granular as a microservice in a software container connecting to a mobile app, for instance. Each one of these digital hookups requires PKI and a digital certificate to ensure authentication.

Much like the Internet, PKI evolved somewhat haphazardly in the first two decades of this century to enable website activity – and it has come a long, long way since. PKI’s core components derive from open source, corporate and entrepreneurial beginnings. By 2015 or so, the early pioneer PKI services companies had made their profits and had gotten themselves swallowed up by tech conglomerates in a wave of consolidation.

In late 2017, DigiCert announced it would acquire Symantec’s PKI division for $1 billion. At the time, Symantec very much wanted out of having anything to do with PKI; Google had just announced plans to distrust all Symantec-issued certificates, after a long tussle with the security vendor for failing to meet industry standards. DigiCert took the best of what Symantec had and combined it with tech that DigiCert did well, and worked feverishly to modernize PKI.


“Symantec just didn’t spend a whole lot of time actually integrating those businesses,” Trzupek told me. “They had acquired all of these PKI systems, order-entry systems, e-commerce systems, validation systems. . . it was like a million tiny freestanding companies and we had to try to figure out how to consolidate all of that.”

Platform challenges

A lot has transpired over the past two years. The CA/Browser Forum, an industry standards body founded in 2005, accelerated initiatives to drive better practices and guidelines. Outside of the CAB Forum, many industries, from healthcare to automotive to manufacturing, have created standards and implemented digital certificate protections through global PKI practices that strengthen device security.

Taken together, these efforts have brought a semblance of order to the topsy-turvy world of enterprise PKIs. Companies had come to rely on a hodgepodge of systems to authenticate remote workers and contractors, while at the same time delving deeper into DevOps, and also pressing forward with wider use of IoT systems.

“What we saw across all of that was a platform problem,” Trzupek says. “People were trying to use PKI and certificates in many different kinds of ways and all of this was being jammed through very old legacy tools.”

For its part, DigiCert responded by sending Trzupek on the road to visit 70 PKI customers in 12 nations and listen closely to what was on their minds. DigiCert used that feedback as the basis to design leading-edge PKI deployment and management tools and services, built on a flexible, scalable platform for speed and efficiency.

“The first step is to take a very manual inventory of what the parent company is doing with PKI, and what all of the sub-entities and subdivisions are doing with PKI, just figuring out who manages those projects and what PKI is being used for,” Trzupek says. “Then there’s an organizational component where you can consolidate management of PKIs and do things like standardizing tools.”

Future use cases

Innovations to help companies more efficiently manage sprawling PKI deployments continue to advance, and none too soon. Large and mid-sized enterprises are stepping up their use of DevOps and embracing philosophies like “fail fast,” the notion of quickly deploying minimally viable software to learn where it works or fails, and then iterating and remediating the shortcomings.

This is how dynamic services are getting spun up; such services are capable of scaling up to serve high volume demand, cheaply and very quickly, and then wind down just as quickly. DigiCert is focusing on putting PKI at the nerve center of these types of scenarios, where short-lived certificates, with low latency and high availability, come into play.
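The short-lived certificates described above can be illustrated with a small, self-contained example (added here; it is not DigiCert’s code nor from the original post). A constructed internal CA issues a leaf certificate to a hypothetical service, `orders.svc.internal`, valid for only ten minutes; a peer’s verification then succeeds at issuance time and fails once that window has passed, which is what lets operators lean on short lifetimes rather than revocation for ephemeral workloads.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issueChain stands in for a CA issuing a short-lived certificate to a freshly
// spun-up service: a constructed internal CA signs a leaf valid only for ttl.
func issueChain(svcName string, ttl time.Duration) (*x509.Certificate, *x509.CertPool, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Internal CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	caCert, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: svcName},
		DNSNames:  []string{svcName},
		NotBefore: now.Add(-time.Minute), // small allowance for clock skew between peers
		NotAfter:  now.Add(ttl),          // short lifetime: expiry, not revocation, retires it
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	leaf, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return leaf, pool, nil
}

// verifyAt runs the chain, name and validity-period check a TLS peer performs
// during the handshake, evaluated at an arbitrary point in time.
func verifyAt(leaf *x509.Certificate, pool *x509.CertPool, name string, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: name, CurrentTime: at})
	return err
}

func main() {
	leaf, pool, _ := issueChain("orders.svc.internal", 10*time.Minute)
	fmt.Println("now:", verifyAt(leaf, pool, "orders.svc.internal", time.Now()), "| +1h:", verifyAt(leaf, pool, "orders.svc.internal", time.Now().Add(time.Hour)))
}
```

The first check returns `<nil>` and the second returns an expiry error, so any service instance that outlives its certificate must fetch a fresh one, which is why low-latency, highly available issuance matters in these deployments.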

“A lot of places need dynamic scale related to consumption, and they need that environment to be trusted, and that’s where PKI comes in,” Trzupek says. “As we look to the future, it’s all about getting more dynamic so we can interoperate with that world and produce certificates as they need them.”

It’s encouraging that PKI is once again on solid footing; we’re certainly going to need it, going forward. “Data is the new oil,” futurist and theoretical physicist Dr. Michio Kaku told attendees of DigiCert Security Summit 2020. Following the mainstreaming of steam power, then electricity and then the Internet, we’re today on the brink of a fourth wave of giant technical leaps forward, observes Kaku, author of The Future of the Mind: The Scientific Quest to Understand, Enhance, and Empower the Mind.

Kaku argues that silicon chip-based computing has maxed out and will very soon be replaced by quantum computers, which manipulate atoms to make massive calculations. Quantum computers can rather easily break the strongest encryption we have today. The good news is that the tech community has factored this into long-term planning for the care and feeding – and future viability – of PKI.

A major public-private effort is underway to revamp classical cryptography, and ultimately replace it with something called post-quantum cryptography, or PQC. DigiCert happens to be in the thick of this effort and has already begun offering strategies for companies to future-proof sensitive systems for the coming of quantum computing.

“Devices being put into service today, like cars and airplanes and IoT systems that have embedded sensors, have long-term life cycles,” says Avesta Hojjati, DigiCert’s head of research and development. “We’re striving to protect those devices, right now, against threats that are coming in the next five to 10 years.”

In an environment where “fail fast” is the philosophy ushering us into the quantum computing era, there is a huge role for robust, reliable and continually improving PKI. We appear to be on that path. I’ll keep watch.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: