TalkingTrust with Thales and DigiCert - PKI
Public Key Infrastructure (PKI) is the proven framework for securing communications, transactions, network access and data, and for verifying ownership or authorship. However, traditional PKI deployment can be complicated and time-consuming, and if the private keys are not properly secured there is a risk of a security breach. DigiCert, a leading provider of PKI solutions, has teamed up with Thales, an industry leader in data protection, to provide a “minutes, not months” deployable solution with automation for keeping keys safe and protecting your communications and assets. Join DigiCert and Thales to discover how a modern PKI platform and Thales Hardware Security Modules (HSMs) establish roots of trust and drive security.
Join DigiCert and Thales in a discussion about how a modern, “minutes, not months” deployable Public Key Infrastructure platform integrated with a Hardware Security Module (HSM) is critical to establishing a root of trust and ensuring the protection of digital keys and business assets.
John Ray, Director of HSM Product Management at Thales
Brian Trzupek, Senior Vice President, Product Management at DigiCert
Review all integrations and supporting documents for Thales with DigiCert.
Thales Technology Partner: cpl.thalesgroup.com/partners/digicert-inc
Partner website: www.digicert.com
00:10 Hi everybody.
00:11 Welcome to the next installment of
00:13 the TalkingTrust video series.
00:16 My name is John Ray. I’m the Director of
00:18 HSM Product Management at Thales, and I’m
00:21 joined today by
00:22 Brian Trzupek, the Senior VP of Product Management
00:26 from DigiCert. Hi Brian. Hey John. Thanks
00:29 for having me here today.
00:30 Welcome to the show.
00:33 Today we are going to talk about how DigiCert
00:36 and Thales are making
00:37 PKI easy for our customers,
00:41 so let me get some slides up here. So
00:44 Brian, what's so important about PKI?
00:4 John so you know from a DigiCert
00:52 perspective, we look at
00:55 three main pieces to PKI. The
00:57 authentication, the encryption, and the integrity.
01:01 And we look at these three things
01:03 uniquely with PKI because you can do
01:06 it so effectively, so securely.
01:08 You know, this PKI technology has been
01:10 around for the plus side of 20 years
01:12 and it has weathered the test of time
01:14 very very well.
01:16 Very high security applications built
01:17 on this and so we have at this core from
01:22 providing user device authentication data
01:25 encryption and system integrity around these
01:28 three principles.
01:30 This is where our products
01:32 fill out and where we work with Thales a
01:34 lot to deliver on this vision. So it's
01:38 really a foundational technology for a lot of
01:41 security systems, isn't it?
01:42 That's right. It's found in
01:44 everything. I mean you're talking door locks,
01:46 IoT, government entities, passports.
01:50 websites. You know, it's everywhere.
01:54 It certainly is.
01:58 So from a DigiCert perspective, to
02:01 go just a layer deeper, we have
02:04 a platform called DigiCert ONE, and this is
02:08 really DigiCert bringing together a lot of
02:10 technologies that we've developed
02:12 through the years. This is
02:14 backed by our generation
02:15 five CA infrastructure,
02:18 and we pulled this forward into a
02:20 cloud native platform that offers a super flexible deployment
02:25 in factories, on-premises, for
02:27 customer clouds, and we
02:29 have a managed offering ourselves.
02:32 It allows the customers to use
02:34 those kinds of PKI use cases
02:37 that we just mentioned briefly in any way that they want,
02:40 and have very secure software that
02:43 is then updatable in all of those paths and
02:45 deployment patterns. Deploy that in
02:48 huge scale so if you have the
02:51 cloud behind you, if you know we're
02:53 running in a Kubernetes sort of infrastructure,
02:56 you can dynamically scale out across resources
02:59 and we deliver all of that
03:01 great tech stuff behind the scenes
03:04 on top of offering very customer-centric workflows
03:08 around things like enterprise authentication,
03:11 DevOps, IoT, document signing, and some
03:14 things we'll talk about later.
03:16 In all of this you know it's backed from
03:19 a PKI perspective with HSMs and we
03:21 have very tight integrations with Thales. So
03:24 it's all about making it easier for customers to deploy that scale.
03:29 That's right. Deploy and use,
03:31 because what we saw in previous platforms was
03:34 that customers would try to
03:36 use a generic PKI platform to solve
03:39 all kinds of needs I just mentioned, and they'd run into trouble
03:43 because one platform can't be built to solve all
03:46 of those things. So when you look at the
03:48 actual customer-centric perspective for
03:50 how they're trying to solve things,
03:52 meet them there with PKI, all of a sudden
03:54 you've got some magic and
03:55 and that's where we saw
03:57 lift off. Okay so it's about deploying
04:00 and managing once it's deployed.
04:02 Yeah, excellent.
04:05 So how does that tie into the HSMs?
04:08 That's a super good question. So we’ve
04:10 got a little screenshot here.
04:11 This is one of the areas we're super
04:13 proud of. In the product stack the
04:15 the first HSMs that we implemented and
04:18 integrated with were the Thales HSMs, and you can
04:21 actually see in the screen here
04:23 some of the SafeNet provider setup.
04:25 But not only did we integrate with those,
04:29 we also you know provided
04:32 really rich management. We have a pretty industry-leading
04:35 web console where you can
04:37 actually configure the HSM, you can
04:39 configure HA groups, you can
04:41 do all sorts of HSM management very very easily
04:44 from the web page right inside the
04:46 Kubernetes console,
04:48 deploying into a containerized infrastructure
04:52 mapping back to your Thales HSM for that
04:54 strong key protection
04:55 and providing powerful roles and rights
04:57 and access controls around
04:59 policy driven access to that. So from a foundation
05:03 you can deploy strong trusted PKI root
05:06 certificates ICAs etc. protected in the HSM,
05:09 and then upstream in the different
05:11 workflows in the application.
05:13 Customers are able to consume that and
05:14 use it without having to worry about all that HSM
05:17 layer or configuration, they can get to work.
05:21 So I guess PKI and HSMs and
05:24 that foundation they go together
05:26 that protection of that key
05:29 and keeping it easy for the deployment
05:31 and the management of that is
05:36 important. Yeah that's right, and in all
05:38 of our use cases that key protection is
05:40 absolutely critical.
05:42 You know we have many government
05:43 types of use cases, large industry.
05:46 You know there's different
05:48 ways people are using this and they want
05:49 to ensure the integrity of trust for their systems.
05:52 All right, and I guess when it gets to
05:56 that making it easy, it's making it quick to deploy as well.
06:02 It is. One of the benefits that we
06:06 have seen is you know we had a system
06:09 and some customers still have it out there
06:11 that was on-premises and a very traditional
06:16 Windows install architecture, get a database
06:20 running behind it, and cluster
06:22 and configure and do all these things.
06:24 It took us with our customers often times
06:28 10 weeks. You're
06:30 talking two and a half months in some
06:31 cases to deploy and configure and get to a
06:35 usable PKI system. That's a lot of
06:38 time. That's a lot of opportunity cost.
06:40 Now with the modern PKI we're doing this
06:44 in minutes not months, and we have the
06:47 ability to, you know if you already have
06:49 a Microsoft Azure cluster,
06:51 Kubernetes cluster or something
06:52 configured, you can deploy into that
06:54 pretty much instantaneously. You can
06:56 connect that with a Thales HSM
06:58 and you can be up and running within an hour,
07:02 and now from a customer perspective they
07:05 can test the system. They can test
07:07 integrations. They can now forget
07:09 about all of that heavy lifting
07:11 and get to work using PKI almost immediately,
07:14 and that really helps out everybody.
07:19 Yeah that certainly does when you
07:21 can do things quickly,
07:22 get rid of all that I'll call it
07:24 baggage, and deploy quickly, test quickly.
07:27 That certainly helps. Now we talked
07:29 about or you mentioned earlier,
07:33 the high level value of PKI
07:35 and for authentication encryption and integrity,
07:38 how do you break that down into the more
07:40 real world use cases that
07:42 it fits into. Yeah I mean I could go
07:46 for a half hour on this slide, so real quick I think
07:50 at its core DigiCert is providing easy to
07:54 use PKI. We're doing that through automation
07:56 where PKI is unseen. You know our
07:59 customers tell us that's where it's most
08:01 valuable. It's seamlessly
08:03 working and it's not burdening people. We
08:05 see five major groups of use cases
08:08 and we have workflows built around these.
08:10 Servers - you know your typical
08:12 kind of web server, the key
08:14 management associated with web server
08:16 where Thales comes in
08:17 in those perspectives too. User - so
08:19 if you think about enterprise users,
08:21 email security like S/MIME,
08:25 synchronizing keys across multiple
08:27 applications, mobile devices,
08:29 laptops, iPads, authentication,
08:31 and MDM. Those sorts of activities all
08:34 have PKI powered behind it for
08:36 protection of those assets.
08:38 So Brian, with the servers and the
08:40 users it's really about
08:42 ensuring the identity of those different things.
08:45 Yeah, identity for the web server
08:49 use cases absolutely, mobile devices,
08:52 authentication, email, there's
08:55 identity in there. Email also is about
08:57 encryption of those messages
08:59 and tampering with.
09:00 Protecting that data too.
09:03 You look forward then like document
09:06 signing use cases where we work in the EU,
09:10 like eIDAS and qualified signing and
09:13 Adobe integrations for consumer solutions
09:17 where we're able to do individual mass
09:18 signing regulated, where we're
09:20 implementing these flows to allow people
09:22 to get these documents signed and use
09:24 third-party systems to do that,
09:25 and we're providing that key management
09:27 underneath and we're making all that HSM
09:29 management and all those components
09:31 pretty seamless for those customers to consume it.
09:34 From a device management perspective in
09:36 the lower right if you think about IoT,
09:39 we do everything from the chip
09:40 manufacturer in the supply chain where
09:42 they're fabricating chips,
09:43 through the device manufacturer in
09:45 factory and injecting credentials or identities
09:48 into devices, authentication into devices,
09:50 to when a device gets fielded
09:52 and needs to be updated and firmware
09:55 needs to be signed and things like that.
09:56 We cover that whole spectrum of those
09:58 those use cases and I think that's a
10:00 highlight that those use cases are very
10:01 different than the others, Yeah and that
10:03 seems to be a growing area with more and more
10:06 connected devices from phones to smart home to
10:12 even printers and things like that.
10:14 Everything. Airplanes. So everything in there
10:19 and then last but not least is DevOps
10:21 which you know it's just such a growing area
10:24 with cloud transformation these days.
10:26 Customers changing the security
10:28 perimeter of their infrastructure to
10:30 include the cloud. They want to ensure
10:32 the integrity of containers,
10:34 workloads. They want to ensure the
10:38 identity of those things as well
10:40 so that they can have trusted systems
10:42 running in maybe third-party operated
10:44 data centers or cloud environments while
10:48 managing the secrets and the privacy
10:49 related to how developers or
10:53 the SRE teams are deploying software,
10:55 and so we have very tight
10:56 integrations to automate all of these.
10:59 Yeah, and I think in the world
11:01 security is being built in by the
11:03 developers, so you need to
11:04 have this sort of nice workflow built in
11:07 with them. It's not added on after the fact anymore.
11:10 Yeah, that's right.
11:12 You can skip to the next one where we
11:14 talk a little bit about that. So to that point,
11:17 it's a great segue from the developer
11:20 perspective. Just starting down there
11:22 those integrations we have for that
11:23 automation is right into the things like
11:25 the IDEs that they're writing code in, right into the
11:28 Kubernetes and Docker management
11:31 systems that they're using things like that,
11:33 and you go around you know kind of the circle here.
11:36 There's all of this third-party
11:38 technology in all these PKI use cases
11:41 where PKI's being used,
11:42 and we just have these integrations to
11:44 them where we can help manage whatever it is
11:47 related to some of the key
11:48 aspects of the usage of them to the PKI
11:51 deploying certificates and
11:53 allowing identity access or encryption
11:55 in all these places.
11:58 So this really shows a lot of the
12:00 different integrations of the solution of the PKI,
12:05 and DigiCert and the HSMs with
12:09 other third-party products and how it
12:11 ties in. Yeah, that's right, and in devices
12:14 down there, just as an example like you
12:15 see Thales down there.
12:17 You know, that's a great example of where
12:19 we work together because
12:20 in that device manufacturer segment for IoT
12:24 where you know somebody's producing a device,
12:28 oftentimes they want the PKI system in that
12:31 factory or in the network of the
12:33 factories, and they also want the HSMs there.
12:35 They want full key sovereignty protection,
12:38 data sovereignty as things are going
12:41 into devices to be sent out into the world. It's a
12:44 great way where the combination of all
12:46 these technologies come together to
12:47 really solve a meaningful problem for those guys.
12:50 So that that segues nicely into
12:53 different deployment options and where people
12:57 are looking to deploy. You talked about sovereignty
13:0 and inside a datacenter, a particular factory
13:04 versus a cloud sort of service or solution.
13:08 Yeah, so I think when you look at
13:12 you know this is an example of a
13:14 high-level deployment architecture.
13:16 There's so many ways people can deploy this
13:18 in so many different scenarios, but I think the keys
13:22 of what a deployment looks like is right. There's a
13:26 PKI server centrally, and we do
13:28 things with like auto enrollment
13:30 software you know auto enrollment
13:31 itself in Microsoft technologies,
13:34 enterprise gateways that are on-premises
13:36 for customers to control enrollments and
13:38 allow users to tie to directories and enroll.
13:42 We have the clients, so Windows, Mac,
13:45 all these things that take care of
13:47 that endpoint technology to configure
13:49 the PKI, deploy it, get it into
13:52 software that's using it so that users
13:54 don't have to. If you gave a user
13:55 an S/MIME cert and said go configure it
13:57 across all your devices so that the keys work,
13:59 that's never going to happen and so we
14:01 have the software that
14:03 ties in whether it's mobile laptop,
14:05 whatever, to do that and make all
14:07 those things work.
14:08 This is one example but all of this
14:11 ultimately is backed where we have
14:14 a Thales HSM in multiple places here
14:17 for our customers when they
14:20 have a solution that is on-premises and
14:22 talking back hybrid, talking back to our
14:24 cloud, they're going to want to protect
14:26 those keys, those communication keys,
14:28 those authentication keys to their core
14:29 CA that's in our cloud
14:31 with the Thales HSM on their end to
14:34 protect how things are authenticating and how
14:36 any local key escrow is happening, they could you know
14:40 store keys and escrow them for any of these use cases
14:43 on-premises and work with a hybrid PKI deployment.
14:47 And then obviously as we're back ending
14:50 an HSM or a PKI as a managed service for somebody,
14:54 we have the HSMs using
14:57 providing strong protection for those
14:59 keys related to the root CAs, and the
15:02 signing CAs, the ICAs that customers are
15:04 deriving PKI credentials from,
15:06 it really powers this whole thing.
15:10 Yeah so it looks like lots of different,
15:12 like you said, a million different ways how you
15:15 could deploy PKI for all of those
15:17 different use cases with different
15:19 requirements, and it looks like we have
15:21 flexibility here for the customers to choose what fits.
15:24 That's right. That's a great summary. Okay
15:27 perfect. So when you put all this together,
15:33 why DigiCert and Thales, why Thales HSMs,
15:36 how do they fit in to work to help solve these
15:41 PKI deployment issues and make it easy for customers?
15:44 Yeah I mean it's so foundational
15:47 these two things just belong together right.
15:50 If you have the workflows that we're
15:52 providing for things like root of
15:54 trust or you know compliance auditing cert management,
15:57 that's all great but unless those keys
16:01 those ICAs, those roots, unless those assets are protected
16:05 with an HSM the whole system is worthless.
16:08 You don't have any value, you
16:10 don't have any trust in PKI
16:12 without that strong protection
16:13 underneath it and it's not just that PKI or
16:17 the roots and the ICAs like I said,
16:19 it's also you know when customers are actually using this
16:22 things like key escrow and some of these
16:24 other areas where you're generating PKI assets and you
16:27 need to securely store them
16:29 so that somebody else can't access them.
16:31 That's what's underneath this whole platform.
16:34 Yeah, I guess one of the things with PKI is that
16:38 the technology comes down to
16:41 the protection of a root key makes it
16:43 easy to deploy in all the different
16:45 devices or entities or,
16:50 devices or identities trust each other, but
16:54 it relies on that one key and so
16:57 making sure that's well protected is really important.
17:00 Yeah exactly and I guess compliance
17:03 sometimes comes into play too but
17:04 depending on the use case.
17:06 Yeah I mean you look at a
17:08 government or even IoT where they maybe
17:10 have some regulations they need to
17:12 produce devices with,
17:13 in a lot of cases there could be
17:14 regulatory components for how they need
17:16 to manage data and encrypt it and sign it and store it and
17:21 provide access to it and it's integral
17:23 to what we're providing.
17:26 Absolutely, and I guess from a cost
17:28 perspective if it's quick to set up and
17:30 easy to set up then that
17:32 certainly reduces the cost. Yeah that's
17:34 right. I mean the fact that we can
17:36 deploy so quickly and get customers
17:39 connected, we've got
17:40 all these standard protocols: SCEP, EST,
17:44 CMPv2, ACME, all these things
17:46 built into the platform so people can
17:48 get going really quickly. That allows them to get in,
17:53 scale use this thing and do this at record setting pace
17:59 that we haven't had before so that their
18:01 time to value has just
18:04 decreased so dramatically that they can
18:07 immediately judge what the system
18:09 is going to do for them. Absolutely,
18:11 and I guess from we mentioned,
18:14 easy to set up but also continuing the
18:17 management and the auditing and the reporting of that,
18:19 that's a really important part to it and making sure that
18:22 is easy to do as well. Yeah, I mean it's
18:2 always a piece where you have
18:27 regulation, where you have PKI,
18:29 where you're providing roots of
18:30 trust, you need to have that
18:32 auditability. You need to
18:33 have the ability to produce and
18:36 demonstrate that for third parties or
18:38 internal parties that are interested in
18:40 how you protected these assets and
18:42 ensuring that you do have trust and
18:44 that's where certificate management comes in.
18:46 So on top of all of these great
18:48 things we talked about
18:49 having all those protocols, having all
18:51 these workflows, having the auditability,
18:53 the strong key protection,
18:55 that ties it all together so that
18:56 ultimately below this layer of PKI you
18:59 can manage the certificates inside of
19:01 all these workflows customers are using.
19:04 Awesome. So that's a really great
19:06 overview of how DigiCert and Thales have
19:08 been working together to
19:10 to make it easy, make PKI
19:13 easy for our customers. We've got
19:16 some information here that if you want any more
19:19 information there's a nice solution brief talking about
19:24 DigiCert and PKI management. We've got
19:27 some information on the integration
19:29 of DigiCert and Thales HSMs and
19:34 some more general information in
19:36 general, and links here
19:38 if you want to go and look at some
19:40 of the other TalkingTrust
19:42 videos. So I'd like to in closing
19:46 bring us back to our faces.
19:49 I'd like to thank Brian for that
19:52 excellent talk and information on PKI
19:56 and HSMs together from DigiCert,
20:00 and like to thank everybody for listening
20:03 and watching and hope you have a good
20:05 day. Thanks for having me.
Secure PKI Management solutions with DigiCert® and Thales - Solution Brief
DigiCert, the world’s leading provider in PKI solutions, has teamed up with Thales, the worldwide leader in data protection, to provide a joint solution for authenticating and encrypting user communications, systems, emails, documents, websites and servers.
Securing Emerging Technologies with Thales Luna HSMs - Solution Brief
In today's digital world, enterprise and government are in a state of flux. Organizations are optimizing by taking workloads to the cloud, or forging ahead transforming, taking advantage of a wide variety of emerging technologies. They are revisiting their strategies due to...
Thales Luna Network HSM - Product Brief
Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance.
DigiCert Platform 8 with Thales HSMs - Integration Guide
This document describes the installation and configuration steps for SafeNet Network HSM to be used by the DigiCert PKI Enterprise Gateway and Autoenrollment server.