TalkingTrust with Thales and DigiCert - PKI
Public Key Infrastructure (PKI) is the proven framework for securing communications, transactions, network access, data and verifying ownership or authorship. However, traditional PKI deployment can be complicated and time-consuming. Also, if the digital keys are not properly secured, there are risks of a security breach. DigiCert, a leading provider in PKI solutions, has teamed up with Thales, an industry leader in data protection, to provide a “minutes, not months” deployable solution with automation for keeping keys safe and protecting your communications and assets. Join DigiCert and Thales to discover how a modern PKI platform and Thales Hardware Security Module (HSM) establish roots of trust and drive security.
Join DigiCert and Thales in a discussion about how a modern, “minutes, not months” deployable Public Key Infrastructure platform integrated with Hardware Security Module (HSM) is critical to establish a root of trust and ensure safe protection of digital keys and business assets.
Speakers:
John Ray, Director of HSM Product Management at Thales
Brian Trzupek, Senior Vice President, Product Management at DigiCert
Review all integrations and supporting documents for Thales with DigiCert.
Thales Technology Partner: cpl.thalesgroup.com/partners/digicert-inc
Partner website: www.digicert.com
Resources:
Video Transcript
TalkingTrust Series - DigiCert – PKI
00:10 Hi everybody.
00:11 Welcome to the next installment of
00:13 the TalkingTrust video series.
00:16 My name is John Ray. I’m the Director of
00:18 HSM
00:19 Product Management at Thales, and I’m
00:21 joined today by
00:22 Brian Trzupek, the Senior VP of Product
00:25 Management
00:26 from DigiCert. Hi Brian. Hey John. Thanks
00:29 for having me here today.
00:30 Welcome to the show.
00:33 Today
00:34 we are going to talk about how DigiCert
00:36 and Thales are making
00:37 PKI easy for our customers,
00:41 so let me get some slides up here. So
00:44 Brian, what's
00:45 so important about PKI?
00:4 John, so you know from a DigiCert
00:52 perspective, we look at
00:55 three main pieces to PKI. The
00:57 authentication,
00:58 the encryption, and the integrity.
01:01 And we look at these three things
01:03 uniquely with PKI because you can do
01:06 it so effectively, so securely.
01:08 You know, this PKI technology has been
01:10 around for the plus side of 20 years
01:12 and it has weathered the test of time
01:14 very very well.
01:16 Very high security applications built
01:17 on this
01:19 and so we have at this core from
01:22 providing
01:22 user device authentication data
01:25 encryption and
01:26 system integrity around these
01:28 three principles.
01:30 This is where our products
01:32 fill out and where we work with Thales a
01:34 lot to
01:35 deliver on this vision. So it's
01:38 really a
01:39 foundational technology for a lot of
01:41 security systems isn't it?
01:42 That's right. It's found in
01:44 everything. I mean you're talking door
01:45 locks,
01:46 IoT, government entities,
01:48 passports.
01:50 websites. You know it's everywhere.
01:54 It certainly is.
01:58 So from a digital perspective, to
02:01 go
02:01 just a layer deeper, we have
02:04 a platform
02:06 called DigiCert ONE and this is
02:08 really
02:09 digital bringing together a lot of
02:10 technologies that we've developed
02:12 through the years. This is
02:14 backing with our generation
02:15 Five CA infrastructure,
02:18 and we pulled this forward into a
02:20 cloud native
02:21 platform that offers a super flexible
02:24 deployment
02:25 in factories on-premises, for
02:27 customer clouds, and we
02:29 have a managed offering ourselves.
02:32 It allows the customers to use
02:34 those kinds of PKI use cases
02:37 that we just mentioned briefly in any
02:39 way that they want,
02:40 and have very secure software that
02:43 is then updatable in all of those paths and
02:45 deployment patterns. Deploy that in
02:48 huge scale so if you have the
02:51 cloud behind you, if you know we're
02:53 running in a Kubernetes sort of
02:55 infrastructure,
02:56 you can dynamically scale out across
02:58 resources
02:59 and we deliver all of that
03:01 great tech stuff behind the scenes
03:04 on top of offering very customer-centric
03:07 workflows
03:08 around things like enterprise
03:10 authentication,
03:11 DevOps, IoT, document signing, and some
03:14 things we'll talk about later.
03:16 In all of this you know it's backed from
03:19 a PKI perspective with HSMs and we
03:21 have
03:22 very tight integrations with Thales. So
03:24 it's all about
03:25 making it easier for customers to deploy
03:27 that scale.
03:29 That's right. Deploy and use,
03:31 because what we saw in previous
03:33 platforms was
03:34 that customers would try to
03:36 use a generic PKI platform to solve
03:39 all kinds of needs I just
03:41 mentioned, and they'd run into trouble
03:43 because
03:44 one platform can't be built to solve all
03:46 of those things. So when you look at the
03:48 actual customer-centric perspective for
03:50 how they're trying to solve things,
03:52 meet them there with PKI, all of a sudden
03:54 you've got some magic and
03:55 and that's where we saw
03:57 lift off. Okay so it's about deploying
04:00 and managing once it's deployed.
04:02 Yeah, excellent.
04:05 So how does that tie into the HSMs?
04:08 That's a super good question. So we’ve
04:10 got a little screenshot here.
04:11 This is one of the areas we're super
04:13 proud of. In the product stack the
04:15 the first HSMs that we implemented and
04:18 integrated with
04:19 were the Thales HSMs, and you can
04:21 actually see in the screen here
04:23 some of the SafeNet provider setup.
04:25 But not only did we integrate with those,
04:29 we also you know provided
04:32 really rich management. We have a pretty
04:35 industry-
04:35 leading web console where you can
04:37 actually configure the HSM, you can
04:39 configure HA groups, you can
04:41 do all sorts of HSM management very very
04:43 easily
04:44 from the web page right inside the
04:46 Kubernetes console,
04:48 deploying into a containerized
04:50 infrastructure
04:52 mapping back to your Thales HSM for that
04:54 strong key protection
04:55 and providing powerful roles and rights
04:57 and access controls around
04:59 policy driven access to that. So
05:02 from a foundation
05:03 you can deploy strong trusted PKI root
05:06 certificates ICAs etc. protected in the
05:08 HSM,
05:09 and then upstream in the different
05:11 workflows in the application.
05:13 Customers are able to consume that and
05:14 use it without having to worry about all
05:16 that HSM
05:17 layer or configuration, they can get to
05:19 work.
05:21 So I guess PKI and HSMs and
05:24 that foundation they go together
05:26 that protection of that key
05:29 and keeping it easy for the deployment
05:31 and
05:33 the management of that is
05:36 important. Yeah that's right, and in all
05:38 of our use cases that key protection is
05:40 absolutely critical.
05:42 You know we have many government
05:43 types of use cases, large industry.
05:46 You know there's different
05:48 ways people are using this and they want
05:49 to ensure the integrity of trust for
05:51 their systems.
05:52 All right, and I guess when it gets to
05:56 that
05:57 making it easy, it's making it quick to
06:00 deploy as well.
06:02 It is. One of the
06:04 benefits that we
06:06 have seen is you know we had a system
06:09 and some customers still have it out
06:11 there
06:11 that was on-premises and a very
06:15 traditional
06:16 Windows install
06:17 architecture, get a database
06:20 running behind it, and cluster
06:22 and configure and do all these things.
06:24 It took us with our customers often
06:27 times
06:28 10 weeks. You're
06:30 talking two and a half months in some
06:31 cases to
06:32 deploy and configure and get to a
06:35 usable PKI system. That's a lot of
06:38 time. That's a lot of opportunity cost.
06:40 Now with the modern PKI we're doing this
06:44 in minutes not months, and we have the
06:47 ability to,
06:48 you know if you already have
06:49 a Microsoft Azure cluster,
06:51 Kubernetes cluster or something
06:52 configured, you can deploy into that
06:54 pretty much instantaneously. You can
06:56 connect that with a Thales HSM
06:58 and you can be up and running
07:01 within an hour,
07:02 and now from a customer perspective they
07:05 can
07:05 test the system. They can test
07:07 integrations. They can you now forget
07:09 about all of that heavy lifting
07:11 and get to work using PKI almost
07:13 immediately,
07:14 and that really helps out everybody.
07:19 Yeah that certainly does when you
07:21 can do things quickly,
07:22 get rid of all that I'll call it
07:24 baggage, and deploy quickly, test quickly.
07:27 That certainly helps. Now we talked
07:29 about
07:31 or you mentioned earlier,
07:33 the high level value of PKI
07:35 and for authentication encryption and
07:37 integrity,
07:38 how do you break that down into the more
07:40 real world use cases that
07:42 it fits into. Yeah I mean I
07:45 could go
07:46 for a half hour on this slide, so real
07:48 quick I think
07:50 at its core DigiCert is providing easy to
07:54 use PKI. We're doing that through
07:55 automation
07:56 where PKI is unseen. You know our
07:59 customers tell us that's where it's most
08:01 valuable. It's seamlessly
08:03 working and it's not burdening people. We
08:05 see
08:06 five major groups of use cases
08:08 and we have workflows built around these.
08:10 Servers - you know your typical
08:12 kind of web server, the key
08:14 management associated with web server
08:16 where Thales comes in
08:17 in those perspectives too. User - so
08:19 if you think about enterprise users,
08:21 email security like S/MIME,
08:25 synchronizing keys across multiple
08:27 applications, mobile devices,
08:29 laptops, iPads, authentication,
08:31 and MDM. Those sorts of activities all
08:34 have PKI powered behind it for
08:36 protection of those assets.
08:38 so Brian, with the servers and the
08:40 users it's really about
08:42 ensuring the identity of those different
08:44 things.
08:45 Yeah, identity for the web
08:48 server
08:49 use cases absolutely, mobile devices,
08:52 authentication, email,
08:54 there's
08:55 identity in there. Email also is about
08:57 encryption of those messages
08:59 and tampering with.
09:00 Protecting that data too.
09:03 You look
09:05 forward then like document
09:06 signing use cases where we work in
09:09 the EU,
09:10 like eIDAS and qualified
09:12 signing and
09:13 Adobe integrations for consumer
09:16 solutions
09:17 where we're able to do individual mass
09:18 signing regulated, where we're
09:20 implementing these flows to allow people
09:22 to get these documents signed and use
09:24 third-party systems to do that,
09:25 and we're providing that key management
09:27 underneath and we're making all that HSM
09:29 management and all those components
09:31 pretty seamless for those customers to
09:33 consume it.
09:34 From a device management perspective in
09:36 the lower right if you think about IoT,
09:39 we do everything from the chip
09:40 manufacturer in the supply chain where
09:42 they're fabricating chips,
09:43 through the device manufacturer in
09:45 factory and injecting credentials or
09:47 identities
09:48 into devices, authentication into devices,
09:50 to when a device gets fielded
09:52 and needs to be updated and firmware
09:55 needs to be signed and things like that.
09:56 We cover that whole spectrum of those
09:58 those use cases and I think that's a
10:00 highlight that those use cases are very
10:01 different than the others. Yeah, and that
10:03 seems to be a growing area with more and
10:06 more
10:06 connected devices from phones to smart
10:09 home to
10:12 even printers and things like that.
10:14 Everything.
10:16 Airplanes. So everything in there
10:19 and then last but not least is DevOps
10:21 which
10:22 you know it's just such a growing area
10:24 with cloud transformation these days.
10:26 Customers changing the security
10:28 perimeter of their infrastructure to
10:30 include the cloud. They want to ensure
10:32 the integrity of containers
10:34 workloads. They want to ensure the
10:38 identity of those things as well
10:40 so that they can have trusted systems
10:42 running in maybe third-party operated
10:44 data centers or cloud environments while
10:48 managing the secrets and the privacy
10:49 related to
10:51 how developers or
10:53 the SRE teams are deploying software,
10:55 and so we have very tight
10:56 integrations to automate all of these.
10:59 Yeah, and I think in the world
11:01 security is being built in by the
11:03 developers, so you need to
11:04 have this sort of nice workflow built in
11:07 with them. It's not added on after the
11:09 fact anymore.
11:10 Yeah, that's right.
11:12 You can skip to the next one where we
11:14 talk a little
11:15 bit about that. So to that point,
11:17 it's a great segue
11:18 from the developer
11:20 perspective. Just starting down there
11:22 those integrations we have for that
11:23 automation is right into the things like
11:25 the IDs that they're writing code in,
11:27 right into the
11:28 Kubernetes and Docker management
11:31 systems that they're using things like
11:32 that,
11:33 and you go around you know kind of
11:35 the circle here.
11:36 There's all of this third-party
11:38 technology in all these PKI use cases
11:41 where PKI's being used,
11:42 and we just have these integrations to
11:44 them where we can help manage
11:46 whatever it is
11:47 related to some of the key
11:48 aspects of the usage of them to the PKI
11:51 deploying certificates and
11:53 allowing identity access or encryption
11:55 in all these places.
11:58 So this really shows a lot of the
12:00 different integrations
12:02 of the solution of the PKI,
12:05 and DigiCert and the HSMs
12:08 with
12:09 other third-party products and how it
12:11 ties in. Yeah, that's right, and in devices
12:14 down there, just as an example like you
12:15 see Thales down there.
12:17 You know, that's a great example of where
12:19 we work together because
12:20 in that device manufacturer segment for
12:23 IoT
12:24 where you know somebody's producing a
12:27 device,
12:28 oftentimes they want the PKI system in
12:30 that
12:31 factory or in the network of the
12:33 factories, and they also want the HSMs
12:35 there.
12:35 They want full key sovereignty
12:37 protection,
12:38 data sovereignty as things are going
12:41 into devices to be
12:42 sent out into the world. It's a
12:44 great way where the combination of all
12:46 these technologies come together to
12:47 really solve a meaningful problem for
12:49 those guys.
12:50 So that that segues nicely
12:53 into
12:53 different deployment options and
12:56 where people
12:57 are looking to deploy. You talked
12:59 about sovereignty
13:0 and inside a datacenter, a particular
13:03 factory
13:04 versus a cloud sort of service or
13:07 solution.
13:08 Yeah, so I think when you look at
13:12 you know this is an example of a
13:14 high-level deployment architecture.
13:16 There's so many ways people can deploy
13:18 this
13:18 in so many different scenarios, but I
13:20 think the keys
13:22 of what a deployment looks like is
13:24 right. There's a
13:26 PKI server centrally, and we do
13:28 things with like auto enrollment
13:30 software you know auto enrollment
13:31 itself in Microsoft technologies,
13:34 enterprise gateways that are on-premises
13:36 for customers to control enrollments and
13:38 allow users to tie to
13:40 directories and enroll.
13:42 We have the clients, so Windows.
13:44 Mac,
13:45 all these things that take care of
13:47 that endpoint technology to configure
13:49 the PKI, deploy it, get it into
13:52 software that's using it so that users
13:54 don't have to. If you gave a user
13:55 an S/MIME cert and said go configure it
13:57 across all your devices so that the keys
13:59 work,
13:59 that's never going to happen and so we
14:01 have the software that
14:03 ties in whether it's mobile laptop,
14:05 whatever, to do that and make all
14:07 those things work.
14:08 This is one example
14:10 but all of this
14:11 ultimately is backed where we have
14:14 a Thales HSM in multiple places here
14:17 for our customers when they
14:20 have a solution that is on-premises and
14:22 talking back hybrid, talking back to our
14:24 cloud, they're going to want to protect
14:26 those keys, those communication keys,
14:28 those authentication keys to their core
14:29 CA that's in our cloud
14:31 with the Thales HSM on their end to
14:34 protect how things are authenticating
14:36 and how
14:36 any local key escrows happening, they
14:39 could you know
14:40 store keys and escrow them for any of
14:42 these use cases
14:43 on-premises and work with a hybrid PKI
14:45 deployment.
14:47 And then obviously as we're
14:49 back ending
14:50 an HSM or a PKI as a managed service
14:53 for somebody,
14:54 we have the HSMs using
14:57 providing strong protection for those
14:59 keys related to the root CAs, and the
15:02 signing CAs, the ICAs that customers are
15:04 deriving PKI credentials from,
15:06 it really powers this whole thing.
15:10 Yeah so it looks like lots of different,
15:12 like you said,
15:13 a million different ways how you
15:15 could deploy PKI for all of those
15:17 different use cases with different
15:19 requirements, and it looks like we have
15:21 flexibility here for the customers to
15:23 choose what fits.
15:24 That's right. That's a great
15:26 summary. Okay
15:27 perfect. So when you
15:30 you put all this together,
15:33 why DigiCert and Thales, why Thales HSMs,
15:36 how did they fit into
15:37 work to help solve these
15:41 PKI deployment issues and make it easy
15:43 for customers.
15:44 Yeah I mean it's so foundational
15:47 these two things just belong together
15:49 right.
15:50 If you have the workflows that we're
15:52 providing for things like root of
15:54 trust or you know compliance auditing
15:56 cert management,
15:57 that's all great but unless those keys
16:01 those ICAs, those roots, unless those
16:03 assets are protected
16:05 with an HSM the whole system is worthless.
16:08 You don't have any value, you
16:10 don't have any trust in PKI
16:12 without that strong protection
16:13 underneath it and
16:16 it's not just that PKI or
16:17 the roots and the ICAs like I said,
16:19 it's also you know when customers are
16:21 actually using this
16:22 things like key escrow and some of these
16:24 other areas where
16:26 you're generating PKI assets and you
16:27 need to securely store them
16:29 so that somebody else can't access them.
16:31 That's what's underneath this whole
16:33 platform.
16:34 Yeah I guess one of the things with PKI
16:36 is that
16:38 the technology comes down to
16:41 the protection of a root key makes it
16:43 easy to deploy in all the different
16:45 devices or entities or
16:47 or,
16:50 devices or identities trust
16:52 each other, but
16:54 it relies on that one key and so
16:57 making sure that well protected
16:58 is really important.
17:00 Yeah exactly and I guess compliance
17:03 sometimes comes into play too but
17:04 depending on the use case.
17:06 Yeah I mean you look at a
17:08 government or even IoT where they maybe
17:10 have some regulations they need to
17:12 produce devices with,
17:13 in a lot of cases there could be
17:14 regulatory components for how they need
17:16 to manage data and
17:18 encrypt it and sign it and store it and
17:21 provide access to it and it's integral
17:23 to what we're providing.
17:26 Absolutely, and I guess from a cost
17:28 perspective if it's quick to set up and
17:30 easy to set up then that
17:32 certainly reduces the cost. Yeah that's
17:34 right. I mean the fact that we can
17:36 deploy so quickly and get customers
17:39 connected, we've got
17:40 all these standard protocols SCEP, EST,
17:44 CMPv2, ACME, all these things
17:46 built into the platform so people can
17:48 get going
17:49 really quickly. That allows them to
17:52 get in,
17:53 scale use this thing and do this
17:57 at record setting pace
17:59 that we haven't had before so that their
18:01 time to value has just
18:04 decreased so dramatically that they can
18:07 immediately
18:07 judge what the system
18:09 is going to do for them. Absolutely,
18:11 and I guess from we mentioned,
18:14 easy to set up but also continuing the
18:17 management and the auditing and the
18:18 reporting of that,
18:19 that's a really important part to it and
18:21 making sure that
18:22 is easy to do as well. Yeah, I mean it's
18:2 always a piece where you have
18:27 regulation, where you have PKI,
18:29 where you're providing roots of
18:30 trust, you need to have that
18:32 auditability. You need to
18:33 have the ability to produce and
18:36 demonstrate that for third parties or
18:38 internal parties that are interested in
18:40 how you protected these assets and
18:42 ensuring that you do have trust and
18:44 that's where certificate management
18:45 comes in.
18:46 So on top of all of these great
18:48 things we talked about
18:49 having all those protocols, having all
18:51 these workflows, having the auditability,
18:53 the strong key protection,
18:55 that ties it all together so that
18:56 ultimately below this layer of PKI you
18:59 can manage the certificates inside of
19:01 all these workflows customers are using.
19:04 Awesome. So that's a really great
19:06 overview of how DigiCert and Thales have
19:08 been working together to
19:10 to make it easy, make PKI
19:13 easy for our customers. We've got
19:16 some information here that if
19:18 you want any more
19:19 information there's a nice solution
19:22 brief talking about
19:24 DigiCert and PKI management. We've got
19:27 some information on the integration
19:29 of DigiCert and Thales HSMs and
19:34 some more general information in
19:36 general, and links here
19:38 if you want to go and look at some
19:40 of the other TalkingTrust
19:42 videos. So I'd like to in closing
19:46 bring us back to our faces.
19:49 I'd like to thank Brian for that
19:52 excellent talk and information
19:55 on PKI
19:56 and HSMs together from DigiCert,
20:00 and like to thank everybody for
20:03 listening
20:03 and watching and hope you have a good
20:05 day. Thanks for having me.
Secure PKI Management solutions with DigiCert® and Thales - Solution Brief
DigiCert, the world’s leading provider in PKI solutions, has teamed up with Thales, the worldwide leader in data protection, to provide a joint solution for authenticating and encrypting user communications, systems, emails, documents, websites and servers.
Securing Emerging Technologies with Thales Luna HSMs - Solution Brief
In today's digital world, enterprise and government are in a state of flux. Organizations are optimizing by taking workloads to the cloud, or forging ahead transforming, taking advantage of a wide variety of emerging technologies. They are revisiting their strategies due to...
Luna Network HSM - Product Brief
Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance and...
DigiCert Platform 8 with Thales HSMs - Integration Guide
This document describes the installation and configuration steps for SafeNet Network HSM to be used by the DigiCert PKI Enterprise Gateway and Autoenrollment server.