CTO Interview – Sectigo’s Jason Soroko on the Future of Digital Identity
Wed 31 Mar 2021 | Jason Soroko
A lot can change in 12 months and nowhere is that more the case than in the Enterprise IT environments anchoring business throughout Covid-19. With workers accessing data, software and systems from a swathe of new devices outside traditional network perimeters, establishing Digital Identity – both for employees and the servers they access – has become priority number one for security leaders.
In this Q&A, we talk with Jason Soroko, CTO of PKI at Sectigo, parent organisation of SSL247, which it recently acquired. Soroko explains the importance of Public Key Infrastructure to Digital Identity and its centrality to Zero Trust Architecture.
Enterprise IT environments have evolved dramatically in 2020. How has Public Key Infrastructure (PKI) evolved to meet the new use cases?
Mobility and the cloud have been major drivers to put digital identities everywhere. Digital transformation has led to the proliferation of digital identities needed to secure transactions across hostile network boundaries. Zero Trust Architecture (ZTA) principles have PKI at their foundation. Certificate management is more important than ever.
In which use cases is PKI most relevant?
PKI has become ubiquitous in many computer systems. From normal human authentication for IT systems to web servers, PKI has served its original purposes well. But lately PKI has been found to be an ideal technology for security in DevOps, IoT, and even credit cards and passports. Digital identities have proliferated and PKI is a proven and adaptable technology to meet the challenge.
What is digital identity?
A digital identity defines a trust boundary. In effect, identity has become the new security perimeter. When an enterprise employee logs into a CRM, that action requires two trust boundaries to be defined. At a minimum, the human user needs a digital identity as well as the CRM server so that they can mutually authenticate each other, which is also true for IoT devices and DevOps containers.
How do you manage the lifecycle of digital identity?
Discovering, issuing, provisioning, renewing and revoking are all pillars of the digital identity lifecycle. With the proliferation of digital identities due to digital transformation trends, these lifecycles and their related technologies are increasingly complex. PKI has risen to the challenge of managing this complexity.
What are examples of major outages due to unmanaged certificate expiry?
Most recently in February 2021, Google Voice had an outage due to a certificate expiry. O2 and Microsoft Teams had major system outages due to the same problem: a certificate expiry that was unmanaged. It is simply too risky to leave certificate lifecycle management to human administrators. Certificate automation solves this.
From a technology standpoint, what does PKI enable?
PKI enables encryption, signing and authentication. Encryption can be of data at rest, or in motion. Document and code signing protects the integrity of both the document itself as well as the identification of the originator. Authentication is fundamentally important to ensure the client and server of any transaction mutually know who each other are.
How are digital identities used in IoT?
A digital identity for an IoT device can act as a birth certificate for the device, giving important information about the authenticity of that device. Software on the device is ideally code signed, to protect the integrity of the device’s instructions. Devices also authenticate themselves to other devices and systems.
How are digital identities used in DevOps?
A major technology in DevOps is containerisation. Container orchestration technologies utilise TLS certificates issued from certificate authorities in order to authenticate. It is also important to protect the integrity of the code in containers, using code signing.
How do I manage trust in a multi-vendor ecosystem?
From the beginning, one of PKI’s strengths was to define trust models. It is increasingly becoming important for systems and devices from different vendors to interoperate. PKI enables a hierarchy of trust within a defined group of third-party vendors. Modern PKI enables the management of that hierarchy and control over certificate policies.
How is PKI a foundational pillar of Zero Trust Architecture?
NIST’s guidance on ZTA names PKI as one of the pillars of Zero Trust. ZTA is a set of principles that puts the concept of authentication and encryption of data in motion at the forefront. In contrast to the principle of ‘everything behind my firewall is safe’, ZTA forces us to think about our own enterprise networks as a hostile environment. That means every node needs to be able to authenticate and securely communicate, which requires a digital identity.
- To find out more about the topics discussed in this Q&A, please visit https://www.ssl247.co.uk/pki
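The outages Soroko attributes to unmanaged certificate expiry are the kind an automated renewal check is meant to catch before they happen. The following is an added example, not Sectigo's or SSL247's code: it uses only Go's standard library to classify a certificate against an assumed 30-day renewal window, exercising the check on a constructed self-signed certificate instead of one fetched from a server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// CheckExpiry returns "ok", "renew" (inside the window) or "expired", plus whole days left (negative once expired).
func CheckExpiry(cert *x509.Certificate, now time.Time, window time.Duration) (string, int) {
	remaining := cert.NotAfter.Sub(now)
	days := int(remaining.Hours() / 24)
	switch {
	case remaining <= 0:
		return "expired", days
	case remaining <= window:
		return "renew", days
	}
	return "ok", days
}
// NewTestCert builds a constructed self-signed certificate standing in for one fetched from a server or inventory.
func NewTestCert(notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // round-trip through DER, as a scanner would see it
}
func main() {
	// Constructed scenario: issued 1 Mar 2021 for 90 days, checked on 10 May 2021 with a 30-day window.
	cert, err := NewTestCert(time.Date(2021, 3, 1, 0, 0, 0, 0, time.UTC), 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	status, days := CheckExpiry(cert, time.Date(2021, 5, 10, 0, 0, 0, 0, time.UTC), 30*24*time.Hour)
	fmt.Printf("status=%s days_left=%d\n", status, days)
}
```

In an inventory sweep the same function is run over every discovered certificate, and any "renew" or "expired" result is what triggers automated issuance rather than waiting on an administrator.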