Root Causes 301: The Difference Between Certificate Automation and CLM

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  So, Jason, you and I, on this podcast, talk a lot about certificate automation and in fact, I’d have to doublecheck this, but I think we mentioned it in our very first episode. So, I think it goes back to the very beginning but if not, really close to that. And we also more recently have been talking about Certificate Lifecycle Management – CLM. And CLM, of course, is an industry term that has really kind of come into common use during the tenure of this podcast. In the early days, people weren’t saying CLM and now they are, and we’ve adopted that term as the industry has adopted that term. In all that discussion, it may seem to the listener as if these two terms are more or less interchangeable. But they are not interchangeable are they, Jay?

• 

  Jason Soroko

  They are not the same at all, Tim. I would say that the best way to explain this is that automation comes down to a subset of CLM pillars whereas, if you take a look at the pillars overall, visibility being the horizontal capability of certificate lifecycle management. If you don’t have visibility to your certs, you don’t have CLM and you have important input to visibility. One of the pillars of CLM is discovery. Without it, you don’t really have CLM. But, neither of those things is automation. Automation comes in whenever you are talking about provisioning, moving the cert around, renewal. When we are talking about certificate lifecycle management, those are pillars of certificate lifecycle management, but they can potentially include automation. That’s where automation actually fits.

• 

  Tim Callan

  Automated installation of your certs, by way of example; automated renewal of your certs, by way of example, those are clearly cases where automation is vastly important. But at the same time, there are plenty of people who are in a hybrid environment where, let’s say, most of my TLS certs can be installed automatically using ACME but some can’t and so I’m automating 90% of it and I’m dealing with the other 10% the old-fashioned way. So, provisioning is not fully automated but it’s mostly automated by your CLM, and the ones that aren’t automated you still have visibility. You can see what they are, you can see what they do, you can get a warning or an alert if you are coming down near the last day and you know you have to deal with it. So, the capabilities of CLM that are valuable can extend beyond simply automating these things. And I think that was your point, right?

• 

  Jason Soroko

  Exactly right, Tim. Let’s name off the pillars. There is the horizontal pillar of visibility, deployment, discovery and then there’s the third – revoke and replace – and then, of course, renew. And I would say automation fits on three of those: deployment, revoke and replace, and renew. Those three pillars are where automation is possible. It’s not necessary but it is possible.

• 

  Tim Callan

  And greatly valuable and widely used.

• 

  Jason Soroko

  I would have to say, Tim, what is the reason for this podcast? And I have to answer, it’s mostly this. It has to do with the fact that the Google 90-day maximum certificate lifecycle, I would have to say it basically means that if you had nothing else you need to have automation on the deployment, the revoke and replace and the renewal because otherwise, every quarter or less – probably less – you are going to have to be doing these kinds of activities. So, therefore, automation to be able to make those costly and risky activities go away in terms of it being a risky problem and not have your site go down because of an expired certificate, and have the risk of that outage every 90 days or less. It’s very important to note that when we are talking about CLM and you say, geez, I think I need Certificate Lifecycle Management and you might have another person across the table from you saying, well, I don’t need CLM. What I really need is automation. Well, the thing is, you need both and the way to think about CLM is that three out of the five important aspects of CLM can and should be automated, Tim.

• 

  Tim Callan

  I think the two feed each other. CLM enables automation, first of all because it’s a platform that can do it for you, but also, like you talked about, visibility. Visibility is very important to automation. You’ve got to learn what you have. You discover your certificates. You bring them into the platform and now you are able to automate their renewal. Without knowing what they are you can’t automate their renewal. So, CLM enables automation, and vice versa is also the case, and you made a very compelling argument for this. That without automation, the value of these pillars goes down vastly. And visibility, that capstone that sits on the top of the four pillars, is very much enabled by automation. If I have certificates that are in the automation cycle and they run through automatically, one of the things that happens is they show up in your reports. They show up in your dashboards. So, visibility itself also depends on automation and the two really are very synergistic. They each make the other stronger when they work together in kind of integrated platform approach.

• 

  Jason Soroko

  Tim, let me argue that it’s really useful to talk about this in a real world way because we’ve broken it down now so far in industry speak about what these pieces of certificate lifecycle management and automation actually are. We’ve defined the difference, but I think what might be helpful to really get down into the weeds here. Let’s say that you have shadow IT in your organization…

• 

  Tim Callan

  As we all do.

• 

  Jason Soroko

  It’s just a fact of life and they’ve acquired certificates from a commercial vendor and then you also had some experimentation going on with another vendor. Could be one of the free vendors, you know, ZeroSSL, Let’s Encrypt, one of those, and you might not know all the different certificates that you are using. Hence the need for discovery. Discovery is what feeds visibility and unless you have those things how can you keep track of your unmanaged certificates? Those Let’s Encrypt certificates, perhaps they are automated through ACME protocol, which is a great thing to do, your visibility to them, your ability to discover them doesn’t come from Let’s Encrypt. It comes from certificate lifecycle management which is something that Let’s Encrypt does not provide.

• 

  Tim Callan

  And CLM helps you in that in other ways. For instance, it’s giving you a single pane of glass. If you got ACME, you are only dealing with the certs that are deployed through ACME. With a CLM you can think about all of them. If you are automating through ACME, are you necessarily getting the good visibility and using reports that you need to really understand what is going on? Well, you can, but you gotta write those yourself, right? And so all of things are enabled by a properly featured CLM platform.

• 

  Jason Soroko

  Tim, I would make the argument that even though we obviously are employed by a Certificate Authority, I’ve been saying, you’ve been saying for a very long time, CA agnostic CLM is important and, in fact, remember back in the day, Tim, when Microsoft used to rail against Linux? It almost seems like that was a different age, but I remember that time very clearly. Microsoft clearly lost that argument and now has swung in completely the opposite direction. I think that those of us who have been in this CA world for a very long time always recognize the fact within an organization even of a medium size, it was fairly natural to have certificates from multiple CAs for various legitimate purposes. Being able to dual source from multiple CAs is probably not a bad practice anyway, right? In all honesty. And so, therefore, it just highlights the absolute importance of certificate lifecycle management as a whole - those pillars and visibility, which allows you to see everything, is covering what is the natural order of things within the IT world and in how webservers work and how the web overall is structured. It’s very natural to have certificates from a lot of different places, and you should be able to have visibility to all of it regardless of how you paid for it, what the branding was or any of the other things that are important to you about those publicly trusted certificates. I would say though that because of the Google 90-day announcement that happened recently that importance of automation, that word is just coming up more and more and more.

  And I think this podcast was really all about they are very inclusive words to each other – Certificate Lifecycle Management and automation. We just wanted to put a very fine point on where automation fit and, Tim, you did a good job of explaining how they really do come together as a whole.

• 

  Tim Callan

  Jay, may I also take one more interesting angle on this. So, you started in the beginning, you said that you feel that CLM is a superset of automation and I think that is mostly true but I do imagine that there are examples where automating our business processes is essential to our crypto and our PKI and our certificates that falls outside of the traditional boundaries of CLM. This might be things like ordering certificates, attributing costs to cost centers, certain things you may do in the DevOps world that are certainly enabled by your CLM but are really operating inside that DevOps environment, Domain Control Validation, which is gonna go down to 90 days and it’s gonna be incredibly important that that gets done every 90 days or your certs won’t work and now at that point you want that to be automatic, and maybe some of these things you could argue well, what are the exact boundaries of the CLM and if a sufficiently featured CLM might include all of these things. But, you know, it does reach it tendrils into all kinds of other parts of the organization because certificates are just so foundational and ubiquitous and as such, you start to imagine – and especially as we get down to the 90-day certs – that other parts of your operation probably would very profitably stand to be automated as well or that’s gonna become the bottleneck and the point of pain and the source of error.

• 

  Jason Soroko

  Tim, we didn’t plan talking about this ahead of time. I promise the audience. But we have planned on having another podcast about a new pillar for CLM. And in fact, that pillar has to do a lot with what you just said.

• 

  Tim Callan

  That’s a good topic. I want to get to that. I do agree with you on that for sure but, you know, I think you gotta think about how all of these other aspects of your business, you know, the pressure is going to be on them and what am I gonna do to make sure that runs error free and without sucking up all of my human capital as well?

• 

  Jason Soroko

  I don’t think somebody who is in the business of IT at this very moment could feel that they could function well without automation of a lot of processes in IT, which back in the day when I knew a lot of IT folks on the ground. They didn’t have these kinds of automated functions and the world was right there.

• 

  Tim Callan

  I just want to reference for the audience – you talked about the four pillars of automation. Go back to our Episode 143. 143 was where you and I defined the model of the four pillars of certificate automation and like I said in the beginning, at the time we weren’t even saying CLM. That episode is not called the four pillars of CLM. It’s called the four pillars of certificate automation because that’s prior to the real common parlance of that term. Go back and give that a listen because that explains the viewpoint on all four of those pillars. They haven’t really changed and that’s I think a good bit of prep work for the future podcast you and I, like you said, are intending to record, where we will introduce a fifth pillar that’s worth considering.

• 

  Jason Soroko

  That episode that’s upcoming really is directed at you IT folks who have a lot of processes automated already and you want to know how certificate lifecycle management itself can help and be part of that automation ecosystem that we know you’ve worked really hard on. It’s gonna be a very interesting discussion, Tim, about how automation is a bigger topic even than just this, which is what really you were just trying to point out.

• 

  Tim Callan

  Exactly. So more to come. This is a rich topic. I don’t think we have remotely explored it. I think this is one of the ones we are gonna have to keep returning to and returning to as we not only establish a baseline and then build on top of that but also, as you and I figure out the implications. And I think we are gonna come back and discuss more things that maybe today we haven’t even really thought through all the way.