Root Causes 376: Gartner's New CLM Framework

Tim Callan

So, we have spoken a lot in past episodes about our five pillars model of CLM. It actually started as the four pillars of CLM some years ago and in the intervening time, the ecosystem has changed and caused a fifth pillar to become extremely important and we are now up to our five pillars model. And we've seen this basic approach and this kind of pillars model show up in other places and dialogue and it's kind of gotten out into the the fabric of the discussion of CLM as a whole. So recently, we saw that Gartner - specifically Eric Wahlstrom at Gartner, an analyst there - has published what they call the seven core functions of Certificate Lifecycle Management.

Jason Soroko

That is correct, Tim, and in fact, where he published an important graphic from that Gartner research was on LinkedIn. So that may - - if you go to LinkedIn - -

Tim Callan

That’s where I saw it.

Jason Soroko

- - look up Eric Wahlstrom, you'll see exactly where. So that's why we want to talk about it. There's a lot of stuff that's behind there. You know, you have to be a client in order to be able to look at their research. Eric was able to share one specific graphic, and we wanted to map it to our five pillars, and we also wanted to talk about how it all works together because these seven core functions are not quite the same as the pillars, but they weave in between the important ways in which the pillars work, Tim. And just while you guys are looking up Eric's work, I wanted to mention, the first time we talked about this on this podcast was Episode 143, The Four Pillars of Certificate Automation. And then Root Causes 305 - The Fifth Pillar of Certificate Lifecycle Management. And so therefore, that is what we are referring to.

Tim Callan

Very good. And let's just describe this graphic a little. I know you can't see it because this is an audio only podcast but imagine a semicircle with the flat edge on the bottom and the circular part of the circle, you know, describing a half circle sitting above it. And we've got three concentric tiers and the middle most tier is just a semicircle that says Certificate Lifecycle Management. Pure and simple. And then the next tier out has a series of graphics that are just supposed to represent, like icons that are supposed to represent the outermost tier. And then the outermost tier is evenly divided into these seven segments, and we could walk down what they are. Should I just list off all the segments first, and then we'll go one by one?

Jason Soroko

Let's do it, Tim.

Tim Callan

Okay. Number one - centralized governance and control and decentralized issuance. Number two – discovery. Well, that sounds familiar. Number three - reporting and alerting. Number four - approval workflows. Number five - automation using standard and non-standard interfaces. Number six - delegated administration and self-service. And number seven – well-defined processes.

Jason Soroko

Yeah, Tim. Yeah. There's a lot here. And one of them - discovery, as you mentioned, is in fact the name of one of the five pillars. Exactly right.

So I'd like to walk through in that same order, Tim, and talk about how it weaves in with what we call the five pillars and why they are different and why this is a healthy addition to the five pillars.

Tim Callan

Yeah. It strikes me just off the top of my head, that this is almost an orthogonal way of looking at it.

Jason Soroko

Exactly.

Tim Callan

Right? That they're dividing up the world according to different criteria than we used to divide up the world and that these two models almost sit as a crosshatch of each other. Does that make sense?

Jason Soroko

It does, Tim, let me illustrate that. Okay?

Tim Callan

Okay.

Jason Soroko

Renewal is one of the pillars. Right?

Tim Callan

Yes.

Jason Soroko

One of the five pillars. You do not see renewal here. Nobody listening to this podcast is going to deny that renewal is a pillar of CLM. However, you know one thing we don't call out as a core function though, Tim, of renewal is in fact, automation, which is number five on Eric’s list.

Tim Callan

Exactly.

Jason Soroko

And so you understand now, these things are almost like the how.

Tim Callan

The how. The enablers. Yes.

Jason Soroko

And our pillars are the what. Right?

Tim Callan

Yeah.

Jason Soroko

And so let's go at them one at one at a time.

Tim Callan

Okay, so number one - centralized government and control and decentralized issuance.

Jason Soroko

So interestingly enough, number one on Eric's list, decentralized governance, governance and control and decentralized issuance, that term issuance maps very, very nicely to deployment.

Tim Callan

Yes.

Jason Soroko

And so in other words, deployment should have some connection to governance. And isn't this interesting, Tim. This now is the Nexus point between Eric's model, the five pillars of CLM, and now, the NIST Cybersecurity Framework 2.0.

Tim Callan

Right.

Jason Soroko

Because now this ties together the importance of deployment, the first pillar of CLM, and it also ties it to issuance, decentralized issuance, but centralized control and governance, which is what is essentially super important with regards to implementing CSF 2.0. So I love this number one from Eric and, in fact, it's almost like he got an advanced copy of CSF 2.0 and patted us on the shoulder for getting it right with respect to putting deployment number one. So there's your mapping, folks. It's basically the mapping of deployment.

Tim Callan

Yeah. Yeah. Okay. Number two - discovery.

Jason Soroko

Guess what? Perfect match. Discovery and discovery.

So I would say the reason why it's on this list is because deployment itself is a function as well as a pillar.

Tim Callan

Uh-huh.

Jason Soroko

And that is why Eric chose to put discovery number two, and just call it discovery because, yes, it is, in fact, a pillar. You can't have a CLM without doing discovery but discovery is also the how, right? It's the what and the how, which is why it shows up on Erick’s list.

Tim Callan

Yeah. So, for instance, renewal, you cannot renew certificates that you don't know exist and so if you're going to take something like renewal, and to use your earlier example and say it lays across a lot of these things, right?

Jason Soroko

Exactly.

Tim Callan

And, you know, we see it sits in issuance, it sits in discovery, sits in reporting, approval workflows, automation, probably all of them. Right? And so, discovery is required for renewal to occur in the event of certs that are unknown. Right? Or discovery - - to put it another way, discovery is required for consistent, reliable renewal to occur.

Jason Soroko

Absolutely and it's also - - and this is what's interesting to note. I was going to save this to later, but we're the overarching pillar of CLM and in fact, we call this the horizontal pillar, is visibility.

Tim Callan

Visibility. The capstone.

Jason Soroko

And in fact, the capstone, overarching horizontal pillar of CLM is, in fact, also true for all seven of Eric's core functions as well. So, in other words, discovery, as well as every one of these but especially discovery, discovery is part of the how of that capstone pillar of CLM. So that's even a different way of looking at it.

Tim Callan

That is a different way of looking at it. And if you go to number three, reporting and alerting, visibility is bigger than reporting and alerting, but reporting and alerting are two of the examples that you and I always pull out when we talk about visibility.

Jason Soroko

You got it, Tim. Yeah. So, in other words, guess what everybody? Number three, reporting and alerting and number four on Eric's list, approval workflows. Let's talk about those two together.

Tim Callan

Sure.

Jason Soroko

Now, the fifth pillar, the fifth pillar of CLM is essentially this.

Tim Callan

Yeah.

Jason Soroko

Because what we are referring to in the fifth pillar of CLM are integrations in general, and IT workflow specifically and some of that IT workflow is, hey, I want to know that I have an expiring cert and I want to know from a Slack IM, or I want to know from an SMS messaging, and, you know, number four, approval workflows, I want to be able to make a change and I want my CLM to be smart enough to know that there's an approval workflow to some changes I'm going to make in my CLM.

Tim Callan

Or I want to do that approval in ServiceNow.

Jason Soroko

That is all the fifth pillar of CLM. So three and four, Eric basically took the fifth pillar of CLM and broke it into at least two parts here - three and four.

Tim Callan

All right. Number five – automation. Like that word. Automation using standard and non-standard interfaces. So a standard interface would be ACME.

Jason Soroko

Correct. And non-standard interface - -

Tim Callan

And a non-standard interface would be my CLM agent that I give you and you deploy it in your environment.

Jason Soroko

Yeah. Something proprietary. Could be goodness knows what. It might be an RPA bot. Who knows? Right? It could be non-standard. And that's what Eric saying here. So therefore, he's answering the how.

Tim Callan

Uh-huh.

Jason Soroko

Automation exists in several places inside of CLM and that is deployment.

Tim Callan

Deployment is the most obvious one, right? Without automation, you don't have automated, like, without these interfaces, you don't have automated deployment.

Jason Soroko

Automated renewals and automated discovery.

Tim Callan

Yep.

Jason Soroko

And a lot of goes on - -

Tim Callan

Automated replacement. Right?

Jason Soroko

You got - - Tim, so in other words, what Eric is doing here is answering the how in at least four of the five pillars of CLM.

Tim Callan

Yeah, yeah. And I mean, automation. You can't ignore automation. Without automation, what do you have? It's a ghost of what it would be otherwise.

Jason Soroko

The pillars of CLM imply it. Eric's orthogonal view answers the how, and the how has to show automation.

Tim Callan

Number six - delegated administration and self-service.

Jason Soroko

So, an important part of Certificate Lifecycle Management is people have to use the tool and quite often there are complexities in I want specific users to have specific rights within the CLM and that is essentially delegated administration. I find it interesting that he could have actually broken this out into a separate core function, but self-service - It is tied to delegated administration, but self-service is something that a lot of people are not used to in Certificate Lifecycle Management because most people are either buying onesie-twosie certificates, and maybe just getting some light visibility to the cert or they are on the enterprise side of things and they're going through a salesperson, and they're being set up by sales engineers and professional services, etc. I think, Tim, we are entering the era and Eric is, you know, has his finger on the pulse, you're gonna see CLM start to be more self-service. And let me tell you why I think why, Tim.

Tim Callan

Okay.

Jason Soroko

I think 90-day and, by the way, he mentions this, he specifically calls out shortening certificate lifespans in his notes to this that he published publicly on LinkedIn, but if you go down to 90 day, Tim, there's gonna be an entire class of customers that have never been addressed yet that are going to need CLM.

Tim Callan

They're going to need some kind of automated solution. They can't do it manually anymore.

Jason Soroko

Yeah. And so I don't think there's anybody who's scaled up to handle that by individual salespeople. In other words, the traditional CLM sales model, and therefore, self-service is going to be necessary, because I think you're going to start to see CLM everywhere. And so self-service becomes the how we're going to scale it.

Tim Callan

Now, I think there also is another aspect of self service, right - and tell me if you agree with this - which is, even inside of that enterprise model that you were discussing before, where there's centralized control, there still is a self-service aspect of that, because I am a particular SysAdmin; I'm in a particular environment; I identify the need for certs. That's not done by the Office of the CIO. That's done by me.

Jason Soroko

That's correct.

Tim Callan

And then at that point, I have to determine what certs I need. I have to request them and when they come back, they either need to be automatically installed for me if that's possible, or I need to go the last mile and get those things installed. And so either way, it's a blend of centralized command and control with these spokes out at the outside, which are the humans that touch the endpoints, who actually have the feet on the ground knowledge of, okay, I need a certificate because I'm creating this application and I’m standing this service up on this date.

Jason Soroko

Tim, you are dead right. You're talking about development people, you're talking about operations people, you're talking about people who are at the forefront of building things, and who are in need of being able to get certs to where they need to go from whatever source they come from. And so therefore, you're talking about a new age in which you either had to call in professional services - and I think this what Eric is signaling the beginning of the end of is that age of charging professional services and that's where your business model for CLM is. They may be coming to an end.

Tim Callan

Yeah.

Jason Soroko

And additionally, people want to use their CLM differently than they did before and there needs to be more autonomy and more self-service for exactly the reasons you just said.

Tim Callan

Yeah. So, I'm out there in the business units, right, and I have a need for certs and either I'm just gonna go by them, and I'm going to be rogue and shadow IT and all these words that we use and that's where pillar number two – discovery - has to go remediate the problem, or better, my life is going to be easier if I actually use the centralized system and I put in my request, and I get my cert, and then somebody else is managing renewal and has visibility and somebody else is settling standards for certificates that they must follow and choosing, you know, allow lists and block lists of CAs, and getting volume pricing deals and all of the stuff that only a centralized certificate administration function can accomplish. And having the two of those, like running together in tandem really is, I think, the optimized model for the large enterprise.

Jason Soroko

It is. It is. And so this applies to everybody. And, in fact, it applies in different ways, depending on how you look at it. So number six is one of the most interesting ones on this list, because it could mean different things to different people, and I think it's going to become increasingly important to everyone.

Tim Callan

Right. And then number seven, which I think we've already touched a bunch of times without using the phrase is well-defined processes.

Jason Soroko

Interesting that I think even Eric, if we were to have him on this podcast, he might admit this might be his horizontal, right? Because I think that, well, every one of his previous six actually could be defined with number seven – well-defined processes. I would say it could also mean some other things as well, which is giving people who are using CLM, Certificate Lifecycle Management, the ability to actually have more control to map their processes to the way their CLM works. So, in other words, there are aspects to number seven here, core function, well-defined processes, that actually are deeply involved with how you are doing custom work and custom integrations with the fifth pillar of CLM integrations. But I'd argue that well-defined processes are horizontal to all the previous six.

Tim Callan

Absolutely. And this is fundamental to a CA at all or a PKI at all. Right? I mean, there is a certificate practices statement that a good PKI will have that defines exactly what you're going to do and not do. And so you know, without well-defined processes, PKI in particular, certificates in particular, are really vulnerable.

Jason Soroko

Yeah. You got it, Tim.

Tim Callan

All right. Well, there you go. So once again, I think what have we learned once again - NIST and Gartner and everybody else clearly, they're paying rapt attention to what you and I have to say, right, Jay, and using that to govern their own worldviews. But I do think, joking aside, that it is interesting, and valuable to see the amount of attention that is coming around, dissecting and characterizing and understanding and ultimately prescribing practices for the CLM market. Right? Where just a few years ago, there was no thinking on this at all. When you and I first started talking about this, nobody had a model for it and now we see multiple models and I think that shows how much maturity has come to this industry in a pretty short period of time.

Jason Soroko

Tim, I really like that we're coming down to what is Certificate Lifecycle Management and I think we've been on the right side of history, in terms of carving out what it is not, and getting much closer to what it is. And I think this functional model from Eric really helps to weave in that orthogonal view, as you say, of the how of the pillars, and I think people were waiting for this and now here it is. So congratulations, Eric and Gartner and anyway, I'm glad that you published that publicly so that we at least could refer to it on this podcast.

Tim Callan

Absolutely. And I'm glad we talked about this. I think it's important. And thank you very much, Jay.

Jason Soroko

Thank you, Tim.

Tim Callan

This has been Root Causes.