A group of Sectigo’s senior leaders, including Bill Holtz (CEO), Tim Callan (Chief Compliance Officer), Edward Giaquinto (CIO), Jason Soroko (CTO of PKI), and Alan Grau (VP of IoT), met to discuss a few of the cybersecurity trends that have impacted us in 2020, and how those trends might evolve in 2021. Part two of that discussion is below, and touches on topics including security regulations, quantum computing, and the importance of certificate agility.
MODERATOR: Thank you all for joining me again, and welcome Bill and Tim—I’m glad you were able to join us this time. Bill, let’s start with you. You’ve talked about the fact that traditional username and password credentials are a particularly unreliable form of security, and about the idea of a “passwordless” future. Do you still feel that we are headed for a future where passwords will be a thing of the past?
HOLTZ (CEO): I do believe that, yes. The days when a “strong” password was enough to thwart hackers are—unfortunately—well behind us at this point. Many companies have already begun to phase out passwords in favor of stronger and more reliable methods of authentication, and in 2021 we can expect to see that continue. Companies will shift to passwordless authentication based on public key infrastructure (PKI) to manage identities.
MODERATOR: We’ve touched on PKI a number of times during these discussions, and one thing we should probably talk about is certificate agility. We just saw all of the major browsers decrease the maximum certificate duration, which is in keeping with the recent trend. Tim, can you speak to that trend, and expand on how businesses are improving their agility when it comes to managing their PKI solutions?
CALLAN (CCO): It’s true. The need for crypto agility has been on the rise in recent years, and this will continue to be the case in 2021. As enterprises watch their total certificate volumes go up and average certificate duration go down, they’re going to need help managing those certificates. Manual certificate management is incredibly burdensome and time-consuming when you have the volume of certificates that today’s businesses use, which means they will need to explore software solutions for maintaining secure PKI and reducing the risks associated with certificates, including unexpected expirations and forced revocation events. The good news is that today there are better, more reliable automatic certificate management systems than ever.
MODERATOR: On that note, let’s talk Zero Trust. Zero Trust is still a bit of a nebulous concept to some people—Jason, can you talk us through what it really means?
SOROKO (CTO of PKI): Of course. It’s important to understand that you can’t just go out and buy “Zero Trust.” It doesn’t work like that—Zero Trust is a set of principles, not a singular product. It’s essentially based on the idea of providing the minimum amount of access necessary for someone to do their job or complete a task. Technologies now are carefully crafted to align with these principles to meet Zero Trust architecture, and we can expect to see a trend toward the integration of these tools as organizations look to make their customers’ lives easier.
MODERATOR: That makes sense. Let’s move on to another topic that most people are still working to wrap their minds around: quantum computing. Tim, I know you have strong feelings about quantum computing and the impact that it will have on cryptography, so why don’t you start us off?
CALLAN: My pleasure. Enterprises are becoming acutely aware of the fact that quantum computers are soon to make our existing encryption obsolete. It’s happening sooner than you might think. In 2021, IT departments should be creating transition plans for the new, quantum-safe algorithms expected in 2022.
GRAU (VP of IoT): NIST actually announced the completion of the second round in its selection of quantum-safe crypto algorithms. The initial pool of algorithms has been narrowed down to 15 algorithms, which includes seven “finalists” and eight “alternative algorithms.” The finalists are the most promising general-purpose algorithms, and the candidates either need more time to mature or are tailored to specific applications. Tim alluded to the fact that NIST expects the third round to be completed in 2022 with the selection of several standard algorithms.
CALLAN: Right. But even once those algorithms have been selected, it will be critical for businesses to discover and categorize the full set of certificates in use and implement automated management solutions. That way they’ll be able to replace them efficiently and error-free.
GRAU: And that’s why it’s critical right now: commercial deployment of quantum-safe cryptography is no longer a long-term consideration. Enterprises will spend much of next year educating themselves about quantum-safe crypto and looking to security vendors to provide education and proof-of-concept solutions that enable them to experiment with integration of these solutions.
MODERATOR: It’s definitely interesting to see quantum computing enter the mainstream. Before we wrap up, I wanted to discuss a couple of IoT-related topics. Alan, the number of IoT devices on the market continues to climb, and regulators are finally targeting some of their known vulnerabilities, correct?
GRAU: That’s right. Government and industry groups have enacted IoT security legislation and standards to help prevent the most common IoT security threats. To avoid costly fines or loss of reputation, we will quickly see IoT device manufacturers implement stronger security solutions in their devices. OEMs will look for vendors to provide device authentication solutions and security platforms that comply with these emerging standards.
MODERATOR: Will that include PKI?
GRAU: Absolutely. We expect to see a significant increase in adoption of PKI in IoT devices, especially in connected cars, medical devices, and equipment used in critical infrastructure. Remote work has helped enterprises realize that any endpoint represents a potential entry point into a network. Whether that endpoint is a connected car, a personal laptop, or an industrial control system, it needs to be protected. And PKI just works.
MODERATOR: Thank you so much for your time and your expertise, everyone. Looking forward to welcoming in the new year with all of you!