Free Trial
Contact Us
Podcast

Root Causes 222: Consolidation and PKI Solutions

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
May 11, 2022

Vendor consolidation is an important topic in IT security. As the scope and variety of threats continues to increase, we have seen a proliferation of point solutions and features, and a resulting desire to reduce that vendor footprint or at least facilitate using them together. In this episode we discuss this trend and how it specifically affects PKI and digital certificates.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanWe want to talk about vendor consolidation and PKI.
Jason SorokoJason SorokoI think we should talk about vendor consolidation as a whole because this is big in the industry right now and then talk about maybe what it looks like or what the real term should be when it comes to PKI.

I think vendor consolidation is incredibly important right now as a topic for CIOs, CSOs, anybody in the IT procurement. If you're in enterprise or government, you just have a lot of tools to have to deal with. You really, really do. And part of the reasoning for that, to me, is a really positive thing because a lot of very nimble companies have popped out in the last two or three years to help to solve very, very specific problems, and a big chunk of that has been because there’s all kinds of investor money that has been sponged up by very smart people and spent doing very, very cool innovations to solve really specific problems, and it’s terrific. Really terrific. The problem is, if you're a CIO, you are now being asked to do a whole lot with less, and that less includes staff sometimes or quite often. And so, therefore, how many people do you need to be able to support all those point solutions in-house? It’s just brutal.
Tim CallanTim CallanSure. Well, it’s especially brutal because if there are different point solutions, how do they work together. Are you trying to connect through some kind of API, did you have do some custom development to make them work. Not only do you have more people to support that but fundamentally, the jigsaw-puzzle nature of that just makes the work harder.
Jason SorokoJason SorokoExactly, Tim. So when we bringing it now closer to PKI, bringing it closer to the world that we live in, there’s a number of use cases that float around us that there are a number of point solutions out there, sometimes very good ones. And topics we’ve talked about before such as passwordless, credential vaults, I’d like to bring up any form of authentication tooling that’s out there right now, and there have been a number of really sharp, smart, smaller innovative companies that have popped into the scene and have done some really, really great things. There’s also been some behemoths that have been made, Tim. I’m thinking in the DevOps space companies like HashiCorp that brought together a number of tools that are used by DevOps practitioners and – but if you look at the full scope of what even HashiCorp does, it’s kind of, it’s very specific compared to back in the old days when you had a Microsoft that kind of just gave you the whole platform, and, that was where most of your computing happened, other than maybe really specific application packages such as a CRM or something like that. What I’d like to point out is, I think if you’re a CIO, if you’re CSO, if doesn’t matter what space you’re looking at, what particular needs you have in your company, the need to have to consolidate, to have to figure out, alright, there’s some terrific point solutions that I absolutely need here, but exactly what you said, Tim, how do they work together? And quite often, what a lot of these companies, smaller companies, have not done, because they’re small in themselves, they haven’t put in the time and effort to do the full integration with everything that the CIO needs. And so these point solutions end up needing to be part of custom solutions that are more holistic but sometimes very, very proprietary in that they were either built by expensive PS teams or consultants or sometimes by in-house people within the enterprise, and that’s really hard to support.
Tim CallanTim CallanAbsolutely. I mean, especially even just the fact that you have an ongoing support burden itself is a problem, and then you can imagine the problems that come with what if these things, what if these people move on to different jobs or different roles or different projects, and, is everything fully, properly documented, and in the meanwhile I’ve got other things changing, its integrating this application here to that platform there, and the application and platform both get upgrades. And so you’ve got all kinds of things that can be moving at the same time. It’s not just fixing your own bugs. That’s a nightmare.
Jason SorokoJason SorokoExactly right, Tim. So, I think I’m left now with, as we get closer to really talking about the PKI part of the story, I think the second to last idea I want to bring up is, let’s look at areas that are adjacent to identity and PKI. And so, one of the things that we have seen is a word that I know that you’ve used before, Tim, which is – and isn’t necessarily consolidation but it’s a convergence within the industry. It is basically a number of companies – I’m thinking of Okta’s purchase of, what is it, Auth0. I’m thinking of how I think CyberArk did some of their own acquisitions, and to me it’s interesting how, what was a very, very pure PAM player now has some other capabilities. And, something like an Okta, an authentication SSO company in the cloud now has some other capabilities that look more like an IDP or an IAM, or something like that. And so, that to me is interesting in and around the identity space. But I still see a lot of point solutions. I’m seeing companies that have a lot of very interesting concepts for solutions around SSH Certificates, a lot of solutions around passwordless authentication. There’s a whole lot of applications out there now, software-defined networking, that to me look like VPN replacements. But again, each of these things - it’s not necessarily a larger company that’s kind of converged on itself, these are point solutions that really need to be part of a consolidation more than likely down the road, and I suspect a lot of these smaller companies were built just for that reason alone, to essentially be acquired and good business model because it’s good to be acquired, good to make some money that way. But on the other hand, I think they even realized the best way for a CIO to consume me is through something larger that’s fully integrated.

So then the final point comes down to PKI itself and I think in PKI itself, what are we really talking about here? Well, we’re talking about the certificate life cycle management vendors CAs, people who basically have the capability of setting up private CAs, etc., and what are some interesting areas that those could converge? Because we are really specifically - that part of the industry - is about a specific credential form factor, and that is certificates, x.509 certificates typically. But many of them also have SSH capabilities, and many of them also have some other capabilities and have been focusing on some other use-case areas. So even in PKI, which has remained pretty steady for a lot of years, has been doing some forms of convergence and consolidation. And I think, Tim, that’s going to be a trend we see. I think ultimately the point of the podcast is and sometimes we ask you guys as the audience to consider this, which is, when you're doing procurement in this area, that’s a really good thing to ask your PKI vendor, which is how are you helping me to consolidate my needs as a CIO and as CSO, as a director of IT? Whoever it is that’s doing this kind of procurement, what are the things that you’re are consolidating, what are the things you're converging on, what are your strengths beyond as a platform to help me to not have to do a lot of these other things? What are the integrations that you’ve built for me?
Tim CallanTim CallanI was going to say, out-of-box integration. So, you sort of started with this scenario. You start to imagine a rollup. Big company acquires small companies and integrates their stuff, and then I buy it all from one vendor. We all get that. That’s kind of the one-throat-to-choke thing. But the other point here you're bringing up I think is very valid, is just to say, look we all know that’s not going to happen. There’s not going to be one big giant monolithic company. It’s the only tech vendor in the world, and we probably prefer it that way. But there’s still is a consolidation play here which is, do you have robust, rock-solid integrations with the other pieces that I’m going to need to use? Do you have support for that? Do you have a track record with that? Is that part of your corporate culture? Can I feel that I can count on you for future integrations or to keep these things current as the platforms and the set of applications in this world continue to change? Things along those lines.
Jason SorokoJason SorokoI think you got it exactly, Tim. So, that’s it. It’s kind of a short and sweet message but I think a super important one. I wanted to have a podcast that actually touched on that very specifically because, I think after March 2020 when the world kind of changed a bit - or a lot - I think that this topic is now really top of mind for everyone regardless of the technology that you’re procuring. So, just wanted to hit on it.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud