Q&A with DigiCert
Author: Anders Adolfsson, Versasec Technical Consultant
Versasec integrates with all of your other CAs and we have had a close partnership for a long time. We have invested and since released vSEC:CMS which integrates with DigiCert ONE. The IAM and MFA market is exploding with new inventions and standards, so we wanted to understand what is unique about DigiCert ONE and also your take on PKI's future.
Read our entire interview with Brian Trzupek, SVP of Emerging Markets at DigiCert.
Brian Trzupek is SVP of Product at DigiCert. A crypto and security tech by day and night, Brian brings nearly two decades of expertise on many security subjects to the team. He's constantly innovating use cases for enterprise PKI. He previously worked for more than six years as VP of Managed Identity and Authentication at Trustwave where he helped fight cybercrime, protect data, and reduce security risk. While at Trustwave, he testified before a congressional panel on the Dec. 2013 Target breach. Prior to Trustwave, he was a founder of Creduware Software, Inc., a company that automated credential password and digital certificate renewal and installation, as well as policy-based application monitoring.
Q1: What are the reasons behind launching this new CA?
DigiCert® ONE, more than a new CA, is a modern approach to PKI, a platform that puts the deployment and management of digital certificates where the customers want to be. For too long, this industry has been stagnant. We've revolutionized the way PKI is used in the DigiCert ONE platform across every common use case and continue to add new workflows and functionality, with a focus on portability, flexibility and speed. DigiCert ONE is a container-based platform and built with a cloud-native architecture. Because of this modern design, DigiCert ONE and its managers (workflows) can be deployed in the cloud, on-premises, or consumed as a SAAS product and can be managed by DigiCert or the customer (air gap, customer hardware, private cloud, or public cloud) and elsewhere. The ground-up focus on a cloud-native architecture and expansive use of Kubernetes allow DigiCert ONE to be fully deployed within a Docker environment in an hour, not days or months. This leads to rapid time to value and solving real business problems with the DigiCert ONE managers and workflows.
Q2: How is it deployed?
DigiCert ONE is our most flexible offering yet. With the same code base and deployment patterns, DigiCert ONE can be deployed in customer-managed on-premises or cloud environments, in-country or managed by DigiCert - allowing the product to meet stringent compliance requirements, facilitate custom integrations and address air-gap deployment needs. Organizations may create and manage extremely high volumes of digital certificates quickly using DigiCert ONE's robust and highly scalable platform. A good example of a DigiCert ONE Manager is the Enterprise PKI Manager, which delivers end-to-end centralized user and device certificate management. Our modern approach to PKI provides trust across Kubernetes clusters and dynamic IT architectures in ways never possible before.
Q3: With DigiCert ONE and vSEC:CMS what are the most interesting use cases and market verticals you see?
We meet a number of use cases, including the following:
- Strong authentication and document signing for online banking
- Strong authentication for physical and logical access leveraging the long list of smart cards, USB tokens and virtual credentials supported by Versasec vSEC:CMS
And now, with the flexibility of product deployment scenarios, we can address scenarios requiring key sovereignty, data sovereignty and requirements for nationally based operations.
Q4. What does the pricing model look like?
DigiCert ONE uses a pay-as-you-go model that aligns pricing with usage. This allows customers the scalability and elasticity they desire. Each manager application on DigiCert ONE allows our customers to explore the use cases, select what they need and consume only what is needed.
Q5. If a Versasec customer wants to do email signing and encryption how long does it take to configure and launch DigiCert ONE if you go with the cloud solution?
Once an account has been created for a customer, CA hierarchies can be created via an online portal in minutes, and the customer can issue certificates shortly after. Note: DigiCert ONE does not yet support email certificates off a public/trusted CA chain - it is on our short-term roadmap. We support these use cases with our PKI Platform 8 environment for the time being, which also integrates with Versasec.
Q6. Can customers also use certificates (from the same DigiCert CA) for Windows Domain authentication?
Private certificates can be issued by the DigiCert ONE platform for Windows Domain Authentication and Windows Smartcard Logon. Certificates can be issued from the same private CA used to issue other types of certificate, or from a dedicated CA hierarchy.
Q7. What are the advantages in adding a credential management system such as vSEC:CMS into a PKI project?
CMS providers can tightly integrate their CMS system with DigiCert ONE's platform to issue certificates onto physical security tokens, such as smart cards or cryptographic USB tokens, which can be branded/personalized and used to meet a variety of authentication and document signing use-cases, thus extending into that last mile of certificate usage by our joint customers.
Q8. Why are DigiCert ONE and vSEC:CMS such a good fit?
DigiCert ONE easily integrates with and can be configured out of the box with Versasec vSEC:CMS. DigiCert ONE and Versasec vSEC:CMS share the same technical characteristics and the same pricing model, making them a great bundle. Both DigiCert ONE and Versasec vSEC:CMS deploy in hours rather than days or weeks. This allows for quick deployments for any project, and as needs grow or change, the deployment adapts. Among other things, DigiCert ONE offers the following:
- The most scalable PKI solution from any CA, which can handle mostly anything you throw at it.
- A deployment that makes it easy to comply with government or industry regulations.
- Multiple/flexible deployment models, including full on-premise solution for air-gapped environments, and public/private cloud solutions
- Speed of deployment: dynamic CA and account creation via the admin portal allows for rapid time to value
- Ability to import customer CAs and bring them into management.
- Multi-language support.
Q9. vSEC:CMS makes it possible to integrate DigiCert ONE certificate issuance into Windows Hello for Business (WHfB). What are your thoughts on the potential of this new virtual certificate/key container?
The virtual certificate/key container is a great client-based solution from vSEC:CMS that both companies can offer today to joint customers. We have customers looking for us to support WHfB and this allows us to provide a solution to immediately help them.
Q10. What do you see in the future for PKI?
There are many different options now for identification and authentication, and PKI is growing rapidly and will continue to do so. Digital transformation, including IoT, document signing, improvements in email sender identity and many other factors are leading to the need for highly scalable and proven methods of device and user authentication, integrity of devices and code via code signing, and identity attestation with digital certificates. Add to this initiatives such as the EU and eIDAS-based open banking and identity initiatives, and you find a need for technology that can give cryptographic-based proof that works seamlessly with limited user interaction. With this huge growth comes the need for modern PKI that is scalable, easy to manage, speedy to deploy and portable across all environments, whether on premises, in the cloud, hosted as an SAAS solution, or even for in-country data initiatives. DigiCert ONE accomplishes all of this in a unique way that other solutions cannot.
About DigiCert, Inc.
DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.