CarahCast: Podcasts on Technology in the Public Sector

Why SSL/TLS Certificate Management Matters in 2023

Episode Summary

In this podcast, Jen Racine, Director of Sales Consulting at Entrust, and Andrew Sheedy, Enterprise Sales Director at Entrust, discuss the importance of managing SSL/TLS certificates and how agencies can maintain TLS encryption with Entrust Certificate Services (ECS). Listen to the podcast to discover how Entrust ECS can support your organization with SSL/TLS management to secure online communication, meet compliance requirements, advance Zero Trust initiatives and much more.

Episode Transcription

Corey Baumgartner 

Welcome back to CarahCast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Corey Baumgartner, your host from the Carahsoft production team. On behalf of Entrust, we would like to welcome you to today's podcast, focused around SSL and TLS certificate management. Jen Racine, digital security consultant, and Andrew Sheedy, Global Center of Excellence PKI at Entrust, will discuss what the new government mark certificates are and why every agency needs them, how easy it is to manage your digital certificate inventory within a single dashboard, how to automate certificate management and ensure compliance, the latest developments in expiry tracking, alerts and notifications, and lowering the cost of ownership by as much as 50%.


Jen Racine 

Thanks, everyone, for joining today. Our topic du jour is why TLS/SSL certificate management matters in 2023, and our group online today is the public sector. My name is Jen Racine, and within the sales group here at Entrust I'm part of the Global Center of Excellence. I've been with Entrust since 2014, always on the new business and acquisition side of the house, dealing primarily in strategic and key accounts as a CoE and subject matter expert. Part of my role is to help enable customers, prospects, channel partners and sales team members on our ECS solutions, our public digital certificate offerings. Andrew?


Andrew Sheedy 

Thanks, Jen. My name is Andrew Sheedy. I'm also with the Entrust Global Center of Excellence. I specialize in our non-public PKI offerings, so our certificate lifecycle management and private PKI products. I've been in the PKI and ICAM space for about 20 years, have been at Entrust for three of those, and work on the same team as Jen supporting our enterprise and public sector sales teams.


Jen Racine 

On deck for discussion today will be why certificate management matters in 2023. As promised, specific to the public TLS/SSL market, we'll talk about the latest public certificate type available to the public sector, how centralizing to a platform allowing for compliance and automation is important, and touch on why you will need commercial flexibility going forward.


Andrew Sheedy 

For those of you who don't know who Entrust is, I'll just give you a little bit of a brief on us as a company. So we're nearly a billion dollars in revenue. Our main US headquarters is outside of Minneapolis; we have a large Canadian contingent as well, based in Ottawa. Worldwide, we're about 2,800 colleagues. We've been around for about 50 years, and we've been in the PKI space specifically for about 25 years. You know, overall, we're a pretty significant player in the worldwide identity management and credentialing space. Just some other stats. You know, we have been around, as I said earlier, for about 25 years in the PKI space specifically. I think we're probably one of the original providers of commercial CA software. When you partner with Entrust, what you're partnering with is our longevity and our commitment to this space. You know, we're not a flash in the pan; we've been around for a while, and we invest heavily in the technology that we bring to market. Last year alone was $100 million in spend in R&D. We're very, very active in the national security space, in the civilian US federal government, but also internationally for passport and national ID solutions. Not that this is a federally specific presentation, but to give you some idea of our commitment to the space and, you know, how we're regarded with public sector customers. Those of you who are familiar with the US federal PIV card should know that it's most likely, if you are in the civilian federal executive branch, that you're carrying a PIV card that most likely has certificates that have been issued by an Entrust CA. We've been involved in this space since the very beginnings of HSPD-12, so that was back in 2004. We continue to evolve our products in accordance with relevant specifications. We have a broad portfolio of customers: federal law enforcement, citizen services, the diplomatic corps, you know, the US financial services agencies as well.
So, very, very well established. One of the offerings that we offer to our federal customers is a managed PKI that is part of the federal Shared Service Provider Program. As such, we are given an authority to operate, an ATO, inside of our Entrust managed data centers, whereby we issue certificates that chain up to the Common Policy root and are cross-certified with the Federal Bridge Certificate Authority. All of our data centers are on US soil, and the Federal PKI authorities are all managed by US personnel. And it's important to understand that certificates play a very, very important role in a Zero Trust architecture, because what they actually do is map back to a specific identity. It could be an identity of a web service, it could be an identity of a human person, it can be the identity of a machine on your network. And underpinning all this is the governance of those identities, and the active validation of those identities while they're being used on the network on a daily basis. Let's just talk real quickly about the differences when we talk about public certificates and private certificates. So a public certificate is something that you're very, very familiar with, even though you may not know it natively. Probably the most familiar use case you'll have is the proper identification of a commercial website. There are several public trust certificate providers that are acknowledged by the WebTrust consortium, and Entrust is one of those. And what we do as part of our service is that we vet, and we identity proof, the owners of the specific domains and the owners of the websites that we're going to be issuing a certificate for. That way, when you go to a web page, you see the lock in the address bar, you click on that lock, you go down, and you can explore into the details of that; you'll know what certificate authority issued the certificate for the website that you're looking at right now.
And you can make the decision to trust the content that website is providing. Generally speaking, reputable certificate authority issuers are included in the native trust stores of most of the commercial browsers, so things like Chrome, Firefox, Edge. Entrust is already an approved issuer inside of those browser trust stores, so you'll never see an issue with an Entrust-issued certificate by those browsers for a commercially issued website. On the private side of the house, it's a little bit different, and the difference is trust. So a publicly trusted certificate is something that's recognized by, you know, browsers, by operating systems. And those tend to be something that are generally a little bit more expensive and a little bit harder to deploy than private trust certificates. And private trust certificates are generally used for workaday use cases, use cases that make sense inside of an enterprise trust boundary, where cross-domain or cross-boundary certification and trust is not necessary. Thinking specifically of internal machines, internal user credentials, internal resources that just need to be trusted inside of that organization's boundary. Private trust certificates can be issued in a much more flexible manner, at higher quantities and at lower cost. You know, it does make sense to still follow the same types of policies and procedures when you're issuing private trust certificates, because really, at the end of the day, what you're doing internally is you're making a decision to trust an issuing authority. So that becomes a trust anchor for your internal authority. With a public trust certificate, you're actually offloading the validation and the policy enforcement to a third party. In the case of a private trust certificate authority, you are making those decisions internally, and need to enforce those best practices and governance and policies yourselves internally.
I just want to spend just a couple of minutes, because I would be remiss if I didn't spend the time on this, to talk about probably one of the hotter topics today in the PKI and cryptography space, and that is on the topic of post-quantum cryptography. There is an anticipated event sometime within the next 10 years, and I think it depends on who you talk to, whereby quantum computing resources will be available that will be able to defeat current RSA or ECC crypto. And that has ramifications for encryption, that has ramifications for hashing and other types of cryptographic operations. It's unclear at this point when that will be available; it's a little bit non-deterministic. But what's happening right now is most security agencies and companies, frankly, like Entrust, that are involved in the security space are trying to get the word out to say, hey, this is something that may be a little ways down the road, but it's a generational change in implementation of the cryptography that you use on a day-to-day basis. RSA crypto, ECC crypto will no longer be considered secure. And the types and algorithms of the crypto that's going to be next generation are going to present a completely different way of interacting with the crypto. It's not going to be a drop-in, you know, cut and paste, or an algorithm cut and paste for a binary; there are going to be some significant changes that are required in the landscape. To that end, you know, the NSA has come out with this CNSA 2.0 algorithm suite, and they've started putting some timelines around what they expect national security agencies, defense industrial base corporations, and the suppliers to those types of agencies, like Entrust, to start putting in place. So I want to just make sure that I had brought that up. That's something that we're watching very, very closely, we're very, very involved with, and we've got a number of different resources on our website.
You know, we have folks here at Entrust that are actively involved in building some of these candidate algorithms; we have some submissions to the IETF working groups. We're watching this very, very closely, we're intimately involved in what's going on with it, and we're actively supporting betas while we wait on the approval of these crypto primitives, which should be coming sometime within the next year. Once these crypto primitives are approved, we'll start incorporating these into the production builds of our software. For right now, they're available as a beta in our PKI as a Service, which is our cloud-native PKI, and as an option pack with our HSM products. I want to just talk real quickly about this, because this is fairly important, and it really gives you a little bit of a perspective on kind of what's coming, given everything I've just said: why PKI is extremely important and why you need to give it due consideration in your organization. There are a large number of use cases in your typical enterprise for digital certificates, things like code signing, device authentication, email security, not the least of which, obviously, is SSL certificates for public-facing websites and services. And the truth is that as organizations start moving to cloud or hybrid cloud environments, and embark or continue to embark on these digital transformation efforts, a functional and properly architected PKI, in partnership with a trusted vendor in this space, is going to become more and more important as time goes on. Because this technology actually is, I would say, it's been around for a while. I don't want to call it old, because I don't want to be deprecatory. It's certainly been around for a while, but it continues to be sort of the technology of choice for the use cases that are laid out in this slide, because it scales so well. It's got a very, very well understood validity checking function.
And it's very, very small, lightweight, scales well, hierarchical in nature, and it's not going to go away anytime soon. So this is something that really needs to be top of mind for anybody who's in the CISO's office or in a cybersecurity office. Frequently, what we find is that this is not the kind of thing that's getting the attention that it deserves in organizations, and it's leaving the door open for business problems, for cybersecurity problems down the road, when things aren't properly architected and governed. All right, over to you, Jen.


Jen Racine 

Thanks, Andrew. So at the core of this complex web of cybersecurity needs that Andrew just described lies government bureau and public sector agencies' network infrastructure, and TLS/SSL certificates are a most important core element. They require mastery to be able to align with a Zero Trust maturity model. Over the years we've all personally witnessed, as individual citizens or as IT professionals, the uptake of TLS everywhere through IT network infrastructure. And as Andrew alluded to earlier, in the original use case, our browser experiences, looking at the images along the bottom there. As IT pros, you know that enabling a secure TLS connection between servers, configuring those servers properly, and installing a digital certificate issued by a publicly trusted certificate authority like Entrust will serve to securely identify your bureau, department or agency's website, servers and devices, as well as providing encryption. Over time, we and our end clients, our citizens, have been groomed by the browsers to look initially for the HTTPS in the URL bar, then for the HTTPS and the green padlock, with the browsers offering viewers the ability to inspect the site's public certificate information, including the legal organizational info and the period of validity of the certificate. We know that with TLS, and certificate and server all in order, the IRS is also achieving a better search engine optimization, an SEO ranking, from browsers without having to pay. People are finding the taxman quicker. So certificates are part of the core for IT, protecting your crown jewels, your public access points, your priority systems and applications that manage your transactions and the identities of your clients.
The challenge with SSL certificates, as many know, is that they have a defined maximum lifespan, which currently, the maximum allowable by industry, is 398 days. Aligning with CISA and Executive Order, NIST, whatever it is, most public sector entities are issuing, and have been issuing, one-year term certificates for the past few years easily. So they expire, and they expire every year. And as Andrew alluded to in his last slide, with that evolution of PKI, they're on the increase more than ever, so since the pandemic as well. Now, I've had hundreds and hundreds of conversations about certificate management since I started at Entrust, and I can attest to the fact that the majority of entities out there are struggling with certificate management: with expiries, with moving from manual tracking to a centralized platform, with stepping up the maturity scale to a place of Zero Trust and with full automation in play. In my personal experience, about 75% of IT organizations are just starting their journey, with the remaining 25% on a strategic track towards maturity. For government specifically, or the public sector specifically, IT teams have a double-sided challenge of (a) driving cybersecurity compliance for the rest of the world, with the NIST and CISA edicts published for, you know, well over a year now, and (b) actually having to comply to those high standards, all while under the public's eye. Last on this list is the public CA industry itself, providing further challenges to IT teams. So we also have the public industry itself layering on regular changes for IT. Two entities that are associated with public digital certificates are the CA/Browser Forum, as well as the PKI Consortium. The first, the most impactful I'd say, they handle more policy and rule making for us. The second, the PKI Consortium, they handle technical, engineering-type changes to the specifications.
Little did I think, when I joined Entrust in 2014, that providing certificate solutions would be so exciting. The CA/Browser Forum, as you might imagine, has got the big browsers on one side, Google, Microsoft, Apple, Mozilla and the others, and the public CAs on the other side of the table: Entrust, DigiCert, GlobalSign, Sectigo and others as well. And through a very formal and regimented series of meetings, working groups, sub-working groups and the use of ballots, they make decisions about policy for the use of all digital certificates, SSL, S/MIME, code signing, etc. The PKI Consortium does the same thing from a technical perspective. Now, in the past, IT teams have had to deal with a large number of public digital certificate issues cropping up, or industry changes cropping up, with very short notice. Looking back towards 2018 here on the timeline, just as most IT orgs had finally managed through the deprecation of SHA-1 as a signing hash algorithm, the now defunct Symantec had their root deprecated by browsers. And that caused a huge ripple of extra work for certificate management teams worldwide, having to replace their certificates with a new root. At the time, Symantec was the largest CA in the world. That same year, certificate transparency, which is the mandate for public CAs to log publicly the certificate information, came into force as well. And at that time, the smartest of organizations performed a risk review of their DNS and server naming conventions. In 2020, Apple made a unilateral decision to ask for shorter SSL cert lifespans, down to 398 days from the three years that we had at the time, which created an additional burden for rolling certificates by IT multiple times. Users of code signing certificates saw changes for larger crypto key sizes in 2021. There were hardware impacts, impacts to logistics and budget for some. And then in 2022, Apple hit us again for reduced lifespans, this time for S/MIME certificates.
Google deprecated a popular SSL certificate field, one called the OU field, or organizational unit field, which was quite popular for some; they did that almost a full year before the industry regulation required them to do so. It really has been a whirlwind. And as we move along the timeline here, the trends for you working in this space going forward are for tighter rules for authentication, for domain and business checks that need to be done annually, for larger key sizes to handle in terms of tokens and HSMs, and for reductions in certificate lifespans, pointing to the need for automation in the future, as of just this past June. So this is what's going on kind of this summer, going into the end of the year. So as of June 1, any bureau, department or agency using public code signing certificates is going to need to authenticate with their CA on an annual basis that you're using hardware security modules, HSMs, to store your code signing keys. And that might include a picture of the serial plates on the back of the HSM. This is new for the industry, and for some smaller organizations it might also necessitate the creation of a brand new security policy for key management; we're gonna have to start tracking things like this going forward. Coming up in September of this year, S/MIME certificates will be impacted again: their lifespans will be reduced from three years down to two years, and there will be some stricter and deeper verification and authentication requirements, including the provision of an organization ID as well as the name of the individual. Now, on that timeline as well, we've got a note related to Google's 90-day proposal for TLS certificates, and I'll placemark that. Suffice it to say that the cybersecurity gossip halls are buzzing again right now, and we're going to have an exciting next 12 months or so, 12 to 18 months, I'm thinking.
And then, alluding to Andrew's point earlier, we've got that 2030 post-quantum horizon on this timeline as well. All of these things are industry pushing your IT team's life to be more complex. Our TLS/SSL certificate management professionals also have to contend with their own flavor of cybersecurity challenges continuously. As it relates to the public world, we've heard it said number one on the mind is always business or service disruptions. And that could be caused by expired certificates, maybe just an improperly installed certificate. Perhaps we've got end user security warnings happening that can cause us problems. Like everybody else in cybersecurity, they also have, specific to SSL servers, various vulnerabilities and threats coming towards us. And you really only need to Google the news every morning to see the latest and greatest freaky-named threat coming at us. But in the most recent past, the largest has been Heartbleed; POODLE was quite a name as well. IT pros are constantly trying to keep up with evolving technology. You have those reducing certificate lifespans to worry about that I've mentioned; you may be considering shifting from ECC to RSA for some use cases; you need to create policy for certificate transparency; take advantage of something called certification authority authorization, or CAA, where you actually register officially who is your primary public CA so that nobody else can issue certs. And now you're hearing on the interweb, and from your Carahsoft rep and your Entrust rep, hopefully, that Google is positioning a proposal now to reduce TLS/SSL certificates' maximum lifespan down to 90 days. That would mean, for everyone in the public sector, four rotations of certificates per year instead of just one. How will you manage? How will you enable automation? Compliance requirements change all the time, we've just said, NIST, CISA, whatever it is.
Depending on your business's industry vertical, you might have PCI or HIPAA compliance if you're doing dollar transactions or in health care. There may be dealings with the European Union, and so you have GDPR to contend with, or perhaps eIDAS or PSD2 regulations. All these over and above any local, state and internal security policy requirements that the team is having to think about as well. It's a busy place, and like the rest of the world in cybersecurity, you're likely resource constrained; that's a given, I think. The last one, off to the right, might not be the thought of a day-to-day IT person, but for many CISOs or VPs of IT or, you know, digital transformation heads, the most important one for their upper line is brand protection, or the damage that can be done to it. Just think, in your own personal experience as a shopper, or a registrant of your local city website or government estore, whatever it is, how easily a brand can be damaged and confidence undermined by a website's simple underperformance, let alone a data breach due to an expiry. And now we wonder why the average lifespan of a CSO is between 18 to 20 months; it's no wonder. So as you explore for better ways to perform your public TLS/SSL certificate management, it's important for you to work with a partner vendor like Entrust and Carahsoft to help solve efficiently. Every customer engagement will have a commercial element, and commercial flexibility with your partner I always assume as a basic requirement. But in my experience, these are the true top seven pains as an IT organization you might be actually trying to solve for now. Certificate expiries are still the number one problem; every IT organization has this pain. The need to get centralized, because of an acquisition, reorganization, a spin-off, or a rogue buyer or buyers of certificates found in your midst. Maybe you're undoing silos across business units. You need to automate.
And maybe that means integrating into a very large certificate lifecycle management platform for both public and private certificates at some point, or fancy reporting systems that you might have. You need to remain compliant, with reports for your internal audit processes. Or perhaps you're at such a large size that you're looking for what we call CA agility, vendor diversity amongst CAs. Now, account management and CA behavior issues, those are the other two items that don't really get put into writing so much. It's always good practice, as you're procuring something, to watch the web for CA behavior, and there's a lot of good gossip. It's all done publicly; just Google, you know, Entrust plus CA/Browser Forum, and a whole bunch of fun and exciting things start popping up for your reading pleasure. And you always want to be sure that you're connected with a good and responsive account management team, and a vendor and partner who is continuously communicating with updates and providing that value add and that enrichment. As you saw, it's a whirling dervish of change, and you need somebody to help keep you up to date. Entrust's public certificate management solution, we call it Entrust Certificate Services, or ECS, purple and white, and it's a great example of a certificate as a service, a cloud-based solution provided by a mature public certificate authority. Its aim is to be simple, efficient and logical. In 2023, you too need to be simple, logical and efficient. You know what's important: to get to a position of centralization and oversight, and you're starting with public digital certificates here. You're looking for a certificate management platform that can grow as you move along the maturity scale. In my case here, as a certificate manager, I am most concerned about my expiring certificates. It's prime real estate here in my UI as I log in, and my choice of menus is very simple.
If I'm creating certificates, I go to the Create menu. If I'm performing administration, or I need help, I go to those menus. I'm always looking for chat support available with the support team, and you'll see, top right, I've got some messages awaiting me that I'm assuming are from the ECS product team, advising me of the latest and greatest version releases. Now, as you search for a vendor, you want to be sure that you're getting centralized oversight of all your public SSL certificates in that single pane of glass. I always like a little bit of pizzazz with a nice dashboard and some configurable widgets, ideally too. You want to be able to have immediate visual alerts advising you of expiries, as well as system-embedded email notifications going out to the admin team. I've got a few best practice widgets turned on here as well. You'll see searching for certificates with broken chains, weak server ratings, as well as looking at my SSL server ratings live. Remember that you want a configurable platform. So in this view, as a certificate manager, I have a place to view all of my certificates. I can audit, I can perform updates, and I can manage them using the Actions menu on the left-hand side, with the ability to do things like bulk update and bulk revoke; maybe a specific grouping of certificates all needs to be reviewed for renewal. In this case, I've got a grouping of previously discovered certificates that I'm reviewing; I'm a little bit proactive on the maturity scale. In 2023, it's important for you in IT to concentrate on governance, to perform regular discovery scans and audits. You want to be able to review and decide whether any of those discovered, any non-Entrust certificates in this case, are important enough to configure for my reports and my alerts. Now, trying to manage SSL certificates in multiple geographically dispersed environments can create a blind spot for IT, inviting risks like unexpected outages and compliance breaches.
In my personal experience, which I'll confess is pretty limited compared to Andrew's, certain quadrants of the public sector from an SSL perspective are a little bit like the Wild West, with fragmented regional teams managing themselves independently. You want a solution that ensures your regular audit compliance and reporting, and that kind of helps you rope in those cowboys. Here we see a list of reports available in a Report Center, allowing for a multitude of policy violations to be groomed for best practice, and other general alerts. Let's talk a little bit about the philosophy behind our ECS certificate management platform. I'm using it as an example of a best practice certificate management solution out there. Now, certificate management is of course the name of the game and is the core of the certificate management platform. Whether you're a small customer just beginning to use an automated system, or a department or agency or education institution with years of sophisticated certificate management, end-to-end lifecycle management is your common need: TLS and other digital certificates to fit your use cases from cradle to grave, from issuance through to revocation, ideally also with privileged role-based access for your administrators. You know that on your maturity journey towards Zero Trust, you need to start checking in on endpoints, and that's important; tools should be available for you to do that. As an Entrust customer, you might use our co-branded Qualys SSL server vulnerability scanner tool that's built into the UI to start proactively monitoring server configurations. Certificate managers should expect to be able to configure basic public cert policy for the organization within the UI as well, and control any custom tracking or data fields that might be in scope, in the background.
Of course, a public CA will police the UI, excuse me, keep it updated vis-a-vis industry changes, so that at no point could you in IT issue a bad certificate. And then for those organizations with higher compliance and audit needs, like you in the public sector, along with embedded email notifications and alerts, you need to have good access to reporting, so you want to look for a Report Center. On the left side, you want a solution that has considered how to handle requests for certificates, your enrollment processes. You might currently be swapping emails with sysadmins in the field to buy and manage your certificates. You might be using a central spreadsheet in SharePoint in combination with Microsoft Outlook calendar reminders. Or you might have a national network with automation in play and requirements for multiple API integrations, or a variation or combination of any of those in between. The idea here is you want the choice to be able to either manage those requests manually, maybe use a provided, embedded e-form to sync with a SharePoint for your requesters, to begin automating using ACME, to use connectors to reach third-party tools like Ansible, or to use an available open RESTful API, or select from some off-the-shelf integrations. Look for that flexibility. Being able to create from a choice of many certificate types is important; you want, you need, that flexibility. And then, off to the right, as you start to become proactive in your certificate management practice, you can begin to perform certificate transparency log imports, or perform discovery tool scans within your environments, looking for all certificate types, not just public, internal PKI perhaps, getting your toes wet in that. And then all of those non-Entrust, those foreign certificates we call them, all brought back into our central management platform, into that single pane of glass, for monitoring and reporting.
And then supporting everything in the certificate management platform down below was kind of the lifeblood, you don't have the people cycles to be experts. So you want to have a dedicated account management team who's going to meet with you regularly talk best practice, keep you up to date. As I said earlier, you want to ensure that you've got access to a world class customer support organization. And our ECS verification organization is grant they provide a 24 hour SLA for our Platinum services are 24 by seven 365 customers, and then maturing bureaus, departments and agencies wanting to get automated, they will eventually want to step up into bigger certificate Lifecycle Management CLM solutions. So looking for off the shelf integrations and open RESTful API. Again, it's going to allow you to connect to third party solutions that further expand your capabilities to automate the provisioning, the fulfillment and the installation of your SSL certificates to connect with your IT workflows, through right through to report and best practice alert configurations, as well as connecting to key vaults. Interest has long been a partner with benify and ServiceNow. We connect with App UX and key factor and a multitude of others. We also support integrations with existing tools like Qualis hashey, Corp, Ansible. And then of course, down at the bottom there you see Entrust's own CLM solution, it's called Certificate Hub. Okay, so we've heard earlier that the number of use cases is growing season certificate manager will look for a choice in certificate types. If is the request they received for a single web server for one domain coverage, or is it a Microsoft Exchange server cluster requiring a multi domain certificate above the gray line here you see and trusts most widely used SSL certificate types, each dependent on the number of domains needing coverage as well as the level of assurance for you in the public sector. 
Best practice dictates the use of high assurance certificate. So those you see here, either the OV, the organizationally validated, or EV Extended Validation types. Some entities amongst you may have to deal with or have remote locations to protect in the European Union. Below the line also considered TLS SSL are a new series of qualified trust certificates, aligning to EI, das, and PSD to regulations. As you search, you're going to want to look for a vendor who is also an official que te SP a qualified trust provider. If this pertains to you. You may have coding and Dev activity happening, though code signing certificates will publicly attest to your downloaders that your code identifies as you and is valid. You might have 1000s of customer statements to manage loans, mortgages, real estate titles, architectural plans, invoices, all needing to be electronically signed and sealed, perhaps remote working groups wanting to sign off their projects and workflows, all these necessitating documents signing certificates or associated services. Same for public s mime secure email certificates and automation requirements. needing to be solved there. The verified Mark certificate of VMC it's been around for about two years now, some may have heard it called a Bimi certificate. I'm saying be like, boy, I am like Mary, I bet me. Email marketing departments are starting to crawl out of the woodwork looking for these things. Again, it's important to be prepared to satisfy a breadth of use cases. And a skilled certificate manager with some complex use cases to satisfy making use of multiple a multitude of certificate types. They can see their overall inventory shrink, sometimes by up to 25%. 
In our experience, now, the latest innovation in public certificates happens to be especially for government, the government Mark certificate, like the VMC I just mentioned, a government Mark certificate and GMC is the combination of a high assurance Extended Validation SSL certificate with an authenticated or authorized logo file. A GMC installed on a properly configured email server will magically allow your logo to appear with within email browser views. And the idea here is that your logo is a symbol of trust against all those other anonymous senders that are hitting your clients, your citizens your consumers inbox, a GMC creates a more personalized brand experience for your email communications, instilling trust in your organization, drawing in the reader with a clear visual indicator of who it is that's communicating to them. And with that trust comes a proven increase in clicks in open rates by your clients and citizens. The first public entity to issue a government Mark certificate earlier this year was the federal government of Denmark. And I've got a little quote there from Thomas Thomas. Using a GMC for him meant that he was able to comply with one of his own internal goals, which was compliance with a high level strategy called secure communications for their federal IT team. Let's pretend that you're at the point when your pain threshold is down or you've been identified identified a vendor that's going to help you as well as having your challenges cybersecurity challenges. In order you've got your your certificate management solution selected from you know, feature functionality perspective, and your plans towards certificate Management Maturity are ready to move. The last important step will always be making commercial choices. Ideally choices that allow you to reduce your overall costs, while improving efficiency and allowing the flexibility for growth and change as you might require. Luckily, you have choices. 
First basic commercial item that you want to identify with your SSL provider is that your license allows for unlimited copies. So you buy a certificate, you can copy it to the any number of servers that you want, without ever having to pay anything. And I'm going to update my slide to put this important bid on after we get off the call today. You should never be paying for copies of Sir certificates. And there are some especially smaller users that are still getting caught up in a very old methodology for SSL sales. After that, you want to start looking for flexibility and commercial models. So looking at the right hand side here is the unit based program. And so way back when in the mid 90s, when Entrust and two others became the very first three public CA's, we all sold SSL certificates by the unit. This is the traditional approach. It's still in use today. And lots of organizations who are forced by process to manage at the individual transaction level their budget, they will understand this one and also how painful it can be. So in this model, the idea is one unit of license is valid for one year of certificate life. The pricing is volume based. So the more units you buy, the better the discount. And there is flexibility with this model in that you can buy units, then hold them in your inventory for up to 365 days before you actually create a certificate using that unit license. This model works well if you're only handling a few certificates, maybe a few 100 certificates if you've got your act together, but for the enterprise organization, large organization, there are downfalls of this model and I see these as threefold first, pricing is only ever offered with a one year account relationship considered when in reality we know you know that some of your certificates will have been in place for maybe decades. 
Second, though, you can hold your units up to for up to 365 days, that in itself then becomes another administrative burden for an IT person to have to manage. The last downfall of the unit based certificate model brings in the notion of change management, there will always be a percentage of these certificates that we have to do something to after the fact, let's say a domain has been rebranded whatever it is remedy in a unit based model is to actually revoke kill the original certificate by a new unit and create a new certificate. And so due largely to the cries and screams from our larger customers many years ago, with these large customers having to contend with higher, higher percentages of corporate change and also wanting to see the benefit from long term vendor relationships. Entrust created the invented for the industry, the subscription based licensing model. And this is what I recommend to every new customer that I speak with, it just makes more sense. Subscription licenses are also volume based. But they'll now also allow for longer account terms. And in our case, it's up to five year terms if you can get consideration for that. With additional term discounts applied as a result. The certificates being managed right now by some of you, as I mentioned, may have been renewing for the past 20 years, and they will likely renew for the foreseeable future. So if you're able to reach in and do contracting for longer terms, it only makes sense. In the subscription model. Instead of scrambling every year to manage an expiring bucket of units, you'd be shifting to thinking about how many active certificates would be alive every year for each year of your account. And then the best thing about subscription is that the licenses are redeployable. So let's talk about that instance, where I have to make a change to a certificate and shift to a visual here. Starting in the center with my inventory, I've got my inventory of subscription licenses. 
Let's say that on day one, I deploy license a onto server number one for a one year term. Actually, with Entrust our subscription licenses, you can create a certificate that's any as as little as 10 days with a maximum of 398 days just as an FYI. So I create my one year certificate and I install it on server number one. Now six months into that project. That's that certificates life, the project gets killed for whatever reason, I can revoke that original certificate, and its license will return to my inventory. And I can redeploy it to another project using that same certificate type. Now, I can do this as many times as I want with each of my licenses throughout the life of my account, without ever having to buy anything new. That's the idea behind the redeployment of a subscription license. I hope that makes sense. Lastly, let's layer in a new concept or a different concept. And I think the notion of flex licensing is something that is unique to Entrust. Now a flex license is a subscription license, but it's a generic license type. So it would give a certificate buyer the choice to have a flat rate license model for any SSL certificate type. And you see them written there between the parentheses. So with a flex license, I would start again with my Flex subscription inventory. On day one year one, I could deploy a standard o v certificate to the server six months later need to kill that it's licensed would return to inventory. And that same license could be used for a different project entirely. In this case as a for domain coverage, a multidomain all OV certificate, and I could then six months, 10 days, 15 days later deactivate it have its inventory returned to to the main bucket, redeployed as a wild card, and so on and so on and so on. Again, the idea is that we bring you more efficiency, both as certificate managers as well as certificate budget owners. Instead of having to manage how many and what color for SSL inventory. 
I need 10 standard and 10 wildcards and 10 multidomain we minimize that decision down to just how many certificates do you need? The commercial goal for you with redeployment is that with practice over time? You as certificate management team Even so we'll be able to reduce your overall number of certificates. Along with giving that efficiency for management and sourcing, sourcing. Ideally, everything together reduce your your total cost of ownership, as well we reduce the complexity by splitting that decision. So the commercial teams, they handle the dollars, they negotiate a three year account for you. inventory goes in and off the commercial team centers for the next three years, it can then take those licenses and in the field, they determined what certificate type is going to be utilized based on the use cases that they've got coming in. We have had many customers who have successfully transitioned from unit to subscription subscription based commercial methodology. In summary, your mission your challenge, should you accept it is stepping onto the path towards Zero Trust maturity. It's not going away. 2023 is the year to start taking your next steps. Focus on governance, look at reducing complexity where you can centralize to gain oversight if you're not doing it now, be compliant in so doing, increase your efficiency, move towards automation, work those commercial angles, and start planning for the future now. And ideally, you'll have a set of resources that you can reach out to from a trusted advisor perspective.

 

Corey Baumgartner 

Thanks for listening and thank you to our guests Jen Racine and Andrew Sheedy. Don't forget to like, comment, and subscribe to CarahCast, and be sure to listen to our other discussions. If you'd like more information on how Entrust can assist your organization, please visit www.carahsoft.com or email us at entrust@carahsoft.com. Thanks again for listening and have a great day.