
HID Connects Podcast S2E5 — PKI: What Do These Three Letters Mean for Internet Security?

Welcome to HID Connects! 

HID Connects is a podcast designed to bring you the latest news and trends in the security space. Our goal is to not only equip you with information and best practices, but also open new conversations on topics shaping our industry. 

With billions of online transactions taking place every day, protecting sensitive data and ensuring secure end-to-end communications is paramount to our lives. So to help us better understand PKI, what it does, and what the future looks like, Vish Patel, VP and Head of PKI and IoT Services at HID, and Kevin Bocek, Vice President of Ecosystem and Community at Venafi, are joining us in the studio.

Together, we’ll answer the question, “PKI: What do these three letters mean for internet security?” 

Take a minute to listen below. And while you’re at it, be sure to subscribe to receive future episodes. 


Here is a transcript if you’d like to read along:

Matt Winn 
Hello, everyone. Good morning. Good afternoon. Good evening. Whatever time it is, and wherever in the world you may be, my name is Matt Winn, your humble podcast host and resident secure identities nerd. Welcome back to HID Connects. Now, in today's episode, we're going to dive deep into the Internet security pool with a core focus on PKI, or public key infrastructure.

With billions of online transactions taking place each and every day, protecting sensitive data and ensuring secure end-to-end communications is paramount to our lives, albeit behind the scenes. So to help us better understand PKI, what it does and what it means to Internet security, I'm excited to be joined by two expert guests. First, we have Vish Patel, VP and Head of PKI and IoT Services.

Also joining us in the studio is Kevin Bocek, Vice President of Ecosystem and Community at Venafi. So, gentlemen, thank you both for joining us. Very excited to have you, and thank you so much for traveling all the way to our studio, which is a new conference room this season. But let's start with you. Say hello to our guests and tell us a little about yourself, what you do.

Vish Patel 
Yeah, well, thanks for inviting us. So I've been with HID for probably eight years now and head of PKI and IoT Services. We help customers secure their networks, secure their IoT devices and help them basically address their cyber security threats. 

Matt Winn
Very good. Thanks for joining. And Kevin, thanks for joining us as well. So give us a quick intro and please shamelessly plug Venafi. Tell us what you do. 

Kevin Bocek
All right. Well, first of all, I like to think I'm the director of fun. I get to work with great technology partners and our ecosystem, like HID, and at Venafi we help manage, protect and secure machine identities out there in the world, in the networks, on the Internet. There are two actors: there are people and machines. Both need to have identities. And we manage the machine identities, which of course we're going to talk a lot about. Venafi is heavily involved in making that successful.

Matt Winn
Very good. Well, thanks for joining us. And with that, you got your experts ready for you. So let's dive into today's burning question: PKI — what do these three letters mean for Internet security?

So, Kevin, let's start with you. Give us some background, just why are we here together? How do Venafi and HID work together? Let's explain the relationship. Just get started.

Kevin Bocek 
Yeah, well, as I first said, out there in the world, there are humans and machines. And, you know, we as humans, hopefully everyone out there is human, we use usernames, passwords, biometrics, other form factors of authentication to say, “Hey, we're here, it's who I am. It's really Kevin.” But machines, they're a bit different. Of course, they come in all different shapes, sizes. They might be something that runs in Amazon, AWS, it might be a light post, it might be a server in a data center that's running software. All of them are machines. And wow, how do they say, “Here I am”? Am I good, bad, friend or foe? Do I belong?

And that's where PKI comes in, because it allows us to establish … think of it as the passports for all of these machines. It's who I am, it's who I belong to, who says I should be allowed to belong. And yeah, can I sign a key today? Tomorrow? And of course, too, like with a passport, they expire. They need to be replaced. 

All of that is public key infrastructure, or PKI, a name that we gave 30 plus years ago back in the days when I got started. It shows. Yeah, and it's used every day. Everything that we know, if we go on to online banking, the padlock that's PKI work, that's a machine identity that's saying, yeah, that's really our bank.

The transactions and the payment systems from the terminal to the backend to the payments provider — all of those transactions, all those machines along the way saying, “Yep, I'm good,” — that's at work, that's a machine identity at work. And yeah, we wouldn't be here in our digital world, you wouldn't be able to use your mobile apps, you wouldn't be able to fly on a plane — because a plane today is just a big mobile app — software gets installed on them. How does a plane, a big machine, big mobile device know what's good or bad software? Because it comes with machine identity. It's part of a PKI. 

Matt Winn
Very important. Vish, help further explain PKI — what it is — for those of us who may not be familiar with it, please continue, because those are really great examples.

Vish Patel
Yeah. I mean, Kevin is focused on machine identities. We then further extend that also into using AI for individual identities. Right? Today you may have a card that may have a smart chip on it and it has what is called a digital certificate issued through this technology that identifies you as an individual and then also allows you to authenticate to door readers to logical — you know, workstations — to be able to then say, okay, this is Vish and he can do these things.

So it's an extension. Same technology in a different use case, in a different way to identify people along with machines. 

Matt Winn 
Excellent. And if you think about this thing, why is it called public key? I'm curious about that, too. 

Kevin Bocek 
Who the heck? You know, someone really wanted to torture us in the future when they gave those names back in the eighties, which basically means, we can use a public key — something that we can publish anywhere, literally. I think sometimes people put them in the newspaper and books, but also too we have the idea of directories. It's all gone. But actually it's something that we can post anywhere and then we have something that's private, that we keep and that’s secret. And then you've got this public thing I know that also then belongs to this private thing. Then we can do other cool things too, like we can drive encryption for privacy or we can drive authentication for transactions that live forever like a blockchain. All of that works because of this thing called PKI.

Matt Winn 
Very nice. And I want to dig even deeper into the third word, which is infrastructure. So, Vish, what do we mean by the infrastructure? We've got the public portion covered. We kind of know what the key is — what is the infrastructure, what do we mean by that (whether the term still applies or not)? But let's focus on the I.

Vish Patel
So in order for this technology to work properly, you need a combination of software and hardware and practices that allow you to maintain the security that's possible for this kind of technology. So infrastructure for us means both the ability to produce digital certificates and lifecycle management, meaning something that gets created also needs to be maintained.

It has the ability to cancel, the ability to know if it's valid or not. So all of those things are pieces and components that we put together, in order to be able to use those certificates in the different use cases: machine or individual identities. It's a combination of hardware, software and practices around managing those components.

Matt Winn
Excellent. And that, infrastructure makes.

Kevin Bocek 
I think just three things to add to what Vish said: that infrastructure is really a hacker no-zone/protection zone, because we do all of this — or what we consider infrastructure (which sounds very proper) — we do this actually so that the adversaries can't compromise what we've worked so hard to put in place. So that whether it's machines or people, they can't get one of these identities or they can't copy them along the way and show up and say, “Yeah, here I am,” too.

So yeah, this is very much also about stopping the adversary with that infrastructure. We do it right. The bad guys won't be able to manipulate it, abuse it. We do it wrong — which plenty of times it's been done wrong — then they get in.

Matt Winn 
The stakes are high. Vish, you talked about certificates and you talked about certificate lifecycle.

So let's talk more about that one. What is a certificate lifecycle? And then just expand on that kind of, give us some background on the goals this technology is trying to achieve. What's a certificate lifecycle? Why does it matter? 

Vish Patel
If you think about a digital certificate as an ID card, let's just say any … like your driver's license, right? The driver's license is created by you first establishing that you are who you say you are. So that process is part of the lifecycle — we're creating the ID card, or in this case, a digital certificate. We're then making it available because the public component requires you to make it available to be relied upon or to be used right in applications.

So that is the use part of it, that's part of its lifecycle. Once you have an ID card, if for whatever reason we need to [cancel it] because it's compromised or in a machine, things go away and come back. So you need to be able to cancel that ID card, similarly with a credit card, right?

So once you cancel it, that's also an event in a lifecycle. It's the ability to create, to use, the ability to — we call it revoke — to revoke the credential and then be able to produce new ones as needed. So that's what we mean by lifecycle. And then, of course, there's always other things such as our ability to know which ones are outstanding at any given point.

You want to know the reporting, which ones are … and all of these credentials have a definitive lifetime start and an end. So that means you need to manage them because once they expire, you need to replace them, if that identity still needs to live on.

Matt Winn 
Very good. Kevin, Let's expand on that. So just general thoughts on the question and then anything around the management piece, because with the volume out there, how does one do that?

Kevin Bocek
Yeah. So yeah, you know, you've got your public infrastructure, it's issuing these identities, things like digital certificates, which especially at Venafi, we're thinking about machines, shiny identities and really smart people planning this. They had learned from passwords. So that lifecycle, they actually gave a beginning and an end date. You know, passwords never expire unless you take some action or some administrator makes sure that they have a lifetime.

Some of the more geeky listeners, you know who I'm talking about, know about SSH keys, they never expire — like after ten, 20 years, they're still going. So yeah, this lifecycle actually is really, really important to protecting us, whether we're authenticating humans or machines, because it has its begin date and its end date, which then can create some problems — especially when we think about issuing tens of thousands, millions, especially when we think about machines.

Because last time I checked, machines weren't showing back up to get these new identities, we have to help them. We have to manage that because ultimately they're going to expire. And increasingly what's happening is these lifetimes are getting shorter and shorter and shorter. Back in the day when Vish and I got started, we would be issuing these certificates out of PKIs for ten years; now we're getting down to just minutes for machines and transactions, and we're getting really, really close to actually being just one-time use.

So that means that we've got to manage this lifecycle. They're going to expire and they're going to have to replace them and get them in use. And of course, again, especially when it comes to machines, they're not doing that by themselves. The audience has experienced this … you've gone to your bank, you've gone to maybe a wow, social media site — go figure — or you used an app and it said cannot be trusted. It seems like the world is ending, and won't let you use it. 

That's because actually someone has forgotten to renew one of those certificates and get a new one in place. So we actually feel that. Which of course is painful to us. It's painful when billions of dollars, when apps don't work, planes don't fly, baggage systems don't work, ATMs don't work. Your social media site, you can't access it. All of this we've seen and a whole bunch more just because that pesky lifecycle isn't being managed, which is going to get us to think along the lines of automation.

Matt Winn
Yeah, absolutely. Just personal anecdotes. I started my career working in e-commerce software sales, and part of that was the sales of SSL certificates. And part of that was, my gosh, my store is not taking orders. And it's like, well, your SSL certificate — did you not renew it? So, you know, it's only 80 bucks for the year, but go ahead and get it done. But yes, that was triggering for me, handling some of those calls.

Kevin Bocek
Yeah. And just I'd say, back in the day, let's see how we can issue those for like two or maybe ten years, because who knows where we'll be in ten years.

Then for the bad guy, though — this is what we've seen — when those certificates are hanging out for a really, really long time, we've seen breaches where the adversaries are getting in. They can show up in masquerade, whether that's like a payment system or another website or transaction system, and completely abuse what we thought was completely private, authenticated.

Matt Winn 
Interesting, amazing. You brought up automation. Vish, let's hand it to you. Let's talk automation. It seems like there's a lot to think of, consider and, to the point around lifecycle management, manage, right? How do we automate? What's going on in that space?

Vish Patel 
Yeah. So the need for automation is getting more and more because of the volumes, because of the lifecycle of those. And the way we go about it is we look at a way that already exists where certificates are getting consumed, getting issued, getting distributed out to these endpoints. So whether they're devices, whether they're on a card, right? And we look at automation as, okay, let's create appropriate integration points — or connectors is what we call it — to be able to then utilize standards that already exist to handle the volume so that customers don't have to handle each certificate by themselves.

This is what used to happen ten, 15 years ago when we started, which was what everybody dealt with … I have to, as you said, renew my SSL certificate. That means I handle that one certificate at a time. Well, we're now getting to the point where it really is an automated process to replace out those certificates. And the staff that usually deals with it are dealing with it on an exception basis, meaning if something goes wrong, they get the appropriate alert, and they look for how to remediate it.

But more and more customers are realizing the volumes cannot be handled manually. So therefore we need to automate them, and we do that via having all the different kinds of connectors that go out and reach out to the ecosystem on the network as well as where certificates are on somebody's card or on their laptop.

Matt Winn
Kevin?

Kevin Bocek 
Yeah, well, let's pretend that I'm a retailer. I've got a bunch of different websites, literally web servers, maybe load balancers where customers come and make transactions. Also, we have APIs, because our mobile apps or other shops want to call our APIs on web services. So now back in the day, automation was me in a spreadsheet. I'd be going down every day in the spreadsheet, and [find] that one needs to be renewed.

Billy, Yohan, better renew that. And they would need to go through that lifecycle of making a request, getting a new certificate (one of these new machine identities) going, then getting approved, maybe paying for it. Sometimes, maybe getting it from an internal issuer and then installing it. like unto no one. Better not leave their job or go on vacation.

So today, when we think about automation, it's really about taking the problem — which is us — out of the equation. How do we make this as absolutely seamless as possible and so that it's following a policy and a person never is involved … so that that web server automatically gets that new certificate, that new machine identity, that load balancer, that API service automatically gets it without anyone even thinking about it.

And definitely there's no spreadsheet, which of course, all of that means that we're not having those outages [and it] also means that the bad guy, the adversary, they want to compromise us because we're the weakest system in the loop. We've got great risk the bad guy can't copy them or steal them. And that also allows us — because we're getting automation — to be replacing them more and more often.

And we also see that the likes of Google and Apple or others are driving this because they're aware of challenges from the hackers looking to steal, looking to thwart the system we put in place. They want to get shorter and shorter lifetimes so that these certificates that were hanging out for a few years now are just hanging around for a few days. To make that all happen, we've got to take us out of the process, put in automation machines, especially for us, [because] we think about machine identities, go figure. They should be automated by other machines. 

Matt Winn 
Gotcha. So we've talked about — and this is a bonus question — we’ve talked about automation solving some pain points as it relates to PKI. What other pain points do professionals run into in this space? Vish, what are some of the other hang ups that we might not have talked about yet? 

Vish Patel
Yeah, I mean, we know that the environment that our customers deal with is always under attack, right? Cyber security is a real problem. And so one of the other things that is a pain point that we help them solve is something called crypto-agility, which means that ability to replace out the certificates that are in use, not just because they expired, but because of some sort of threat or some sort of discovery that there might be weakness in algorithms and so forth.

So that ability to on demand replace out certificates on those endpoints, machines, websites, thermostats, whatever it might be, it is critical for maintaining the cybersecurity posture of a customer. And so that is more and more now on the minds of our customers. And they are looking at what's happened, also really looking at partners to help them make sure that we provide ability for them to handle that.

Matt Winn 
Very fascinating. So it's not just time, it's quality and ability to execute. That's right — did not think of that. Kevin, do you want to tack on … or anything else that you see in pain points we haven't covered?

Kevin Bocek
You know, it's the breadth of all the different types — especially when we think about machine identities — all the different types of machines that are using these digital certificates at this PKI.

You know, last night when I flew into Austin, it was on an email thread about a bank in Europe, and they were having two challenges. One, their new developers were moving more and more to the cloud. Their security team had never heard of some of the technologies that their engineering teams were looking to use in the cloud.

And then on the completely other end of the spectrum, they were having problems with printers getting new certificates on their network. Go figure … a bank, with both the cloud and the printers that all that need to have identities. And so it's this breadth, and really the heterogeneity, that we need to deal with. And it's only getting more and more complex, more diverse, which I think makes it really, really fun.

It does make it challenging also — to on the flip side — if I'm thinking like the adversary, this is actually when they get excited because when we slip up dealing with all these differences, or in someone like a developer using a new technology the security team has no idea about, or we've got something like a printer, which sits on the network and has full access and wow, looks like something that we should always be trusting and can do anything. That's when bad things happen. So this is very much about making sure that we’re not giving the adversary an opportunity to attack.

Matt Winn 
Only as strong as your weakest point. And that brings up a whole other conversation — maybe season three, we can cover those points around convergence of technologies, but also collaboration with those who manage and own those technologies.

Production team, let's take a note for season three episode. We'd love to have you all back for that. Now that we've introduced what PKI is, why it matters, what it does, some of the pain points and how automation is saving that, let's look further into the future, right? We have this name, PKI, from the 1980s. Let's fast forward ten plus years. What's on the horizon for this type of technology and what excites you? What does the future look like to you? And Vish, I'll start with you. 

Vish Patel 
One of the things that we know are on the minds of our customers and our partners like Venafi is our ability to make sure that the security benefits that we have enjoyed with PKI continue to be there.

And one of the threats is, frankly, with quantum computing, the ability to find weaknesses and break some of the algorithms is getting easier (although easier is a relative term). But, easier. And therefore there is a lot of focus on trying to make PKI quantum computing resistant, right? So that means stronger algorithms with the ability to protect the private and the public pieces that Kevin was talking about, because that's critical in keeping using the technology.

That's really the portion I see in the next ten years is having a lot of focus, a lot of new ways to maybe address the same problems we’ve had. And really, all of the things we talked about will play into our ability to react — which is automation and agility and all the lifecycle management that we talked about.

Matt Winn
Interesting. Kevin?

Kevin Bocek 
So one of the things that's really cool, if you look back, I mean … the technology that we're using now was developed in the 1970s, so Diffie-Hellman, many would know, came out of the seventies, the work that the Rivest-Shamir-Adleman (RSA) team put together in bringing forth the algorithm now that we use, all from the seventies and eighties. One thing is all of that technology is actually only more and more important to the future.

So as we think about moving to more cloud services, we think about things like edge computing or IoT literally putting things out into the world, whether cloud or IoT or edge that might live for 5 milliseconds or might live for 50 years. All of that relies on this technology that we built saying, Hey, can something that we know … can we authenticate it? Do we know it belongs or not? 

For me, it's all the new ways that we're using this technology, PKI, which now we think especially a lot about machine identity — things like digital certificates, new types like SPIFFE identities, chat tokens, all that — rely on this technology as we put more and more out into the ether and we know whether it's good or bad, friend or foe.

I mean, hey, the only way I know Vish's cloud from my cloud is when it comes down to pick out the only way that Amazon knows it's mine or theirs. And it comes down to this technology — digital certificates, machine identities. So it's only getting more and more exciting out to the future. So yeah, let's come back next year and see what's changed.

Matt Winn 
Very exciting indeed. So another bonus question for both of you because that's super interesting. All of it's been interesting, but that to my mind brings a question of sustainability and scalability. Going back to the “I” — with the proliferation of everything digital — is the infrastructure sustainable in its current form? 

Kevin Bocek 
It is — the secret that we talked about. The secret sauce, of course, is the automation that is driving that faster and faster ability to be able to make changes. Whether I need to make a change because of post-quantum cryptography, whether Google or Apple or someone else decides we need to go from 90-day certificates down to 30-day certificates, or whether because we've been breached, which we've seen, we've got that automation to be able to make a change and — really, really important — this is something that people forget: that we know that we've made the change correctly.

That's something that we oftentimes forget about. We do super cool things, but actually, then, did it work, right? And if not, then how can we make it? And of course, how can we fix it without sending a whole bunch of people out to try to fix it? So yes, especially today, the “I” in infrastructure is very much about automation.

I think I'd say that we can't forget about security because if we're not protecting these systems/services where they run in the cloud — or if sometimes we have them in mountains hidden — if we're not protecting that … because literally everything in our digital world we know as good or bad, friend or foe, stems out of this for not protecting that. Yeah, then it's a really, really bad day on the stock market and the economy and we'll be getting onto your social media app as well. 

Matt Winn
It's a situation. Vish, anything you want to add?

Vish Patel
In addition to what Kevin mentioned, the other thing is scalability and the ability to handle the volumes — and having the service when you need it.

I mean, because it's so pervasive, right, in just about everything that we do in terms of the logical access and the network, you have to make sure that the “I” is sturdy enough to handle all of that. And we know that the industry has over the years started to, as you say, use them a lot more and more (cloud services) in addition to kind of having data centers.

So it's more of a hybrid model, but that model allows us to still maintain security at a specific level that we want, and yet have the scalability to handle all of the different volumes and response times and things like that that are key in order to be successful at this. Because if it's not available when you need it, it won't work.

Matt Winn
What's the point? Very good. Okay, so let's wrap things up and put things into context. Vish, we’ll have you go first, as we always do at the end of these episodes, we have to answer the burning question — it really is kind of the summary of it, right? So, PKI: What did these three letters mean for Internet security?

Vish Patel
Yeah, it means quite a bit, from my perspective. It means that ability for somebody who's using the Internet to have, for lack of a better word, trust in knowing where they're interacting (with what website), if they are, let's say, approving a payment … did it actually, was it from the right source, going to the right destination?

So, to me, it really does mean the ability for us to do things online at the time that we want to do it, and in a secure manner that we can actually trust that it's going to execute the way we think it is. 

Matt Winn 
It's still about people. It's still about people. Kevin, same to you. Burning question: What does PKI mean for Internet security? 

Kevin Bocek
Yeah, what it means is that cloud service, is that device good or bad, friend or foe? We feel that each and every day when we log onto our web browser on our phone, on our computer, we see that little padlock glow — that is PKI, that is machine identity, that is digital certificates at work saying, yep, that service that lives out there in the cloud really is who it says it is.

And that's what it comes down to — it’s … does it belong? Is it good? Is it friend or foe? And we're going to be only using only more and more of it as we move to more cloud services, edge and IoT. And that's one of the things in our partnership between HID, our customers are looking to us as the experts to provide that, and they're looking for us together to provide that as a service.

So as a dial to that, they can plug in their engineering platform team, so all those collapse — all those amazing new capabilities that they're building with machine learning, artificial intelligence — all of those are going to know the good or bad, friend or foe. So when that large language model calls an API, which makes something bedazzling on your mobile phone, yeah, it's always … that is PKI. That's a machine identity at work.

Matt Winn
The journey continues. Very cool. Well, gentlemen, thank you both very much for joining us, and especially for flying in. I know it's still relatively somewhat morning, so there's time to get your breakfast tacos while you're in Austin. But all joking aside, really, thank you both for coming in, of course, for sharing your expertise and perspective on this topic. Really, really appreciate it, as always. 

Even bigger thanks to you, our listeners, for joining us for this episode. We truly do enjoy creating this podcast and hope that you equally enjoy listening. And of course, we'll be back very soon with yet another episode covering yet another topic shaping the security and identity industry. 

So on that note, to be the first to know when new episodes are published, be sure to subscribe to HID Connects. Doing so will ensure that you stay connected. And, of course, you can subscribe wherever you get your podcasts. And while you're there, be sure to rate and review this podcast. Ideally, positive reviews, but all feedback is welcome, and while you're there, make sure you subscribe to us on YouTube so you can watch the video version of this as well, and check us out on our social channels.

And in the spirit of connection, we always want to hear your questions and topic ideas for future episodes. Just drop me a line at [email protected]. So until next time, thanks again for listening. May your identities forever be secure.