In this Help Net Security interview, Deepika Chauhan, CPO at DigiCert, talks about the importance of maintaining high trust assurance levels for businesses in today’s digital landscape.
How does DigiCert define “digital trust,” and why is it essential for businesses to maintain high trust assurance levels in today’s digital landscape?
Our world today is hyper-connected. Devices are everywhere. People are online constantly. Sensitive data has moved to the cloud. Even core operational technology is now being re-architected as connected infrastructure.
Digital trust enables us to build, participate in and grow the connected world we live in. It reduces the risk of business disruption, secures attack surfaces and improves agility, and it drives digital innovation with real-world impact. Digital trust is the foundational infrastructure that enables us to have the confidence that all the things that we now do online — whether these are interactions, transactions, or business processes — are secured and trustworthy.
A comprehensive digital trust framework has four key pillars:
Robust standards are necessary to define trust and make it interoperable. For example, you may decide to use industry-standard digital certificates to provide tamper-proof identities for all your users, devices and workloads.
Rigorous operations and compliance are necessary to establish and continuously validate that trust, leveraging a certificate authority that has proven operational maturity and stringent auditable controls.
Enterprises need to manage trust across the organization. They have thousands or millions of certificates and cryptographic assets with different validity periods deployed across a sprawling digital footprint. They need discovery, automation, notification and integration tools to manage this effectively.
Finally, enterprises need the ability to extend trust into their ecosystem and supply chain to leverage the full benefits of trusted digital transformation. This could be to their partners, supply chain and APIs.
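To make the management pillar concrete, the following Go program is an added example written for this page, not DigiCert tooling or any DigiCert API: it scans a PEM bundle of certificates with different validity periods and flags those already expired or expiring inside a warning window, the kind of discovery and notification check a certificate inventory needs. The bundle is constructed inside the program from self-signed test certificates (host names under example.test, chosen here for illustration) so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the inventory report.
type Finding struct {
	Subject  string
	NotAfter time.Time
	Status   string // "expired", "expiring" (inside the warning window) or "ok"
}

// ScanPEMBundle walks every CERTIFICATE block in a PEM bundle and classifies it
// against the reference time and warning window. Other block types (keys, CSRs)
// are skipped; a malformed certificate aborts the scan rather than being ignored.
func ScanPEMBundle(bundle []byte, now time.Time, warn time.Duration) ([]Finding, error) {
	var findings []Finding
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		f := Finding{Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter}
		switch {
		case !now.Before(cert.NotAfter):
			f.Status = "expired"
		case now.Add(warn).After(cert.NotAfter):
			f.Status = "expiring"
		default:
			f.Status = "ok"
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// selfSigned mints a constructed self-signed test certificate; it is not a certificate from any real CA.
func selfSigned(serial int64, cn string, notBefore time.Time, validity time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle builds a constructed inventory of three certificates relative to now:
// one expired three days ago, one with ten days left, one with about a year left.
func SampleBundle(now time.Time) ([]byte, error) {
	specs := []struct {
		cn    string
		start time.Time
		valid time.Duration
	}{
		{"api.example.test", now.Add(-400 * 24 * time.Hour), 397 * 24 * time.Hour},
		{"device-001.example.test", now.Add(-80 * 24 * time.Hour), 90 * 24 * time.Hour},
		{"workload.example.test", now.Add(-24 * time.Hour), 365 * 24 * time.Hour},
	}
	var bundle []byte
	for i, s := range specs {
		p, err := selfSigned(int64(i+1), s.cn, s.start, s.valid)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	now := time.Now().UTC()
	bundle, err := SampleBundle(now)
	if err != nil {
		panic(err)
	}
	findings, err := ScanPEMBundle(bundle, now, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-26s notAfter=%s %s\n", f.Subject, f.NotAfter.Format("2006-01-02"), f.Status)
	}
}
```

The warning window (30 days here) is the knob a notification tool exposes; in a real inventory the bundle would come from discovery of endpoints and key stores rather than from SampleBundle, and the "expiring" rows would feed the automation that requests renewals.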
We’re eager to learn about your latest collaboration with Oracle. Can you share the exciting details of this announcement?
We’ve announced a partnership with Oracle Cloud Infrastructure that will add native availability of DigiCert ONE on OCI, bringing together OCI’s secure, scalable cloud infrastructure with the best-in-class benefits of DigiCert’s digital trust portfolio. Because of the cloud-native architecture of DigiCert ONE, it provides fast time to value with simple deployment so that customers can protect all of their digital assets in the cloud.
With DigiCert ONE, customers can secure users, devices, servers, documents, software and more with a unified architecture that centralizes management of digital trust initiatives. DigiCert ONE is a modern, multi-tenant, cloud-native SaaS platform, with the flexibility to be deployed in customers’ private cloud or on premises, if required.
OCI provides a cloud infrastructure with built-in, always-on security that delivers compliance with rigorous security protocols and operations. It also delivers high performance and reliability with simplified, transparent pricing and flexible options to help customers meet their unique business needs, whether on-premises, in the public cloud, using multiple cloud vendors or a combination.
PKI and digital certificates are common approaches to achieving digital trust. Can you explain the role of PKI in securing the digital landscape, particularly in the context of the Global 2000?
Public Key Infrastructure (PKI) plays a crucial role in securing the digital landscape by providing a secure method for exchanging information and verifying the identities of parties involved in digital transactions. From the bottom of the ocean to the edge of space, PKI establishes digital trust.
PKI is used to establish trust between parties in digital communication, authenticating the identity of users, devices and workflows, while ensuring that data transmitted between them is protected against eavesdropping, tampering and forgery. This is achieved through the use of digital certificates that contain cryptographic keys that are used to encrypt and sign messages.
For the largest and most influential companies in the world comprising the Global 2000, centralized PKI management is particularly important. These companies handle vast amounts of sensitive data, including financial information, personal data and intellectual property. Centralized PKI management helps ensure that this data is protected from theft or unauthorized access, minimizing the risk of financial losses, reputational damage and legal liabilities.
At DigiCert, our roots are in PKI and digital certificates. We provide the foundational infrastructure for organizations and individuals to have confidence when doing anything online. Another way to look at it is to think of DigiCert as the invisible plumbing of the internet. A common misconception is that PKI is just used for Web security; however, the reality is PKI is a perfect component for a much broader digital ecosystem, including users, devices, content in various forms, legally binding document signatures, and the software that runs in every digital application.
DigiCert customers are using PKI to achieve digital trust for a wide variety of use cases. These include securing connected medical devices for improved patient care, improving user trust in election data, protecting collection and analysis of device telemetry for improved retail operations, and automating user and device authentication to corporate IT services. For example, if you live in Europe and have a smart TV, it is secured by DigiCert.
We’ve seen a steady stream of attacks recently on the software supply chain, raising the need for digital trust. What are some of the most common vulnerabilities that arise from poor code signing processes, and how does DigiCert address these issues?
Modern software development processes, like DevOps, are highly automated. An engineer clicks a button that triggers a sequence of complicated, but automated, steps. If a part of this sequence (e.g., code signing) is manual then there is a likelihood that the step may be missed because everything else is automated.
Mistakes like using the wrong certificate or the wrong command line options can happen. However, the biggest danger is often that the developer will store private code signing keys in a convenient location (like their laptop or build server) instead of a secure location.
Key theft, misused keys, server breaches, and other insecure processes can permit code with malware to be signed and distributed as trusted software. Companies need a secure, enterprise-level code signing solution that integrates with the CI/CD pipeline and automated DevOps workflows but also provides key protection and code signing policy enforcement.
DigiCert addresses these issues with its secure SaaS platform, DigiCert Software Trust Manager, which uses advanced security controls and techniques to restrict access to private code signing keys to authorized signers. Software Trust Manager stores signing keys in a secure offline location when they are not being used, protecting them from theft or misuse. It provides comprehensive auditing and reporting capabilities, which allows organizations to track and monitor code signing activities in real time. This helps to identify any potential threats or issues, enabling proactive response and mitigation.
Software Trust Manager targets the manual key management problem to ensure secure code signing at every stage of the software build process for a trusted DevSecOps experience across the organization.
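The answer above describes the pattern in words: signing as an automated pipeline step, private keys kept off laptops and build servers, policy that limits who may request a signature, and an audit trail. The following Go program is an added example written for this page; it is not DigiCert Software Trust Manager code and uses no DigiCert API. It models the pattern with a hypothetical in-process signing service that holds an Ed25519 key, an allow-list of signer identities and an audit log, plus a pipeline client that submits only the artifact's SHA-256 digest. Raw Ed25519 stands in for the X.509 certificate chains real code signing uses; the signer names and artifact bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuditEntry records one signing request, whether granted or refused.
type AuditEntry struct {
	When   time.Time
	Signer string
	Digest string
	OK     bool
	Reason string
}

// SigningService stands in for a central code signing service (hypothetical design,
// not a DigiCert product). The private key is generated and held here only; build
// servers and developer machines never receive it.
type SigningService struct {
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
	allowed map[string]bool // identities permitted to request signatures
	Audit   []AuditEntry
}

// NewSigningService generates a fresh key pair and installs the signer policy.
func NewSigningService(allowedSigners []string) (*SigningService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s := &SigningService{priv: priv, pub: pub, allowed: map[string]bool{}}
	for _, id := range allowedSigners {
		s.allowed[id] = true
	}
	return s, nil
}

// PublicKey is what installers and runtimes pin to verify signatures.
func (s *SigningService) PublicKey() ed25519.PublicKey { return s.pub }

// Sign enforces policy, signs the SHA-256 digest, and appends an audit entry
// whether or not the request was granted.
func (s *SigningService) Sign(signer string, digest []byte) ([]byte, error) {
	entry := AuditEntry{When: time.Now().UTC(), Signer: signer, Digest: hex.EncodeToString(digest)}
	defer func() { s.Audit = append(s.Audit, entry) }()

	if !s.allowed[signer] {
		entry.Reason = "signer not authorized by policy"
		return nil, errors.New(entry.Reason)
	}
	if len(digest) != sha256.Size {
		entry.Reason = "request must carry a SHA-256 digest"
		return nil, errors.New(entry.Reason)
	}
	entry.OK = true
	return ed25519.Sign(s.priv, digest), nil
}

// SignArtifact is the pipeline side: the build server hashes the artifact and
// sends only the digest, so the private key never leaves the service.
func SignArtifact(svc *SigningService, signer string, artifact []byte) ([]byte, error) {
	d := sha256.Sum256(artifact)
	return svc.Sign(signer, d[:])
}

// VerifyArtifact is what a consumer does before trusting the code.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	svc, err := NewSigningService([]string{"ci-release-pipeline"})
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed sample build artifact v1.2.3") // constructed input

	sig, err := SignArtifact(svc, "ci-release-pipeline", artifact)
	if err != nil {
		panic(err)
	}
	fmt.Println("release signature valid:", VerifyArtifact(svc.PublicKey(), artifact, sig))

	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0xff
	fmt.Println("tampered artifact valid:", VerifyArtifact(svc.PublicKey(), tampered, sig))

	_, err = SignArtifact(svc, "dev-laptop", artifact)
	fmt.Println("unauthorized signer:", err)

	for _, e := range svc.Audit {
		fmt.Printf("%s signer=%s ok=%t %s\n", e.When.Format(time.RFC3339), e.Signer, e.OK, e.Reason)
	}
}
```

Two properties matter more than the cryptography itself: the build server's code path (SignArtifact) has no way to reach the private key, and every refusal lands in the audit log alongside every success, which is what lets a team spot a compromised identity hammering the service. In production the service boundary would be a network call and the key would sit in an HSM or equivalent, with the same policy and audit logic in front of it.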
With the rise of remote work and digital business processes, how has the demand for signature trust in electronic document signing workflows evolved, and what steps has DigiCert taken to meet these growing needs?
Digital transformation and remote work have increased the need for digital communications and transactions, and individuals, teams and organizations have increasingly looked to digital document signing. In fact, most documents today are signed electronically, and legally binding digital signatures for transactions are of particularly strong interest within the EU, where they have the attention of regulators, who require high levels of assurance of the identity of the signer. The EU’s electronic identification and trust services (eIDAS) regulation has very specific requirements for digital signatures to be accepted and held up in a court of law. DigiCert provides various options as an EU-Trusted Services Provider to help customers. We see similar movements in Japan and other countries to require higher levels of assurance on digital signatures.
Recently, our solution helped a large Asian country improve trust in its national elections. We implemented remote identity validation of the poll workers, who were then able to cryptographically sign the ballot results and upload them securely to the cloud. This improved the speed of the count, which was also tamper-resistant.
DigiCert Document Trust Manager enables organizations and leading e-signature workflow solutions to obtain trusted, compliant digital signatures that deliver more flexible signing and sealing experiences across a wide range of use cases.
In the rapidly evolving digital landscape, how does DigiCert stay at the forefront of innovation and continue to provide cutting-edge solutions to ensure digital trust?
DigiCert actively participates in and drives many digital trust standards. We lead many efforts and regularly create requirements for the CA/Browser Forum. We played an important role in the Connectivity Standards Alliance’s release of Matter 1.0 (and we were the first Root CA for Matter), we are defining standards for electric vehicles, the financial industry and EU trust, we’re involved in post-quantum cryptography initiatives, and much more. With those standards in place, we have a very rigorous compliance program, with 25+ audits every year to make sure that not only are we meeting the baseline requirements, but that we are setting the industry benchmark for how you should be compliant and secure against some of these controls.
Our service is available globally, and we have customers in more than 180 countries. Our support is world class, with a Net Promoter Score (NPS) for support in the mid-to-high 70s. The average NPS for SaaS companies is around 40. We have a 24/7/365 follow-the-sun delivery model, and so, combined with great standards and great support, we have a platform that can extend to every industry, country and use case.
DigiCert’s investment in standards, compliance and operations sets the benchmark for a comprehensive approach to defining and establishing digital trust. We build all of this work into our DigiCert ONE solution, the platform for managing digital trust. We also provide technology to extend trust into rapidly growing ecosystems such as supply chains for software and devices, post-quantum cryptography, content integrity and more.