Podcast May 24, 2023

Root Causes 305: The Fifth Pillar of Certificate Lifecycle Management

In our episode 143 we introduced the Four Pillars of Certificate Lifecycle Management. Now, two years later, we introduce a fifth pillar of CLM.

  • Original Broadcast Date: May 24, 2023

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    We’re going to start with a little trip back in time. In our Episode 143, we introduced a concept, which at the time we called “The Four Pillars of Certificate Automation.” And those were, just as a reminder for everybody: Discovery – finding certificates and bringing them into the system and knowing what they are; deployment or provisioning – getting the certificate, ordering it and deploying it out in the world; revoke and replace – sometimes called Lifecycle Management, where you do the other things that you have to do with your certificates to keep them current and refreshed and secure; and then renewal – where you take your certificates that are expiring and get them renewed. And those four pillars, we’ve had a little picture in our webinars which you may have joined us on where there are four pillars, and then on the top there is a cap, a penumbra. It kind of looks like a classical building, like a classical temple or something. And that cap on the top was visibility because those pillars supported visibility but visibility also enabled the pillars.

    And so, that was a concept you and I built. We ran a bunch of webinars about it. We’ve talked about it with a lot of people. We’ve had these graphics that have floated around. They’re in assets. We’ve seen other people take this idea, even though I’m pretty sure you and I were the first people to advance it, and we’ve seen it show up in other discussions of the CLM space by other people who aren’t Sectigo. And that’s really sort of moved into the dialog in a pretty significant way. But it has been more than two years, right? And the world changes.

  • Jason Soroko

    Absolutely it changes, and you know who’s changed is the practitioners, the people who actually do the Certificate Lifecycle Management, not out of the minds of the people who work in the CLM industry or Certificate Lifecycle Management vendor space. This is in reaction to IT administrators, people who are really on the ground doing the things, and they’ve changed some of their practices, Tim. And it’s a good thing. Because right now, in the vendor space – imagine all the different technologies you’ve got to work with now as an IT administrator.

  • Tim Callan

    Yeah.

  • Jason Soroko

    Unbelievable. I remember working in and around these kinds of folks, and it was very, very Microsoft focused. Microsoft stack of technologies, and so therefore, you typically had one log to look at if something went wrong, and you could remediate based off of, you know, just a handful of logs and you knew where to go and get them. And that was about a million years ago.

  • Tim Callan

    Oh yeah.

  • Jason Soroko

    Things have changed. There’s a lot of places to look now, and the technology stack and the vendors you’ve got to deal with, I’ve got enormous sympathy for anybody who has that hard job to do. So if you throw in something super complex like Certificate Lifecycle Management, just as a whole topic and how it’s so foundational and fundamental to identity, security and all these incredibly important topics within IT, well you want your tools to… you know you’re going to be dealing with a lot of different vendors, but you want all those tools from all those vendors to be their messaging and their logs and remediation steps and essentially all the different workflows of, how do I react to things when things are happening? How do I know when things are happening? How do I audit when events occur, whether they’re human done or machine done? Well, a lot of systems today now have techniques and APIs and tools and UIs and all kinds of things that enable this form of IT workflow automation.

  • Tim Callan

    Right.

  • Jason Soroko

    And some of the technology stacks that are out there, that’s all they do. That’s all they do, is actually perform these – okay, an event happened so I’m going to trigger something else, right, or I’m going to fill a log or I’m simply going to send a Slack message or an MS Teams IM message to an administrator so they can react to something in real time. Certificate Lifecycle Management – it was really a little bit slow to the game. As an industry, as a set of vendors, we were very, very focused on the certificates, making sure they’re managed properly, making sure that your renewals are happening, making sure you have discovery – all those pillars you just talked about, Tim.

    And you know what, I think we’re getting another pillar - -

  • Tim Callan

    Another pillar!

  • Jason Soroko

    - - which is, you know what, we’re going to keep it real simple. Maybe we’ll come up with a flashier term, you know, but it really is all about this IT workflow automation.

  • Tim Callan

    I agree. IT workflow automation is right.

  • Jason Soroko

    I would say at least maybe two to three of the other temple pillars in the diagram that you and I talked about, they’re about automation. Renewal is about automation, and these are important things. So, this is another pillar that is a different form of automation. It’s not automating the cert, and it is also a form of integration into whatever technology stacks you have that are computer automating or automating messaging to your administrators, whether you use MS Teams or Slack or any of these other things.

  • Tim Callan

    It could be those platforms. It could be your PagerDuty. It could be your SIEM.

  • Jason Soroko

    It could be your SIEM.

  • Tim Callan

    It could be your APM solution. It could be your ITSM solution.

  • Jason Soroko

    There’s a whole pile of acronyms that we could throw out there, and I’m trying to be really - -

  • Tim Callan

    M-O-U-S-E.

  • Jason Soroko

    M-O-U-S-E. I am trying to be acronym agnostic here, and I’m doing it on purpose.

    And that’s why we used this really generic term of IT workflow automation, and that is because there’s so many forms of that that are out there. I think as the CLM industry is maturing and we are realizing we don’t exist in a vacuum; we don’t exist on an island; we exist in people’s real, real IT systems. And in fact, we are a fundamental part of it. We need to make sure that we are plugged into those kinds of central messaging units that are automating these kinds of steps, Tim, and I think it deserves its own pillar.

  • Tim Callan

    I agree with you. And let me add, I think that it is a two-way flow. Which is to say you need your CLM to drive those other systems, right? You need to, for instance, you know, you and I did an episode not that long ago about how certificates are chock full of events, and those events need to get plugged into your SIEM, right? But then, you want to drive in the other direction as well. So, for instance, I want to be able to order a cert and choose to get a cert in your, let’s say, ServiceNow, but then that actually needs to trigger the CLM and have the CLM do that work. Or I want to discover a cert. I might discover a cert using, let’s say, my APM product and then I want those discovered certs to get hooked into the CLM where they can then be part of what’s under management. And so both platforms strengthen the work that the other one does, and both platforms can take information from the other and can push information to the other that drives the behavior of the visibility or the reporting that you want to see in that other one. Do you agree?

  • Jason Soroko

    I agree, Tim. I’m thinking of revocation events. Wouldn’t it be great if, you know, something – I think it would be interesting if – it’s an interesting concept that, you know the revocation event in terms of that two-way flow. You might think that that’s very fundamental. I think there’s going to be some people out there who might not want to have such a fundamentally big event automated through some system. Because imagine if something went wrong, something was measured incorrectly. You might want to have a human being part of the check-and-balance workflow to say, hey, is this truly something that needs revoked, right?

    But again, this goes right back to what I’m saying which is, this is not the CLM vendor industry inventing that. That really depends on what works inside of your IT system; what works in your IT workflow; what is automatable; and, what needs to have a human check-and-balance? Which is in itself a form of workflow.

  • Tim Callan

    That too can be part – when you look at the holistic workflow that you need there, you’re right, some of these things can happen on their own. You can have Program 1 triggers Program 2 and the program does what it’s supposed to do, or your workflow might be Program 1 triggers Program 2, and what it’s supposed to do is put this in front of the person and say, do you want me to proceed? Yes/no. Right? And that’s fine also. Likewise, the visibility thing. You got reporting in your CLM, you got reporting in your ITSM, you got your reporting in your APM, you got reporting in your SIEM. You may want to get different reports in different places for different reasons. And that’s okay. You might like the report better here, it’s more comprehensive over there, etc. or it’s focused in on what I want over here, it’s got all those particular items that I’m looking for, and there’s no reason why all of those dashboard/reporting/search/alerting engines can’t be adjacent and simultaneously operational and they can just populate each other with correct information that the other one uses that they have. And there’s no reason why we can’t have that as well, and that would just make every one of them stronger.

  • Jason Soroko

    You got it, Tim. You know, I think it’s worth going right back to the basics and talking about some really simplistic messaging that should be triggered within CLM as well. You know, we could go on and on about the complicated stuff that can sometimes be controversial in terms of how it might be implemented or it might be just complicated because the range of technology stacks that are out there, but I think some real basic ones are, hey, with 90-day certificates coming out, Tim, we can’t fail to not talk about that topic. You know, you might have new ACME services that you’ve now implemented because of 90-day, and you might want to be notified every 60 days just by an MS Teams message or a Slack message to an administrator to say, hey, by the way, you’re ten days away, you’re five days away or hey, today’s the day that you have to make sure that that cert gets swapped out or at least do a manual double-check, the fact that everything happened okay. At the very least, I think that the 90-day problem really starts to highlight the importance of this next pillar because some of these events that you might have been, oh, let’s just wait a year and, you know, I’ll put something on my calendar, right, in a year to warn me about a renewal that has to happen. Well, with 90-day, you probably want to utilize some sort of automated IT messaging that is talking to you and informing you about what’s coming.

  • Tim Callan

    Perfect example.

  • Jason Soroko

    So, it’s something as simple as that, but I don’t think that’s any less important as some of the other complicated things that you and I just talked about.

  • Tim Callan

    And again, this could come from multiple directions. Like, there might be a reason why I prefer to have my Slack notifications coming out of my ITSM platform rather than my CLM. And that’s okay. Or vice versa. Maybe I prefer to have this category of notifications come out of my CLM, and that too is okay, right? But these are other things that administrators will be thinking about, and it would be nice if they had some control and some choice, and they could really look and say, well which of these is best and why, and make sure that they’re using it appropriately.

  • Jason Soroko

    Give you a perfect example. You might have pushed a certificate with your CLM out to your F5 load balancer, and you want your F5 load balancer to confirm it.

  • Tim Callan

    Absolutely. So we may work on the wording. This is kind of a new idea. Just like if you go all the way back to our 143, you’ll see that some of our terminology has changed, even though the fundamental concept didn’t change. Likewise, we may somewhere along the line go back to and reference this episode, roughly in the ballpark of 300 and say, well, this is what we used back then. But either way, I think this idea, IT workflow integration or IT workflow automation has definitely become a very important part of how we need to think about the CLM space.

  • Jason Soroko

    It’s all about plugging into your technology stack, and CLM needs to do it. That’s the fifth pillar.