Digital Certificates

Spotlight: Automation Beckons as DevOps, IoT Drive PKI Explosion

In this Spotlight edition of the podcast, we’re joined by Brian Trzupek, the Senior Vice President of Product at DigiCert. Brian and I take a look at the findings of a recent State of PKI Automation survey and the challenges organizations face as they look to manage a fast-growing population of tens of thousands of PKI certificates.

As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google Podcasts, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.


Twenty years ago, Public Key Infrastructure, or PKI, had a pretty limited remit. Its first applications were securing email and physical access systems in security conscious environments like the military, intelligence community and government. With the explosion of the Internet, PKI became a foundational technology for securing web traffic and authenticating users to applications via technologies like SSL and TLS.

Brian Trzupek is SVP of Products at DigiCert

Since then, both the scale and applications of PKI have transformed. Today, PKI and digital certificates are used to sign and secure electronic documents and – increasingly – to secure communications and interactions between billions of connected devices on the Internet of Things. Moreover, as digital transformation and DevOps have taken hold within the enterprise, the demand for PKI to secure critical development and production infrastructure has exploded.

Survey: 50,000 Certs on Average

In fact, a recent survey of PKI use in 400 enterprises worldwide found that the typical enterprise is managing more than 50,000 digital certificates, with most dedicated to securing users, servers, web applications, email and mobile devices. That’s a 43% jump year over year, according to the survey.

Not surprisingly, IT managers are feeling overwhelmed by the sudden growth in the population of certificates. 61% of those surveyed said they were concerned about the time required to manage certificates in their environment, while 47% reported having encountered “rogue” (or unmanaged) certificates. 

Automation to the Rescue

What explains the explosive growth of digital certificates? And what can organizations do to get on top of the job of managing their fast-growing PKI certificate population? To answer those questions, we invited Brian Trzupek, the Senior Vice President of Products at DigiCert, back into the Security Ledger studios. (You can check out our conversation on supply chain security in episode 216!)

In this conversation, Brian and I talk about the findings of DigiCert’s recent State of PKI Automation Survey and the various ways that digital certificate use is proliferating within enterprises. We also talk about the dangers that lax certificate management courts, especially as the lifespan of digital certificates shortens and the scale of digital certificate deployments grows. Brian notes that organizations are increasingly looking to automate certificate management to reduce the strain on IT staff and to prevent disruptions linked to certificate expirations.



Episode Transcript

[START OF RECORDING]

PAUL: This Spotlight edition of the Security Ledger podcast is sponsored by DigiCert. DigiCert is the world’s premier high assurance digital certificate provider, simplifying SSL, TLS and PKI, and providing identity authentication and encryption solutions for the Web and the Internet of Things. Check them out at digicert.com.

PAUL: Hello, and welcome to a Spotlight edition of The Security Ledger Podcast. I’m Paul Roberts, Editor In Chief at The Security Ledger. In this episode of the podcast:

BRIAN: We see this pull into things like DevOps, right? This dynamic infrastructure that is also server-based but can grow and shrink as capacity happens. And we see a lot of IoT. There’s enterprise identity and access management application servers behind these things. There’s a lot of document signing stuff going on, the need for digital document workflows and legally attestable ones with signatures, especially in Europe. So all of these things have pulled on PKI and required a lot more of these digital certificates to protect all of the surface area.

PAUL: 20 years ago, Public Key Infrastructure, or PKI, had a pretty limited remit. It was initially used in security conscious environments like the military, the intelligence community, and government to secure email communications or to authenticate users to applications. Since then, however, both the scale and applications of PKI have exploded. Today, PKI certificates are used to sign and secure electronic documents and online transactions and increasingly, to secure communications between connected devices on the Internet of Things. Moreover, as digital transformation and DevOps have taken hold within the enterprise, the demand for PKI to secure critical development and production infrastructure has exploded. In fact, a recent survey of PKI use at 400 organizations globally found that the typical enterprise is managing more than 50,000 digital certificates, with most dedicated to securing users, servers, web applications, email and mobile devices. That’s a 43% jump year over year, according to the survey. Not surprisingly, IT managers are feeling overwhelmed by the sudden growth in the population of certificates within their organizations. 61% of those surveyed said that they were concerned about the time required to manage PKI certificates in their environment, while 47% reported having encountered rogue or unmanaged certificates. What explains the massive growth in the use of digital certificates and what can organizations do to manage the fast growing population of PKI certificates? To answer those questions, we invited Brian Trzupek, the Senior Vice President of Product at DigiCert, back into the Security Ledger Studios. In this conversation, Brian and I talk about the many findings in DigiCert’s recent State of PKI Automation survey. We talk about the dangers that lax certificate management can pose for enterprises.

BRIAN: My name is Brian Trzupek, I am the Senior Vice President of Product at DigiCert.

PAUL: Brian, welcome back to The Security Ledger Podcast.

BRIAN: Thanks for having me. I’m glad to be back.

PAUL: So we have you on the show this week to talk about some really interesting data that DigiCert has pulled together around the problem of certificate management. In particular, kind of the challenge that organizations are having with the growth in digital certificates. My first question to you is, first of all, for listeners who aren’t familiar with DigiCert, tell us what DigiCert does, and then tell us what you do at DigiCert.

BRIAN: Sure. Yeah. So DigiCert is the world leader in PKI technologies. Pretty much everything that is connected to the Internet and anything that is operating on a network relies on PKI for authentication, for integrity, for data protection. And we are the company that is the world leader in providing those technologies to solve those problems. And my role within DigiCert is I am the Senior Vice President of Product. And so all of the things that we’re doing to address the various aspects of the PKI market, whether it’s the public facing SSL certificates or automation technologies or code signing technologies, DevOps, the different places that are being used, all of those product groups kind of roll up into my organization, and we just help kind of push that whole roadmap forward for how we’re helping customers solve these problems.

PAUL: And tell us a little bit about you all put together this survey, taking a look at digital certificate management, really across industries, and tell us just a little bit about how the idea behind this came about.

BRIAN: Yeah, so it’s interesting, right? I mean, if you look at the PKI, kind of industry, it’s kind of an interesting territory out there. There’s a lot of confusion, I think as people kind of think about it and say, well, how does this work? And we are seeing some trends happen where the lifetimes of certificates are getting shorter based off industry compliance and things like that. We’re seeing them used much more frequently in a lot of kind of settings that maybe they hadn’t been used before. And so this kind of creates a problem. And we kind of wanted to go talk to customers and talk to people who aren’t customers but are in the space and say, how is this impacting you, right? And so we went and talked to 400 enterprise organizations and asked them how this is impacting their job and kind of let’s verify some of the assumptions we’ve talked about. And where are you guys actually seeing challenges? Where are you seeing successes and what’s the future look like for you? How is this going to change what you’re doing? And I think that was the nature of what we tried to do with this survey was get answers to some of that.

PAUL: So kind of top line take away from this survey you found in the survey of 400 IT managers that, on average, these enterprises were managing, and I got this number right, 50,000 digital certificates. Is that right?

BRIAN: That’s right. Yeah. They’re managing a whole lot. And I think it’s the nature of who we ask, too. Right. You’re looking in enterprise. And I think we’re seeing transformation. Heck, just kind of look at the world right now. And everything shifted to online and remote services and QR codes in restaurant. And you don’t think about it. But behind all of that stuff, and that shift to digital is a shifting security perimeter for organizations as well as more technologies to allow people to remotely access them, whatever it is. And so I think you see some growth because of that. And then the larger kind of mega trend that’s been happening of people moving their security perimeter for the organization to embrace cloud and go through cloud transformation or hybrid cloud environments that drastically increases the surface area for the things they’re deploying, the number of servers they’re running, the number of services that are happening, how things are authenticating, and all these things fundamentally rely on certificates. I think you see this growth and this concentration that’s kind of pinned to a lot of these trends and things that are happening out there.

PAUL: What types of functions are these certificates supporting? So obviously we think about digital certificates, obviously backing Web servers and Web traffic or email traffic and kind of routing identity for those types of exchanges. But when we’re talking about 50,000, obviously, many more applications, what are some of the things that are really accounting for this population, this very large population within enterprises?

BRIAN: Yeah, that is a great question. So you’re right. Like the items that you kind of listed off, that’s kind of the bread and butter we’re all used to, those certs being on servers and being used on shopping carts and all those things. But kind of growing beyond that, we see this pull into things like DevOps, right. This dynamic infrastructure that is also server based but can grow and shrink as capacity happens. And all those things. We see a lot of IoT where it’s kind of a whole other podcast, but IoT has kind of shifted in the last seven years from merely just wanting a secure connection to something or provide device identity to now want device identity, secure connection, firmware signing. Right? There’s a lot more complexity that PKI is being used in IoT itself, but then bringing back up out of IoT, there’s enterprise identity and access management, the application servers behind these things. There’s a lot of document signing stuff going on as people are embracing those. And again, back to this change with remote work, the need for digital document workflows and legally attestable ones with signatures, especially in Europe that has just mushroomed, right. That’s turned into a gigantic thing. So all of these things have pulled on PKI and required a lot more of these digital certificates to protect all of the surface area.

PAUL: You all found in your survey that what you called kind of leaders and laggards that basically there were organizations out there that were actually pretty on top of this challenge of managing certificates and others that were really struggling. Talk just a little bit about kind of what separated the leader organizations from the laggard.

BRIAN: I think Paul, the first step is realizing you have a problem, right? That’s kind of what happened here.

PAUL: We need, like, a twelve step program.

BRIAN: Yeah. Right. And there’s the folks that are in the know they understand the complexities and they understand kind of the ingress of all these certificates into their environment. They’re coming on everything right. They take an enterprise, you get a phone system, they’re coming with Certs on them. You’re getting WiFi cameras, they’re coming with Certs on them. You’re getting servers and laptops. It’s endless. This array of things coming in. And it’s funny I’ve had customers describe it to me. I love how they describe it. Where the problem of all these certs coming in and just knowing they’re coming from everywhere, but not knowing where they are. They describe as these little landmines that are just going to blow you up at some point. And you just don’t know they’re there until they blow up. Right? And so this is what I think they’re looking at. How do I get my hands around finding all of those landmines so I can understand and assess which ones do I care about? If that blows up, I am never going to care about it. But this one over here, well, that’s super important. If that blows up, we need a process around that we need some technology around that because that can never blow up. Right. And so I think there’s customers that kind of have that realization and maybe kind of feel self defeated at the same time because it is such a large problem. And then I think on the other side of it is the folks who maybe don’t see that, right. They have it. But they don’t necessarily have the view of that whole problem. And so they’re like, yeah, I think we’re doing okay. The website’s staying live, execs are happy. I think the systems are going okay until they blow up, right. I think we had something like two thirds of respondents say that they had outages related to these certificates on production systems and things like that. So I think everybody eventually learns this lesson.
But we definitely saw this thing where the companies that were more involved in the problem space and understood it felt that they were also doing worse because they had perspective of the whole problem than the organizations that maybe weren’t covering all of that. Right. And viewing that whole problem. They’re like, I think we got this under control. So it’s just a very interesting contrast.

PAUL: Yeah, and anybody who’s ever managed anything online that uses certificates probably has had the experience of forgetting about them, because most of the obviously, for the most part, they do kind of work perfectly in the background and keep everything humming until they don’t, in which case everything breaks instantly and I’ll speak from personal experience. I’ve gotten burned there, too. And it is one of those things where it’s kind of like any kind of critical infrastructure. Basically, it’s invisible to you until it stops working. In which case you realize how critical it is. One of the findings of this survey that you did of these 400 IT managers is that nearly half, which I guess would be a majority, too. But nearly half said that they in their management of their certificate population had frequently discovered what you guys referred to as rogue certificates, which sounds malicious, although they aren’t necessarily. But talk about this rogue certificate problem. What are these certificates? And in your experiences from the survey, what do we know about how they work their way into an enterprise ecosystem where, in theory, the only certificate should be managed certificates?

BRIAN: Yeah, I think that’s the point, right. You kind of have these IT organizations and the ones that are kind of more down that life cycle of management, they have a view that okay, we do have managed certificates, and we’ve got some things under control, and there’s a system for this. Even in that use case, like I was talking about just a minute ago, there’s so many ways that Certs can come into the environment with the things you’re buying, the software that you’re purchasing and loading all the different hardware that’s coming in and devices that are connected. All this stuff can bring in certificates. But not only that, there’s also these kind of rogue IT processes, if you want to think of it that way. Where, like, the marketing departments a lot will happen to stand up some promotional website, and then they also need a certificate. So they just go obtain that certificate so they can get the promotional website up and they deploy that thing. The promotion runs great. That website sits there and is doing its work. And then a year later, the cert expires, and IT never knew that that Cert was procured. They tangentially even knew that the domain existed because it was some vanity marketing domain. The point is, they’re not even maybe checking the domain. They’re maybe not checking even the resources being used to provide that maybe it’s wholly external in some service providers network. It’s not even in the corporate network, but yet this becomes a piece of their business, right? It’s providing some promotions and maybe some customer capture endpoints or something. And so this is where we see these rogue certificates come in, and there’s a lot of processes by them that brings them into that network. And then the challenge is obviously you didn’t know it’s there, right? Now you’ve got something you’re dependent on to provide some aspect of your business. 
I have no idea where that thing came from, so I’m certainly not tracking it because I didn’t even know it was there. And then it explodes and we have trouble. So I think this was the number one thing that the respondents reported as their problem. These rogue certificates, they just burn everybody.

PAUL: Are we talking about kind of the just the quick and dirty, Let’s Encrypt type certificates or not necessarily? These might be managed, but just by somebody else?

BRIAN: Yeah, it really could be anything, Paul. So you could get somebody putting some cheap cert like you’re talking about there, it could be going somebody buying a full blown cert from yet another provider that that IT organization doesn’t have a relationship with. So they don’t have anything that had happened. And maybe they don’t have the toolset and things inside their environment to find and locate all these certs. But I think that’s kind of on the publicly trusted certificate side of the equation. When you think about as we ask these respondents, how many percentage wise of certs they were managing that were publicly trusted, meaning web browsers will trust them for transactions versus private, meaning only their environment trusts them. It was just under half were the private certificates. So their problem is also kind of of their own making, right. They have these private certificates. And what’s interesting is with those private certificates, they deploy those out. Maybe they have a Microsoft CA running internally or EJBCA or something that’s connected to some service, but oftentimes especially in the DevOps kind of category, you’ll be signing payloads of servers to make sure that they have integrity as they run. They haven’t remained unchanged as they’re operating. You’ll be signing authentication connections with PKI between those servers and those payloads as you’re deploying them out into Kubernetes or something. And those are all private certificates, and they’re very functional, and they keep that environment secure for them. But those go out too. They expire at some point too. And so when you look at it this way, the whole problem is, well, let’s manage all the things that I buy or are purchased for public trust. Let’s manage all the things that come in on the back end that I’m introducing that are used in a private trust model. 
And then all the things that come in with all the devices and all the software from everywhere else that can be a mix and match of the two things. So the scope of it is pretty interesting.

PAUL: You’re listening to a Spotlight edition of the Security Ledger podcast. This podcast is sponsored by DigiCert.

PAUL: Yeah, I think this dynamic exists in so many different contexts, which is that you have many people within your organization who are not kind of read in on the PKI or certificate management problem. They’re really just whether it’s marketing or some other department, application development, just trying to get their job done, and they kind of don’t see the big picture of risk, whether it’s business disruption or something else around PKI certificate populations, right. That’s just not part of their job description. Automation is one way to take them out of that loop in some ways, and also get rid of the downside of loose certificate management. When we’re talking about PKI automation, certificate automation, what are we talking about exactly as apart from what organizations or what many organizations do now to manage your certificates?

BRIAN: As we talk to customers as we look at what the problem space is, there’s a lot of components to it to really do it. It’s not like you can just say, hey, let’s automate the request of that certificate, or let’s automate the installation of that certificate onto a device. That’s great. That’s good. But when you listen to the problems like rogue certificates, and we got private and public and ingress of all these other devices on my network, it’s larger than just automating things and connecting them to be deployed and update. Right. It’s the first step is finding them. I need an inventory of these things. What is inside of the places I care about, identify the properties, the IP addresses, the domain names, the clusters out in Azure or whatever. Identify all the places you care about what is there and that’s kind of the server based stuff, right. Because then there’s this other dimension Paul, that I’m in enterprise, what’s on my user’s laptops, like have I provisioned certs through Active Directory that is now being used on those laptops to connect to WiFi or VPN or all these other use cases? Those are going to expire, too. I need this ability to see all these things in all these different places within my network and within my user base that is on my network. And now I kind of have that map, right. And I can understand, okay. Here’s when things are going to be expiring. Here’s what’s out there. Here’s the field of stuff. Here’s some user certificates, some private certificates, public certificates, IoT certificates. Here are all these things. Now I can start to implement policy as an organization and say, well, what do I want to do with these? Well, there’s this class of things that I’ll never care about, so just hide them. I don’t want to ever worry about those again. Quit cluttering my dashboard, right? And then there’s this class of things where it’s like, no, that is our four most prized services in the company.
If those things ever went down, we’re talking people are losing jobs. So, let’s go talk about those, right? And so you have this prioritization in these organizations once they have the data to figure out where are the highest risk areas, right. And risk being assessed by how they assess risk in their organization. But they start kind of coming down and saying, okay, well, let’s get some processes in place because there’s other things related to that service besides the certificate that they probably care about, too, as a high risk process. Let’s associate this with that. And then they can start to look at it and say, okay, well, let’s get automation in place around the notifications. And let’s get those things into our ITSM systems or into the places where we’re going to handle enterprise change management. And when they’re in there now, maybe this is an automated thing where the change window opens and let’s go generate those keys. Let’s go create those certificates, request them from a CA, wherever that is, and install it onto the device, test it and make sure that it works and close that ticket. But ultimately, that’s kind of what they’re looking at for automation is just being able to discover, manage that inventory, get some notification about this thing, and then automate the process of renewing that or requesting that and configuring that and testing that server to see that it works.

PAUL: One of the things your survey raises the need to really do that in a centralized way that many of the companies that you surveyed had multiple departments that were trying to manage certificates separate from each other, maybe just within their area of purview. But there was no corporate wide or organization wide certificate management process. And I guess the implication of that is there probably should be.

BRIAN: Yeah, it’s interesting. I think it was like one third of the customers had three or more departments managers. Right. And what’s interesting about that is if there’s any enterprise customers that are listening right now. I love you folks, but this is the things I hear from them is, hey, we’re the PKI group, and we manage all the certificates centrally as the customer, right? And then as you’re doing some discovery with them or inventory assets, and they’re like, where did these come from? I thought you said you were managing them all. No, we don’t know where these came from, who did this? And where are they coming from? There’s this other group over here, and they’re managing this universe of certificates. And oftentimes these days, it’s related to DevOps. That seems to be the bad guys these days. They’re doing all kinds of things on their own. And then the two groups talk, and it’s this kind of turf war, right where it’s like, no, we’re supposed to manage the certs, but, hey, we’re DevOps and we want to move quick. We want to manage our certs, and you kind of have the Sharks and the Jets thing go on and they figure it out. But that’s kind of the nature of what we see is there is confusion there’s not necessarily, even when they think there’s a centralized resources, maybe not a centralized resource.

PAUL: So we’ve talked about some of the consequences of poor certificate management or unsuccessful certificate management, namely, downtime, disruptions, and productivity, reputational harm and angry customers. That type of stuff. Obviously, we know that the bad guys also target certificates. They use them to sign malicious code or to impersonate companies as part of cyber attacks. Is that part of the risk landscape as well for loose certificate management that some of these certificates may find their way into the wrong hands?

BRIAN: Yeah, that’s an interesting conversation. I think the short version is generally speaking from the publicly trusted certificate side of the house, there’s validation procedures, there’s authentication procedures, there’s stuff in places, depending on the type of certificate. Certainly, like an EV certificate is going to have the most strict validation, verifying people’s employment, copyrights and legal things about the company. That would be an extremely hard vector for somebody to exploit. And as you get down to kind of like the lower end where you’re talking, maybe like a Let’s Encrypt. There’s still a validation mechanism there. It’s doing domain based validation to ensure that that server can request it. But who actually has ownership of that server? If I hacked to that server and then I can request a certificate, I can still get it right. So I think there’s some of those things. But there have been some notable attacks in the past where gaining access to private certificates or, more importantly, the keys for those certificates being used for authentication or being used for mutual authentication between servers. When I said authentication the first time, like authentication into a network versus machine to machine. But when you’re doing those things, obtaining that key and or certificate that can provide a real challenge. Right. So I think when you’re talking about PKI automation and you’re talking about the scope of the problem, that’s the other thing is key protection, that’s a layer of this problem that I think some of those customers that are on the leading edge, especially, like in the financial services world, they really understand key protections. They’ve got HSM hardware security modules all over the place. They’re protecting keys very securely, and that is going to mitigate those kinds of risks. And that’s what I think it comes down to is like, what’s the risk of the asset you’re trying to protect?
And then what do you want to do to protect it? Obviously, in financial services, you have an API out there that’s going to be doing billions of dollars in transactions. You probably want to protect that certificate with everything you possibly can. If you’re running a public website and it’s giving MLB Sports scores, but it has to have SSL on it. It’s probably not the same risk factor.

PAUL: So, Brian, one of the findings of the survey was that enterprises manage a third more public certificates managed by public certificate authorities, like DigiCert than private certificates. Are there meaningful differences between how companies should be securing public versus private certificates?

BRIAN: What we did in the research here didn’t get that granular to answer that. But from my observations, being in this industry for 20 years is that customers have various ways of managing these technologies and looking at both ends of the equation. If you look at the public certificate kind of path, there’s that validation aspect, and the purpose of validation is to provide some assurance that the organization or individual requesting that certificate is who they say they are, has the authority to do that, owns the asset they’re trying to get that certificate on, and then you give it to them. That means there’s some work to do. It’s not just an automated issuance certificate. It’s one of the things that I think DigiCert has done a uniquely good job out there in the market on is where we do provide automation. We also allow the customers to obtain certificates of that high quality, but we do clever things where we will cache off some of that authentication. We’ll allow them to prevalidate portions of it. So when they actually need the certificate in real time for that thing that’s happening at that moment, they can get it in near real time. They don’t have to wait for that whole validation process, which can go off the rails sometimes because there’s humans involved, and there’s different things that happen. And so I think there’s stuff that happens like that where we can help customers be able to obtain things quickly but still have high assurance and high security. And then you kind of go down to maybe like the Let’s Encrypt side of it. I think when you’re a smaller organization, I’m a mom and pop shop, and I’ve got a single web resource that might be a viable solution for me.
But the challenges come in just as you start growing as a company, what we see and the most common complaint we hear about specifically ACME, not to pick on Let’s Encrypt, but just ACME as a protocol for requesting those certificates is the enterprises don’t want to have let’s say they got 10,000 servers, right? It’d be great. Go put certbot on 10,000 servers and have them take care of themselves. Enterprises don’t want that because they don’t want to open 10,000 holes in their firewalls on those servers for certbot to reach out 10,000 times. They also don’t want those things unattended changing themselves, perhaps during a production window or something and having any risk of going down where they’re not monitoring and managing that. That’s a very scary thing for an enterprise. Right? So it almost makes that an unusable solution in their context. And so when it comes down to is you actually need kind of more configurable automation that is more dynamic and can sit in the context of behind a firewall and allowing a lot of things to automate through a central point that is communicating externally that they can monitor and manage and now have one hole in the firewall instead of 10,000. And so I think there are interesting things that we see like that that on the surface, you’d say sure, that’s a great solution. But when you think about the practicality of doing that in an enterprise within change management, change windows, testing, and all the things that you have to do, it’s not great. And then from the attack surface management perspective, having that many holes in your firewall also not awesome.

PAUL: Okay. Final question, even though it’s kind of two questions bundled in one. But obviously the survey is the state of PKI automation. So I guess what is the state of PKI automation, as you guys see it? And for organizations out there that might be saying they raise a really good point about digital certificates, and we probably need to automate, what are some initial steps that they can take to get on that path?

BRIAN: Yeah, I think the state of automation is advancing quickly. We’ve seen on the publicly trusted side certificate durations moving downward in terms of, ten years ago, I could get a ten-year certificate and put it on my network and not think about it. Now I can get a one-year certificate. It just keeps changing. It’s going to get less and less and less here. And so I think what they’re trying to do is make the certificate’s lifetime and risk related to them, from an industry perspective, kind of make them have a smaller window, and that’s good. But you need to have automation to deal with something that’s changing that frequently. I think DigiCert historically has had some good solutions for the user certificate management and automation of distribution and configuration and doing the things that happen there for end users and desktops and devices. And that’s been an interesting spot. But we’re seeing that really spark up and get competitive out there as well, too, which is great, I think, for the whole industry, that people are focusing on that aspect now. And then DevOps is kind of a third big bucket that continues to grow kind of unbounded. Right? And there’s all these different things happening with, well, how do we manage that? And in DevOps, the challenge kind of switches to that key management as a primary and a secondary of the cert management there because of the nature of how you’re deploying in some cloud somewhere. And so I think that’s what we see, that this continues to increase in importance. And as we talked to people in the survey, they were saying that they’re looking at management solutions within the next six to twelve months to start chipping away and figuring out these problems and getting a hand on it. And I think that’s what we’re really looking at as a company is we’ve got many automation solutions. We’ve already talked about user certificate space, IoT, a publicly trusted SSL. We’re actually deepening this automation now, right.
And we’re working in technologies here to make it easier for people to solve some of the challenges that we’ve talked through here and really kind of tie that together and just give them the ability to come here to DigiCert, manage all of these certificates, whether they’ve been issued by DigiCert or not. Right? All those different rogue certs and things that find their way into the network. Let’s get them all where you can see them. And that’s what we’re trying to do is help customers really get to the bottom of that problem because the problem isn’t shrinking. It’s only continuing to expand.

PAUL: Brian, are we ever going to get to a point where we have fully automated PKI management where the humans drop out and it’s all managed by software?

BRIAN: Yeah, that is just such a good question. I think there’s great industry debate around that exact question. There’s different viewpoints on what’s going to happen. I think you’re going to continue to see automation play a big role here, but I think there’s always going to be a role for humans in this process.

PAUL: Yeah, well, it’s like the cashiers at the drugstore or the supermarket, right? It’s slow, but you can see the inexorable shift, right? Like fewer cashiers, more kiosks. But still humans, right. They’re still there, right. Brian Trzupek, thank you so much for coming out and speaking to us on the Security Ledger podcast. It was great having you on.

BRIAN: Thank you for having me. I really appreciate your time.

PAUL: We will do this again.

BRIAN: Absolutely. I’d love to.

PAUL: You’ve been listening to a Spotlight edition of the Security Ledger Podcast, sponsored by DigiCert. DigiCert is the world’s premier high assurance digital certificate provider, simplifying SSL, TLS and PKI and providing identity authentication and encryption solutions for the Web and the Internet of Things. Check them out at digicert.com.