Why you are getting it wrong with Certificate Lifecycle Management

Sometimes it’s hard to be in a space that you care about so deeply and have dedicated not only the last twenty-plus years of your life but also based your entire personal life around the creation and growth of a business. Some called me crazy for placing my entire professional career on the line to focus on something as niche as PKI. It does mean that I get to not only spend my time thinking about solving problems and helping customers but also about how things can be improved. In the cybersecurity space that sometimes means not just taking the road less traveled, but also blazing your own trail that you know is needed. That does mean that sometimes you are left waiting for others to realize the new path and the realization you can see so clearly.

A few years ago, we set out to change the way organizations operate and secure their PKIs. Tools at the time either solved the wrong problem (CLM) or consisted of paying someone else to bear your burden at an inflated price (managed PKI solutions). The issue with CLM tools is that they aren’t really PKI tools – they are tools to help automate the OUTPUT of the PKI, the end-entity certificates for devices, appliances, and users. Their reporting, workflows, and automation, while helpful to individual business systems had a massive problem – they ALL assumed the PKI was available, resilient, healthy, secure, free of vulnerabilities, and configured according to best practices. When you take a moment to look at what the CLM products are really doing it’s not hard to see that they provide no value to the PKI itself.

Now, don’t get me wrong, end-entity certificate management is an important business problem and CLM tools certainly have their place. However, modern enterprises were still left with PKI failures, vulnerabilities, failed pen-tests, and widespread business-impacting outages when their PKI components suffered issues. All this time, what did CLM vendors do? Nothing. After all, what could you do but put out the fire and ignore the issue until next time?

Well, that is where our trail blazing efforts come in. We knew this was not how organizations should be running their PKI and business-impacting outages are becoming more frequent and more costly. In addition, the risks associated with unaddressed cybersecurity vulnerabilities led to increasing risks and costs that had to be dealt with an entirely new methodology. That is where PKI Spotlight was born. Bringing Certainty to Security through an entirely new category of tools.

Since launching PKI Spotlight, we have been seeing wins when we get a chance to put PKI Spotlight in front of organizations. The ability to showcase our Patent Pending Is-Alive ™ real-time resilience monitoring, along with an industry-leading list of features to these companies immediately connects with urgent needs and security concerns they are facing. But we knew going into this new space that organizations were accustomed to living with these risks and pain points, or perhaps, falsely assumed their CLM solution was all that they needed. So, we knew it would take innovation, passion, messaging, and advocacy for them to see there is a solution to their needs.

Today, I am pleased to share that Gartner just published an update to their CLM research series titled “Effectively Manage Your Organization’s Certificates” (Document G00804504) and Gartner has for the first time added an entirely new category called “PKI Posture Management” and named PKI Solutions’ PKI Spotlight as the founding pioneer in the space.

Gartner Quote:

PKI posture management. Enterprise CAs must follow strict guidelines around certificate life cycle operations such as issuance and revocation, protection of cryptographic material, administrative processes, auditing, and change management. Third-party tools can be responsible for assessing CAs’ and hardware security modules’ (HSMs’) security posture, hygiene, and compliance with industry guidance and specific regulations. This functionality is currently emerging.

End Quote

While it is great to be recognized for creating and advancing the protections of PKI, we know there is a lot more to do to help organizations around the world. That includes continuing to share the message that CLM is not enough. Organizations should, by all means, address the end-entity lifecycle issue, but they should turn their attention to the larger, looming, more critical, and impacting issue of PKI Resilience, Security Vulnerability, Security Posture Management, and Best Practices/Governance in a real-time, automated manner. To that end, we promise we won’t stop innovating and expanding PKI Spotlight. We have a lot of future innovations coming to PKI Spotlight.