CyberNews Q&A Interview

Editor’s Note: Recently, CyberNews interviewed our own Mark B. Cooper, President and Founder of PKI Solutions, for an article about the company and PKI Spotlight, the industry’s first and only solution that provides real-time monitoring and alerting of the availability, configuration, and security of all of an organization’s PKI environments – all consolidated into one easy-to-use dashboard. Below is a transcript of the interview with CyberNews.

 

Mark Cooper, PKI Solutions: “the days of ground-up, 100% in-house solutions are long gone”

With recent global events altering the way companies approach cybersecurity, it has become clear that “company-owned” specialists and internally-built IT structures are no longer sufficient.

 

Businesses must turn to experts from the outside and seek solutions among commercial products, especially when it comes to encryption and authentication processes. But this doesn’t guarantee a bullet-proof functioning system either.

To discuss which security solutions are a must for modern organizations, Cybernews sat down with Mark B. Cooper, the President and Founder of PKI Solutions, whose revolutionary software gives companies confidence in their identity and encryption systems.

How did PKI Solutions originate? What has your journey been like so far?

PKI Solutions started eight years ago when I left my role at Microsoft, where I focused on Microsoft ADCS PKI for a decade. I’ve been known as “The PKI Guy” throughout the industry since then. My goal was to go back to consulting and spend my time working with organizations around the world on properly designing, deploying, and operating their PKI. At PKI Solutions, we have established a strong consulting services brand and we’re now expanding our company to offer products that tackle the very real problem organizations face in managing and operating all their PKI and HSM environments – on-premises and in the cloud.

Can you tell us more about your PKI Spotlight solution? Which features make it stand out?

The distributed nature of PKI poses operational challenges that are not addressed by certificate lifecycle management or monitoring products. As a result, most organizations deploy their PKI, cross their fingers that nothing goes wrong, and wind up fighting fires every time their business identity or data encryption solution is impacting their ability to function. PKI Spotlight is an entirely new approach to the management and operation of a PKI. Now companies can consolidate and monitor all of the activity and configuration from across a spectrum of PKI platforms and environments – whether on-premises or cloud. PKI Spotlight provides organizations with a single pane of glass view. Then, it integrates the intelligence to address best practices and configuration recommendations in real-time. Nothing has existed to bring all of this together before. When you then enable this intelligence to send alerts or integrate with enterprise helpdesk and SIEM solutions, organizations can regain confidence in their approach to identity and encryption.

What are the main challenges associated with the Public Key Infrastructure?

PKI was designed with the assumption that it would always be operated securely, and compromise is impossible. The reality of the world that we live in now shows us that with the proliferation of PKIs, organizations need to overcome the core design assumptions and ensure that this incredibly flexible technology is incorporated into the modern security matrix. Additionally, there is not enough expertise in the workforce to meet the growing demand for PKI architects, administrators, and specialists. Combined with a lack of instrumentation and automation, every organization is struggling with how to properly secure their infrastructure and ensure their PKI is providing the value they need and expect.

Do you think the recent global events altered the way organizations approach cybersecurity?

Absolutely. Organizations have been moving to a greater hybrid model of on-premises and cloud, as well as adopting zero-trust concepts. This enables organizations to be more dynamic and resilient in any situation. The ability to pivot from a state of identifying and deploying new business tools to a more defensive posture is enabling organizations to understand their threat profile and adjust accordingly. I think it is also reminding people of the importance of strong identity and data encryption to ensure remote adversaries are properly defended against. Most organizations will never face a nation-state-level cyberattack, but an indiscriminate nation-state attack is entirely possible.

When it comes to customized cybersecurity systems, do you think it is something businesses of all sizes should invest in, or is it only a necessity for large enterprises?

Every modern organization has a cybersecurity system, and, to some extent, every single one of them needs to be purpose fit and customized to the environment. However, the days of ground-up, 100% in-house solutions are long gone. There is no possible way for an organization to remain flexible and knowledgeable enough to build its own in-house solution. However, we are seeing the implementation of what Gartner calls the Cybersecurity Mesh Architecture, which places best-of-breed solutions into a matrix with a single orchestration or management platform over the top. Our approach with PKI Spotlight is to provide a centralized platform over the best-of-breed PKI ecosystems that organizations are using in their environment.

Why do you think certain organizations are unaware of the threats hiding in their own systems?

Money, tools, and assumptions are the short answer. I don’t think any organization is deliberately ignoring the issue, but there is usually an economic or process limitation that forces them to accept their own realities and address the areas they can. In the PKI space, it is very often a case of tools and time. There hasn’t been the tooling to know what threats are in their PKI, and there isn’t enough time in anyone’s schedule to spend all their time looking for it in the various parts of the PKI. Lastly, we find many organizations have assumed parts of their environment are secure and never bother to look further. We see that with PKIs, where departments invest a lot in the design and deployment of the solution but assume it will never change and will be secure forever – with no oversight!

What kind of threats should businesses be prepared to take on in the next few years?

The continued move to the cloud and hybrid solutions means organizations will be struggling with addressing single sign-on, 2FA, and digital identities across platforms more than ever before. As these solutions are potentially internet-facing, getting it right will be more critical than ever before.

Talking about casual Internet users, what security measures should become widely adopted for better online protection?

Everyone should be using the most effective security measures for casual users, including multi-factor authentication. Insist on it for any service you use, especially those with financial or privacy implications. Secondly, assume any information you receive over the web or email is suspicious until proven innocent. I know it’s a hard thing to practice and believe in, but a healthy dose of cynicism in internet information is a good security posture to adopt.

What does the future hold for PKI Solutions?

I believe that we will be successful in pioneering this new approach to instrumentation and visibility of the PKI ecosystem and enable organizations to gain a single pane of glass view across their diverse enterprise. We will continue to innovate our feature pipeline for PKI Spotlight and demonstrate how we are translating our decades of PKI expertise into new tooling and automation for organizations. We are making a difference and doing it in a way that scales across the entire PKI ecosystem in a way that only a software solution can.

Read the original article on CyberNews.

About ThePKIGuy

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.

2 Comments

  1. Doug Breitnauer on April 25, 2022 at 7:03 am

    I have an issue where the ‘Issuer Statement’ is greyed out on my Enterprise CA certificate as well as the Subordinate Issuing CA certificates.
    However, the Issuer Statement does show up on the certificate from my Offline Root CA. Below is an example of the latest CAPolicy.inf I am using:
    [Version]
    Signature=”$Windows NT$”
    [PolicyStatementExtension]
    Policies=InternalPolicy
    [InternalPolicy]
    OID=1.2.3.4.440.5801.357.5
    Notice=”The Issuing Certification Authority is an internal resource. Certificates that are issued by this Certificate Authority are for internal usage only.”
    URL=http://pki-issuing.EntSubA.DEV.local/pki/cps.txt
    LoadDefaultTemplates=0
    AlternateSignatureAlgorithm=0
    The certocm.log shows:
    401.1317.946: : Opened Policy inf: C:\Windows\CAPolicy.inf
    401.851.0:: 0x8007000d (WIN32: 13 ERROR_INVALID_DATA): LoadDefaultTemplates
    401.1119.0:: 0x8007000d (WIN32: 13 ERROR_INVALID_DATA): InternalPolicy
    401.1218.942: : Built Policy: InternalPolicy: The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
    401.1605.0:: 0x8007000d (WIN32: 13 ERROR_INVALID_DATA): InternalPolicy
    401.1629.944: : Policy Statement Extension: InternalPolicy: The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)

    Any insight is greatly appreciated.

    • ThePKIGuy on April 26, 2022 at 9:46 am

      Hard to tell for sure with the copy and paste of the capolicy.inf, but it appears your file is using smart quotes rather than standard ASCII style quotes, which is causing the invalid data. I would open the capolicy.inf file in Notepad, look at a quote (such as in “$Windows NT$”) and then delete the quote and type a replacement quote in. You will most likely see a different style. The ones in your post appear to be slanted, which tells me they are not ASCII quotes. This can happen if you copy a capolicy.inf from a website, Word document or other source and don’t clean up the formatting.
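The check suggested in the reply above can be scripted instead of done by eye. The following is an added example, not part of the original comments or of any PKI Solutions tooling: it decodes a CAPolicy.inf, reports every non-ASCII character by line and column, and produces an ASCII-only copy. The names `decode_inf`, `find_non_ascii`, `to_ascii` and `ASCII_EQUIVALENT` are hypothetical, and the sample bytes are constructed from the `[Version]` lines quoted in the comment.

```python
import unicodedata

# Added example (hypothetical names): typographic characters mapped to ASCII.
ASCII_EQUIVALENT = {
    "\u201c": '"', "\u201d": '"', "\u201e": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",                  # curly single quotes
    "\u2013": "-", "\u2014": "-", "\u00a0": " ",   # dashes, no-break space
}


def decode_inf(raw: bytes) -> str:
    """Decode INF bytes: honour a BOM, else try UTF-8, else Windows-1252."""
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8")
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("cp1252", errors="replace")


def find_non_ascii(text: str):
    """Return (line, column, char, unicode_name, suggested_ascii) per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) > 127:
                name = unicodedata.name(ch, "UNKNOWN")
                findings.append((lineno, col, ch, name, ASCII_EQUIVALENT.get(ch)))
    return findings


def to_ascii(text: str) -> str:
    """Swap known typographic characters; raise if other non-ASCII remains."""
    cleaned = "".join(ASCII_EQUIVALENT.get(ch, ch) for ch in text)
    cleaned.encode("ascii")  # UnicodeEncodeError means manual review is needed
    return cleaned


# Constructed sample: the [Version] lines from the comment, saved as
# Windows-1252 the way a file pasted from a web page often is.
SAMPLE = "[Version]\r\nSignature=\u201c$Windows NT$\u201d\r\n".encode("cp1252")

if __name__ == "__main__":
    for lineno, col, _, name, fix in find_non_ascii(decode_inf(SAMPLE)):
        print(f"line {lineno}, col {col}: {name}, replace with {fix}")
    print(to_ascii(decode_inf(SAMPLE)))
```

`to_ascii` deliberately fails on characters it has no mapping for, so an accented letter in a `Notice=` string is surfaced for review rather than silently altered.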
