PKI Revelations Episode 2: The Genesis of Project Moonshot

PKI Spotlight - Realtime PKI Monitoring and Alerting

Editor’s Note: This is the second blog post in a series of posts from us that will focus on our PKI Revelations.


How did Project Moonshot get started? Here’s the back story.


The PKI Solutions team has been working side-by-side with you in the Public Key Infrastructure trenches for many years, and we’ve seen how IT teams at organizations of every size struggle to capture the security intelligence they need: real-time visibility across their entire PKI ecosystem so they can make smart, quick decisions to protect their organization’s data. Over the years, we’ve been called in to help on a wide range of PKI issues that arose because this level of security intelligence was missing.


For example, one of our customers experienced a failed HSM in their electrical grid service PKI. Due to a lack of available tools, the error was not detected for six weeks, which resulted in the loss of high availability. Another company had a CA operating in a zombie state: the service was still running, but the CA functionality inside it had crashed without stopping the service. Undetected for seven days by standard network and application monitoring tools, the company experienced a network-wide outage affecting all remote workers as a result of the CA’s failure to sign a new CRL, all due to an inadvertent software patch. Yet another issue organizations faced was when Microsoft announced the details of the PetitPotam vulnerability in ADCS: most organizations were unable to effectively review their PKI to determine whether they were at risk and, worse, whether the vulnerability had already been exploited in their environment. And, in addition to technology challenges impacting the PKI directly, other changes, like a company’s internal PKI expert leaving the organization for a new role, leave the organization with little remaining visibility or expertise to run their PKI securely. Effectively, they need automation and subject matter expertise on demand.


It’s clear that IT teams everywhere need help and better security intelligence right now. Almost every organization bases their Identity and Access Management solution on technology and systems that have a dependency on a resilient, secure, and well-governed PKI. Yet, despite how foundational PKI is to these systems, it is often removed from sight and mindshare in an organization.


This brings us to: The Genesis of Project Moonshot. What is Project Moonshot? It has been the code name for our soon-to-be-introduced PKI alerting and monitoring product that we’ve named PKI Spotlight. It’s our solution for a new way to PKI. Its goal is to enable organizations to see the unseen. Our objectives are to bring industry standards for visibility, monitoring, alerting, and governance to PKI and to the dependent IAM systems that rely on it. Our focus is Operational Resilience, Threat Detection, Security Posture Management and Best Practices.


Let’s take a step back and talk about how this all got started. You all probably know me as “The PKI Guy”. When I was working with Microsoft, I led the PKI effort designing, implementing, and supporting ADCS environments for Microsoft’s largest customers and became Microsoft’s leading subject matter expert for ADCS and identity management. When I would travel around the world to work onsite troubleshooting PKI issues for organizations of all types, I would walk in the door and for some reason the IT teams would yell (probably because they couldn’t remember my name), “Great, there’s The PKI Guy! We need your help!” And, for better or worse, “The PKI Guy” name has stuck with me for more than 20 years. I’ve been doing what I do with PKI for more than two decades. I launched PKI Solutions as a consulting organization in 2014 to allow me to evangelize PKI and work with interesting customers and projects.


Over the years, we’ve worked with organizations all around the world, and we kept seeing the same PKI challenges over and over again. One day, I realized that these PKI challenges all have a commonality to them, and that even if I took our entire team and said, “Let’s all focus on one large customer’s environment to properly manage, operate, monitor, and govern their PKI,” it would take every single day, in perpetuity, to try to solve these ongoing systemic problems for one customer! Clearly, there’s a problem that can’t be solved just by throwing people at it. There just aren’t enough people. So, we asked ourselves: what is the collection of pain points, and what are the right solutions to that problem?


Organizations like yours need reliable authentication and access systems, the cornerstone of a strong IAM program. That means you must have real-time information and ongoing PKI monitoring to provide security intelligence on what’s happening to your infrastructure as well as to its security components, like PKI. Real-time information and holistic monitoring are key to achieving the best security and availability for your PKI.


However, the distributed nature of PKI poses management challenges that are not addressed by current products or processes. Sadly, there is also a significant lack of PKI expertise within IT teams due to the specialized nature of the technology. We try to help with that through our online PKI training courses, but there is still much work to be done here. These factors increase an organization’s risk of business disruption, lurking threats, and making the news for the wrong reasons.


All of this thinking led us to the idea of creating a new concept around PKI monitoring and alerting. So, in 2020 we embarked on the journey of leveraging our subject matter expertise and productizing it: building an automation tool that addresses PKI problems in order to meet organizations’ IAM security and operational requirements and give IT teams better security intelligence.


Many organizations have no insight or visibility into the black box of PKI so they just don't know until it breaks. It's like you're running without a check engine light monitoring the engine coolant. You're just waiting until you crash on the side of the road because something has gone wrong with your engine. What we have set out to do is provide IT teams with that connection where you can tell, moment to moment every day, that things are operating and you’ll be able to detect any problems in advance.


Our new product, PKI Spotlight, is a new way to PKI that offers real-time availability, configuration, and security visibility into your PKI environment. All of this important information is consolidated and at your fingertips through unified dashboards. This will allow you to help your organization achieve improved operational resilience, security posture management, and threat detection, and to incorporate PKI best practices that will protect your organization’s data now and in the future.


It’s time to give your security IAM systems the reliable and secure PKI your organization demands. It's time to see the unseen!


But, before I get ahead of myself … those details about PKI Spotlight will be the topic for the next blog post in our series. Stay tuned for more updates about PKI Spotlight: A New Way To PKI!


Interested in learning more now? Contact us here.


About ThePKIGuy

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.

4 Comments

  1. Ivan on February 28, 2022 at 12:47 pm

    Is PKI Spotlight available now?

    • ThePKIGuy on February 28, 2022 at 1:31 pm

      Hi Ivan, thanks for the interest! We are publicly launching PKI Spotlight on March 14th. Stay tuned for more information and if you like what you see, let’s arrange a demo. You won’t be disappointed.

    • Sebastian on March 3, 2022 at 5:06 am

      Don’t forget to sign your binaries… We use WDAC on every server. And if you want to install an agent or something like that, please sign your files. Great news, and I’ll be waiting to join the service!

      • ThePKIGuy on March 3, 2022 at 11:03 am

        Of course! Our development process ensures the entire pipeline is signed for each build.
