The PKI Guy talks identity management with Jay Schiavo of Entrust Datacard

Q&A with Jay Schiavo, vice president of Entrust Certificate Services Markets, Entrust Datacard

TPG: How will nCipher Security strengthen Entrust Datacard’s offering to secure data and verify identities, and reduce risks?

JS: The acquisition of the nCipher general purpose HSM business allows Entrust Datacard to provide our customers with solutions that exceed expectations for high-assurance use cases while meeting the increased need for data security that stems from regulations such as GDPR and eIDAS. The addition of nCipher to Entrust Datacard provides us with the technology to increase data security across internal, cloud, and hybrid networks — and against more frequent and sophisticated cyberattacks. We are now able to deepen our offerings for emerging technologies including blockchain, crypto wallets, and IoT manufacturing

TPG: What advice would you give to enterprises about how to reduce cyber risks?

JS: Start by prioritizing your risks. There’s a lot of noise, and it will help to map out your business goals and catalog the most likely risks so that you know where to focus. Secondly, don’t feel like you have to reinvent the wheel — there are many  security frameworks available that will help provide structure to your security process — for example, NIST, OWASP and the Cloud Security Alliance. Finally, accept that security is a journey — infrastructure is not static, threats are not static, and there is always work to do. Your goal is to keep getting better, but don’t go in with the idea that you’re going to go from zero to perfect in one cycle (not that there’s really such thing as perfect in security!). Focus on prioritizing your risks regularly and improving your security posture a little bit each time

TPG: What do you recommend when designing and implementing a PKI?

JS: Spend time to understand all of the use cases for PKI in your organization, and determine the assurance level needed for each use case. You may need certificates for users, mobile devices, Registration Authorities (RAs), SSL, VPN, or code signing, just to name a few. For each type of certificate, you will have different requirements around assurance and lifecycle. For example, in-person vetting makes sense for RAs, but not for mobile devices. A well architected PKI will be able to manage multiple types of certificates, with different assurance levels — it’s important that your business and technical stakeholders consider the use cases and security requirements for each.

TPG: Where do you see identity management headed in the next few years?

JS: Cloud adoption continues to rise across enterprise IT applications and identity management is no exception. As more organizations migrate applications, they need to evaluate the primary technologies they use to store data, including user directories. Historically, user identity information was stored in-house, such as in Active Directory. Now, organizations will have to decide if they want to transition their user directories from being managed on-premise to managed in the cloud. This has implications for applications such as authentication and access management, which rely on tight binding to directories and need to support modern cloud identity management repositories.

A second identity management trend is the expansion of the types of identities the enterprise has to manage. Traditionally, employees were the primary user base. Now, organizations digitally engage with customers, partners contractors etc., so they need to accommodate new approaches to user identity management. And recent regulations — such as GDPR, CCPA and the New Zealand privacy bill requiring stronger security — are driving the need for even more robust identity and access management solutions to balance security, user experience, and operational efficiency.

TPG: So many companies have concerns about cloud security. What are your recommendations?

JS: At Entrust Datacard, we believe in the zero-trust and zero-factor framework. This means “trust no one” and incorporate a trusted identity assurance platform that helps you establish and maintain trust within your user base, transparently across all applications — including on-premise and cloud-based. Here’s what this looks like:

• Establish Trust: How do you know your users are who they say they are? How do you know their devices haven’t been compromised? Incorporate solutions that allow you to identity proof your user and device before you issue an identity.
• Secure Access & Transactions: Connection and transaction requests between parties must be validated with trusted identity. These include securing network access, website and portal login, cloud applications, and workstation login — all with modern authentication approaches like, mobile, biometrics and analytics to maximize security and minimize user friction. Also, rather than single-point solutions, consider sophisticated single sign-on solutions to enable a truly omni-channel experience that increases security while also improving the user experience.
• Maintain Trust: Hackers have learned to insert themselves in the middle of legitimate transactions after they’ve been initiated and approved. Our solutions allow you to continuously authenticate identities and amounts throughout a transaction. If suspicious activities are detected — such as anomalies in user behavior or changes in amounts — you can challenge or shut down the request.

There are several deployment options, including on-premise, hosted, cloud, hybrid cloud. Regardless of how you deploy, security will be a requirement. With cloud, it’s important to be clear about what you are responsible for securing versus what the cloud provider will secure. Unsecured S3 buckets on AWS have been a common cause of data leakage, and part of the reason for that may be that organizations just assumed that the cloud provider would handle the security part for them. Regardless of where you are deployed, you will need to do some amount of security configuration

TPG: Tell us about your authentication options. Where is the future of authentication?

JS: We offer authentication solutions that secure applications, networks, computers, doors, and more — across many and varied types of user populations. We can tailor solutions to best fit user and business needs. From mobile onboarding new customers to printing a cost-effective grid card on the back of a frontline worker’s badge, we provide flexibility that gives our customers choice, and allows them to balance user experience, security and cost without making any sacrifices.

The future of authentication is ensuring a secure, yet truly seamless and transparent user experience. Password-less authentication is a major objective for our clients, both to address security risk with passwords and to streamline digital interactions — providing a frictionless experience for employees, customers, and citizens.

TPG: What are your thoughts on the consolidation of Hardware Security Module companies?

JS: We see this as a part of the broader trend of consolidation in cybersecurity.  Given the increase in threats, greater regulation and emerging use cases, HSMs are a growth market and players in the space are going to continue to look to be able to build their solution portfolios, technical capabilities, and go-to-market reach through internal investments and acquisitions. In its comments posted on December 11, 2018, the European Commission concluded that the merger of Thales and Gemalto with their respective general purpose HSM businesses would have led to very high market shares and eliminated competitive constraints. It is clear that these are the only two general purpose HSM businesses in the market that could have combined to create that level of impact.

TPG: How will nCipher Security and its products change as result of the acquisition?

JS: There will be no immediate change to nCipher’s industry-leading HSM products. Over time, you will see a greater focus on emerging delivery models and use cases.

TPG: How is Entrust Datacard planning to address nCipher’s support of products other than Entrust Datacard solutions – such as EJBCA and Microsoft ADCS?

JS: There will be no change to support of other products. Entrust Datacard believes in the value of an ecosystem of products and solutions, and we want to ensure that existing and future customers have the ability to choose the solutions that offer them the best value for their money and the nCipher’s broad technology partner ecosystem consists of top solutions in PKI, credential management, digital signing, payments, encryption, code signing, key management, and more.

TPG: Does Entrust Datacard see itself as a provider of Certification Authority solutions including HSMs, or does it see the HSMs with nCipher as independent kit for the PKI and other markets?

JS: Both. The advantage to customers of Entrust Datacard as owner of nCipher is that they will have increased flexibility to determine how they want to apply our portfolio of products. Some customers will prefer to have fewer vendors and will look for integrated solutions. Others will want to design their own solutions and purchase the components that are optimized for their use case. We can work with either scenario. Furthermore, the expertise of Entrust Datacard in delivering solutions as a service adds an additional layer of flexibility for those customers who do not want to host some or all of the solution. The combined company is uniquely positioned to deliver the highest levels of trust and help customers reduce risk, demonstrate compliance, and enable new digital initiatives. HSMs have provided high security value for PKI components and the applications that consume digital certificates for many years, and will continue to do so. And the spectrum of applications that use HSMs has dramatically increased over the years, and includes everything from application and database encryption, to code signing, to cloud applications such as CASBs and Bring Your Own Key, to digital payment credential provisioning and management, to the IoT, blockchain and more. nShield HSMs and nCipher’s associated technology partner ecosystem will continue to evolve to service that wide range of use cases where trusted cryptography and strong key protection provide high value to customers