Sectigo: “The market is increasingly demanding automated solutions”

In this interview, Javier Fernandez, Enterprise Regional Sales Manager, discusses the current state of play in SSL/TLS certificate lifecycle management.

Here, we explore how the leading cybersecurity solutions company addresses the challenge of balancing security with user convenience. Javier Fernandez, Enterprise Regional Sales Manager at the company, gives his perspective on how digital certificates and other advanced technologies play a crucial role in user authentication.

Sectigo, a provider of SSL/TLS certificates with more than 1.3 billion certificates issued, is dedicated to developing solutions that help protect websites and online transactions from encryption and spoofing, protecting digital identity and simplifying access to services without compromising security.

– Could you briefly explain the impact of cyber threats on the demand and development of SSL/TLS certificates?

Sectigo, with more than 20 years in the market, originally focused on SSL/TLS and is a public certificate authority. With the growth of cyber threats, digital security has become crucial. Sectigo issues certificates that secure websites and goes further with user identity and authentication solutions.

Google recently removed Entrust from its browsers, which significantly affects the certificate authority market. This means that billions of users will no longer trust Entrust certificates, forcing customers to migrate to other authorities. This move could be repeated with other browsers and companies, leaving Entrust in a difficult situation in the SSL certification arena. Despite this, almost all websites use digital certificates, essential to protect against cyber threats and establish a trusted digital identity on public services and financial platforms.

– How has artificial intelligence impacted the field of digital certificates, both in terms of developing solutions and addressing potential vulnerabilities?

In reality, artificial intelligence does not truly have a big impact on our work. For the most part, AI can be used by both cyber attackers and system defenders to develop specific tools. In our case, we are mainly involved in digital identification, ensuring that users and applications are who they say they are. Therefore, so far, AI has not significantly influenced our business. Although it could facilitate the lifecycle management of certificates, allowing us to identify services needed at specific times, in general, it is not directly related to our current solutions.

– What are the challenges Spanish SMEs face when implementing digital certificates on their websites?

Mainly, the main challenge for small businesses is the lack of awareness. Nowadays, awareness of the need for digital identification is widespread, especially in procedures related to public administration where certification is required to guarantee authenticity. However, in the small business sector, the problem lies in the lack of resources and know-how to properly implement and manage SSL certificates or other digital certifications.

The challenge is not only to obtain the certificate but also to manage it effectively. Many times, small businesses do not have the resources to regularly monitor the expiration of certificates or to renew them promptly. This can result in operational problems and loss of customer confidence.

To address this situation, we offer SaaS solutions that enable businesses of all sizes to centrally and efficiently manage their certificates. This application provides a platform where they can monitor and manage all their certificates from a single interface, whether they are large corporations or small businesses. Thus, regardless of size, all companies can meet the digital security requirements needed to operate in today’s market.

– How do you envision the future of quantum cryptography in terms of security?

For us, quantum cryptography represents a very significant market. It is one of our main reasons for being here, as we seek to provide solutions to our customers when this technology is ready. The implementation of quantum technology and supercomputers means that anyone could decrypt a digital certificate and extract information from a transaction in minimal time. Currently, common attacks involve intercepting traffic between users and banking applications to obtain data, but with quantum computing, the time needed to decrypt certificates is drastically reduced. Whereas today it can take years, with supercomputing, this is reduced to minutes.

Our solution lies in preventing these threats. For example, through certificate lifecycle management (CLM), we offer cryptographic agility to adapt to these changes. With quantum technology, the lifetime of digital certificates tends to shorten to minimise the risk of prolonged exposure. We allow our customers to change certificates at any time to avoid security issues, such as exposures or encryption vulnerabilities.

– Could you highlight some of the most innovative and distinctive features of your certificate management platform?

Along those lines, as a company, we focus mainly on the enterprise environment. From Sectigo’s perspective, we can differentiate two key areas: the issuance of digital certificates as a certificate authority and the internal management of these certificates. Technologically, we stand out for our agility in cryptography. Our tool allows us to discover and monitor the location of digital certificates from the perspective of the user, machine or any service. From there, we automate the deployment and use of these certificates.

For example, within our portfolio, we integrate with leading system security vendors. This makes it easy, for example, to deploy a service on Amazon, Azure or Google, where we can automatically manage certificates for containers or applications. Previously, certificate management used to be manual and tedious, with the risk of stolen or unrevoked certificates allowing unauthorised access to services.

Our goal is to centralise and automate this management from a single point. If a device or PC is compromised, our solution can automatically cancel the corresponding certificate. Previously, when an employee left the company, their certificates used to remain active inadvertently, but now we can automatically revoke them when the user is terminated.

The market is increasingly demanding automated solutions, eliminating the need for tedious and error-prone human tasks. Our technology allows us to react proactively to critical situations through automatic integrations, ensuring that the entire workflow is parameterised according to the needs of each company.

– How has this issue evolved since the beginning of the pandemic? With the rise of teleworking, certificates and user authentication have become very important. What changes and challenges would you highlight in this context?

Of course, one of the main effects of the pandemic is precisely that. Before, everyone worked from their PCs in the office with minimal security controls, as they were connected through controlled cables or Wi-Fi. Nowadays, with telecommuting, people take their devices everywhere: PCs, phones, and tablets. This increases the need for tighter security, where simple username and password are not enough. Digital certificates are required for both devices and users.

On the other hand, the dispersion of users means offering more services from the office. Before, a VPN was sufficient to access everything, such as email. Now, there is a need to secure browsing with SaaS services that provide basic security. All this implies a steady growth in the use of digital certificates, both for users and for the services provided to them.

In addition, the market is adopting solutions such as SASE and SD-WAN to adapt to this new reality of remote working and digital security. There has also been a significant increase in cloud services and IoT, which now require more rigorous certification.

From a regulatory point of view, we comply with European digital certification regulations, such as eIDAS in Europe or the ESIGN Act in the US, which allows users to be authenticated in a recognised way across Europe.

– Turning now to digital signatures, what advantages and innovations does Sectigo offer compared to its competitors?

From the point of view of digital user certification, it is all about regulation. If you want to be a certification authority, you have to guarantee the security and management of private keys. In that sense, we don’t offer more than the rest. The certificates are essentially the same. What sets Sectigo apart is our ability to manage the certificate lifecycle in a unified way. This makes it easier for companies to perform tasks such as certificate validation, discovery or revocation quickly and efficiently. The advantage is that from our console, whether for our certificates or those of third parties, you can view and manage everything.

From the point of view of certificate authorities, the real innovation is to provide tools that comply with established regulations. Not everyone needs certificates, but we are all governed by the same rules in terms of innovation and efficiency in issuance and revocation. The key is the tool we provide to facilitate these processes. That is our innovation: centralising and simplifying the certificate lifecycle, while keeping compliance as a top priority.

– How do you implement emerging technologies such as biometrics in user authentication?

We facilitate the service for which you request and receive the certificates. We guarantee that you are who you say you are when you sign these certificates. From there, we integrate with any solution you need for authentication within your company. If you use a Windows system, we automate getting the certificate and deploy it to your machine.

From that point, you decide the access controls for users on the network. We adapt to any solution you already have, such as biometric systems or MDM solutions. We do not directly provide a biometric system; instead, we certify your digital identity through machine certificates, user certificates or a combination of both. If you have a mobile device that needs control, we integrate with your MDM solution. So when you connect to the network with your user and device, you will have your digital certificate installed and will be able to access services that require digital authentication.

– A crucial issue that concerns cybersecurity solution providers is the friction with users when verifying their identity. How does your approach balance this need without affecting the customer experience?

Of course, it does, because the more barriers you put in place to access a service, the more complicated it is for the user, right? From the field of digital identity through certificates, these processes mustn’t negatively affect day-to-day life. For example, a certificate on your device that authenticates without you realising it. But when we talk about the user directly, if you used to use a username and password, now you have to select a certificate. It’s a bit like with @key for public services, where we simplify as much as possible.

In the corporate environment, integrating this involves different levels. From home, the certified corporate device validates without problems. If I’m asked for a certificate to authenticate myself on the network, I have to select it to prove my identity. So, does it affect? Yes, but as I mentioned before, it is part of technological progress. Years ago, filing taxes was complicated; today, using digital certificates is easier for those of us who are familiar with it. Education and simplicity are key to minimising complexity and improving the user experience.