DigiCert invests heavily in the certification of tomorrow
April 2019 by Marc Jacob
DigiCert, a company known for validating and issuing Symantec TLS/SSL certificates, has established a trust guarantee for browsers such as Google Chrome. After the acquisition of the Swiss company QuoVadis, DigiCert strengthens its position in Europe and France by offering products and services dedicated to the European market. DigiCert is also working in areas such as strengthening blockchain security and sovereign identities, IoT, machine learning, and encryption protocols resistant to quantum computing threats. Recently visiting Paris as part of a European tour of its teams, John Merrill, CEO of DigiCert, was kind enough to answer our questions exclusively.
GS Mag : You are a private provider of digital certificates and well-known for having worked on security problems coming from distrusted Symantec certificates. You recently announced the complete acquisition of QuoVadis, the Swiss Trust Services Provider. You present your company as the world leader for TLS/SSL, IoT and PKI solutions. Can you explain briefly the utility of these solutions?
John Merrill : DigiCert helps companies of all sizes and types deploy TLS/SSL certificates and other PKI-based implementations for scalable authentication, identity, encryption and data/system integrity. Companies choose our TLS/SSL certificates for their websites because of our deep product roster, our best-in-class technology and global customer support, and our leadership within industry standards and innovation initiatives. In addition to using our TLS/SSL certificates for websites, enterprises use our PKI solutions for a variety of things, including securing IoT devices, network access control and device/user authentication, VPN, secure email, mobile-to-mobile authentication, and more.
We acquired Symantec Website Security in late 2017, and in 2018, we invested heavily into modernising our global technology, updating data centres and improving our processes in a way not seen for a long time in our industry. This investment ensures DigiCert provides the best technology and localised support anywhere in the world for fast certificate issuance and fast secure page loads, platforms for automating certificate management, and integration into popular developer and cloud platforms that our customers use. We’ve also made regional investments, such as the purchase of QuoVadis, which allows us to serve companies doing business in Europe with EU-sanctioned products and services, and with European-hosted technologies and customer support teams. After all, all business is local.
DigiCert’s IoT solutions are increasingly used by manufacturers and others across a variety of industries. For example, DigiCert manages PKI for large industry initiatives to secure devices such as smart televisions, smart meters, cable boxes, USB Type-C charging cables, medical devices, aeronautics and air traffic control and so on. We are continually adding new customers because we can help them architect the best PKI solution for their use cases and our systems can scale to meet their requirements for huge volumes of certificates.
GS Mag : What is your strategy to answer emerging market threats, especially in the IoT market?
John Merrill : Fundamentally, DigiCert addresses the core needs of IoT device security that include authentication, encryption, identity and data/system integrity via digital certificates. DigiCert has built a modern infrastructure capable of handling the large scale of certificate-based deployments required for the IoT, and we’ve already issued billions of certificates for such devices. Because of this and our in-house expertise, many large device manufacturers and industry consortia turn to DigiCert to operate their PKI. We are also partnering with university researchers and other technology companies — including Microsoft, ISARA, Gemalto and Utimaco — to innovate tomorrow’s solutions, such as encryption protocols that are resistant to quantum computing threats.
Digital certificates provide device-to-device and user-to-device authentication to ensure only authorised devices are able to connect to a company’s network, and certificates also encrypt data. Companies use code signing certificates to ensure that their IoT devices only run authorised code and can also use this for secure patch management and secure device booting. For IoT security, it’s all about scaling security solutions and building the right programs, and we believe we can do that better than our competitors. DigiCert is also conducting research and development within other emerging markets that require strong identity vetting, authentication and encryption, such as blockchain.
GS Mag : Many intelligence experts think that quantum computing, artificial intelligence and the Internet of Things generate a ‘growing threat’ for national security all over the world. You work on the protection against these threats. Could you tell us more?
John Merrill : We live in a unique time where the technology being developed could radically improve the way we live, while also presenting real threats to individual privacy and security. Most experts predict quantum computing could, in the next 10 to 15 years, break the popular encryption algorithms that all of us depend upon now for secure online communications (RSA, ECC). Though it seems far away, the long lifecycles to adopt new technology, combined with the fact that IoT devices built today will be in use 10 or 15 years from now – think automobiles, medical devices, financial applications and systems – make it necessary for companies to test and adopt these technologies now.
The U.S. National Institute of Standards and Technology (NIST) is running a project to solicit and select quantum-resistant algorithms. DigiCert is taking a leading role in this, working with companies such as Microsoft and ISARA to develop hybrid certificates that position traditional algorithms alongside new quantum-resistant ones. We are also working with Gemalto and Utimaco to prove how to use hardware security modules (HSMs) to secure the keys. Our work is helping companies future-proof their certificate deployments to reduce potentially costly replacements if they fail to prepare now.
GS Mag : How do you consider security in Europe, and especially here in France? How will you be able to meet French business and administration needs?
John Merrill : DigiCert believes that while technology is global, business is local. Europe in particular has localised needs and a strong focus on privacy and data protection, which we can meet alongside our industry-leading, modern technology. DigiCert does not make money off data but works to protect data. DigiCert’s recent acquisition of Swiss-based QuoVadis strengthens our already healthy position as the leading provider of certificates for the European market, including for nearly all European banks.
The QuoVadis acquisition helps us offer customers EU Qualified Trusted services and products, which include heightened identity requirements. With the September 2019 deadline for organisations to comply with the EU Payment Services Directive (PSD2), banks and other financial institutions will need these certificates and we will be able to provide them. DigiCert is the only global CA that operates as an EU TSP.
In France, specifically, we are able to offer TLS/SSL and other solutions to our customers directly as well as through valued partners, including our Platinum Elite Partner SSL 247. We are continuing to work on integration in a way that our reseller and hosting partners can offer EU qualified certificates and other services to their customers.
GS Mag : To end these questions, what is your main message to our readers?
John Merrill : As the global leader, DigiCert feels a great responsibility to be a good steward of online trust and to earn the business of our customers and partners. This includes making it easy for them to do business with us and fulfill their goals. Over the past year we’ve invested heavily in our technology, people and processes to modernise and scale our offerings in a way unmatched by competitors and not seen in our industry to date. This ensures that we lead in areas of industry standards and solutions for our customers to simplify their important work, from deploying and managing TLS/SSL and other digital certificates and PKI infrastructure, to developing many of tomorrow’s solutions through our R&D initiative, DigiCert Labs. Some of the areas we are researching include strengthening the security of blockchain and sovereign identities, machine learning, and strengthening IoT security.
DigiCert is also driving automation in digital certificate management and deployment of solutions, and partnering with leading companies to strengthen our offerings. DigiCert is focused on strong identity validation to protect data in transit to ensure people know who they are interacting with via high-assurance TLS/SSL certificates on the web, or in the case of the IoT, providing device authentication for protecting machines.