Google, Venafi, and the Linguae Franca of TLS Certificates
Digital certificates – specifically SSL/TLS certificates – are both the backbone and the lifeblood of digital transformation. That sounds a bit like hyperbole, but let’s think about it for a second:
“Backbone?” As the foundation for authenticating that vast numbers of machines talking to each other in networks of all types, TLS certificates establish the internet's backbone of trust.
“Lifeblood?” As the majority of applications, services, APIs and raw data sources move to the cloud, TLS certificates are the lifeblood that allows commerce, information, and personal communication to be understood and decoded.
We need them. But still we tend to dislike them.
Why is this? Because SSL/TLS certificates are complex concoctions of cryptography, permissions and critical metadata that need to be carefully configured, tracked and maintained. If we get them even a little bit wrong, outages occur and our businesses stop.
These outages are more frequent than we imagine and routinely affect large and well-resourced organizations.
A Machine Identity Language
Part of the inherent complexity of TLS has to do with the way digital certificates “talk” to different elements of the integrated systems they enable. Certificates need to “understand” encryption algorithms and signature hash algorithms, as well as different extensions like .pem (Privacy-enhanced Electronic Mail) and .p12 (PKCS #12, a Public-Key Cryptography Standard published by RSA). They need to “differentiate” between private and public Certificate Authorities (CAs) and “comprehend” concepts like roots and intermediates and endpoints.
Attending this complexity, the number of TLS certificates protecting sites and services has exploded in the world at large. A recent survey by Tech Validate showed that IT security professionals who started using Venafi found, on average, 57,420 additional SSL/TLS keys and certificates that were previously unknown to them. Another current Venafi customer recently commented, “We’ve had a 10x growth in certificates” in the last two years.
Along with that, the uses and configurations for these certificates are rapidly evolving:
- They are becoming ephemeral and much shorter-lived
- They need to be issued and managed by fast, fully human-free systems
- They need to be injected dynamically, through APIs, into just-in-time development cycles
According to recent research by Gartner and Forrester (complimentary copies available through these links), Venafi leads the industry in rethinking how machine identities are managed in the melee that is digital transformation.
To sum all that up: Venafi helps over 400 of the world’s largest companies protect millions and millions of TLS-based machine identities every day. These identities come from over 40 public and private CAs and are consumed by hundreds and hundreds of different technologies: from load balancers to firewalls, from inspection devices to WAFs, and from CI/CD tools to application servers and more.
The Linguae Franca
Venafi is able to do this important work is by providing a common language – a linguae franca – that translates the complex “language” of machine identities across certificate authorities, technical standards, identity-consuming devices or systems, and across cloud platforms.
One of the most common sources of TLS certificates is internal or “private” CAs. But choices on how to prop up and manage a private CA are limited time consuming and expensive. To help us solve that, we now have Google Cloud’s Certificate Authority Service (CAS).
Google Cloud’s introduction of a new CAS lets developers and application teams eliminate many of the challenges that come from running and maintaining PKIs. Google Cloud’s new CAS is highly available and scalable on Google Cloud Platform (GCP). The service is designed to be simpler to deploy, tailored for your needs and enterprise ready – all part of Venafi’s vision for Machine Identity Management.
This is great news for security, network operations, DevOps, and cloud engineering teams that use the Venafi Trust Protection Platform to secure their business-critical applications. Now any organization using Venafi can integrate Venafi’s speed, ease of use, and powerful automation with hundreds of applications, cloud services, and security systems through an agile, cloud-based PKI. Whether you use F5, NGINX, Kubernetes, Ansible, Vault, Terraform or any combination of these technologies, you’ll be able to merge the power of Venafi’s ecosystem with Google Cloud’s CAS immediately.
The Venafi Platform and Google Cloud’s CAS work together to simplify and automate Machine Identity Management at any scale. Security, DevOps, cloud engineering, and operations teams can now:
- Seamlessly use Google Cloud CAS as part of their Machine Identity Management service offered throughout your business
- Scale, adapt, and drive new levels of speed everywhere the business needs machine identities
- Consolidate or migrate old PKIs
- Gain full visibility into the demand, usage and workflow of certificate services
- Automate certificate lifecycle immediately with hundreds of integrated products and services in the Venafi Ecosystem
- Reduce risk with intelligent policies that makes it easy for security operations to provide consistent service, automated workflow, configurable approval and authorization, and detailed logging
- Support the full certificate lifecycle from request, issuance and renewal to revocation
“These are times of rapid change,” says Kevin Bocek, Venafi’s Vice President of Security Strategy & Threat Intelligence. “Security teams need a modern, cloud-delivered PKI as part of their Machine Identity Management strategy. From Kubernetes to mobile devices, Venafi customers have the speed and agility with the new Google Cloud CA Service they need to succeed.”
Venafi provides a common language that helps the Google Cloud CAS translate across the diverse languages of machines, certificates, governance policies and applications. And best of all, they do it easily and seamlessly, at the blinding speed digital transformation requires.
Read Google’s blog post about their new Google Cloud CAS and its integration with Venafi.