Sectigo Exec: ‘This Is Not Your Father’s Digital Certificate Landscape’

‘This is a very dynamic world, and enterprises need to be agile,’ Sectigo Chief Compliance Officer Tim Callan says at XChange+ 2021 in San Antonio.

Digital transformation can transform a business, but it also comes with new vulnerabilities hackers can exploit. And one of the often-ignored exposure areas for an enterprise are digital certificates used for encryption, according to Sectigo Chief Compliance Officer Tim Callan.

Take quantum computing, Callan told a crowd of solution providers as part of XChange+ 2021, a conference in San Antonio this week hosted by CRN parent The Channel Company.

Tech giants from IBM to Google are in the quantum investment race, and enterprises are excited to unlock new computing power. But the new computing architecture will result in the obsolescence of traditional encryption algorithms such as Rivest–Shamir–Adleman (RSA) and elliptic-curve cryptography (ECC).

[RELATED: SonicWall Breached Via Zero-Day Flaw In Remote Access Tools]

“All the RSA and all the ECC encryption used in the world will be no good,” Callan said. “And we’re all going to have to swap out all of our certs in the next, let’s say, two years. For sure. Not a question. There’s big things coming. This is not your father’s digital certificate landscape.”

“This is a very dynamic world, and enterprises need to be agile,” he continued.

Callan’s speech was part of the Roseland, N.J.-based public key infrastructure services provider’s pitch to solution providers to join Sectigo’s partnership program.

Sectigo has historically been a retail channel play, Bonnie Simmons, the company’s enterprise channel sales leader, told the crowd.

The company, founded in 1998, has been in a growth period. In September, San Francisco-based private equity firm GI Partners acquired Sectigo. Two months later, Sectigo bought secure sockets layer (SSL) certificate providers Xolphin and SSL247.

The company has issued billions of certificates, more than 700,000 customers and a 99 percent enterprise customer retention rate, Simmons said. Sectigo’s emerging partner program grants 30 percent total margin for registered opportunities.

“This is something new to the channel,” she said. “A lot of this has not been resold before.”

Simmons told CRN that Sectigo has invested in growing its partner program at least since she joined the company in 2019. Prior to Sectigo, she served as director of security vendor management at PCM Inc. and national security channel operations director at ePlus Technology.

“The channel is the only way you get to scale with enterprises,” she told CRN.

Derek Nwamadi, CEO of Quantum Symphony, a Dallas-based provider of services including cybersecurity, enterprise resource planning and cloud computing, told CRN in an interview that he became a Sectigo partner about six months ago.

He said the company won him over because certificate security is an area that can fall through the cracks of his customers’ security and networking teams, making Sectigo’s services attractive to add to his portfolio.

Sertigo’s services include certificate deployment, discovery, visibility, revocation with automatic replacement and renewal of certificates nearing expiration, with options for customization.

Nwamadi said that in addition to quantum computing, advancements in artificial intelligence and machine learning will also have enterprises revisiting their strategy around certificates.

“It’s amazing how many organizations don’t take this seriously,” he said. “The larger they are, sometimes, the worse off they are.”

Digital certificates have been used in major hacks in recent years, Callan told the crowd. The “Heartbleed” security bug discovered in 2014 resulted in attackers gaining the private key of the SSL certificate on vulnerable websites.

“Every certificate that had ever run on a current version of Apache had to be presumed to have the private key stolen,” he said. “There was not even a way to tell if it could or couldn‘t. And the majority, more than 50 percent of the certificates in use were considered exposed. One day. Out of the clear blue.”

Security threats involving certificates continue this year. In January, Mimecast announced that a sophisticated threat actor had compromised a Mimecast-issued certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services.

The myriad ways to expose private keys mean enterprises need ways to change a large amount of certificates quickly, Callan said. In March, Sectigo discovered people were uploading private keys to its certificate revocation list (CRL) interpretive tool.

“We went through and we revoked thousands of certificates within 24 hours,” he said. “We had no choice.”

Certificates are “all little ticking time bombs that are sitting out there in the enterprise ready to ruin someone’s day,” he continued. “You never know when your day is going to be ruined.”