The PKI Guy talks key management with Rashmi Jha of Microsoft

Q&A with Rashmi Jha, senior program manager for Active Directory Certificate Services, Microsoft

TPG: What is your involvement with Active Directory Certificate Services?

RJ: I am the product manager for Active Directory Certificate Services. I own and influence the product’s design and features for vNext and existing releases too.

TPG: What is Microsoft’s Azure Key Vault role in PKI?

RJ: Azure Key Vault is a secure store. It gives the assurance that the private key of the certificate got created and stayed secured from inception to its delivery. It also keeps these certificates refreshed by auto-rotating them in timely fashion.

TPG: What is Microsoft’s focus and goal with key management in Azure?

RJ: Enterprises are often reluctant to adopt the cloud due to fear of losing control of their keys to the kingdom and they are not sure whether they will have full transparency on the operations done on the keys. Azure Key Vault addresses these fears and gaps. It provides a central place to secure the keys and secrets, enable audits, and gives clear transparency to the actions taken on the enterprises’ assets

TPG: How important is key management and Key Vault to Microsoft and its customers?

RJ: We know how valuable it is to have key management on-premises. This concept of protecting keys and managing them just increases to a whole new level when enterprises shift their workloads to the cloud. For Microsoft, Azure Key Vault is the service which delivers this promise in the cloud. Microsoft has been successful in providing key management solutions on-premises to our customers and plans to do the same in the cloud or make it better and easier in the cloud using Azure Key Vault.

TPG: What problems are you addressing with Key Vault? 

RJ: Azure Key Vault as a product has two goals: 1) to provide enterprises with the hardware assurance through HSMs that they had on-premises in the cloud, and 2) to store and manage secrets (keys, certificates, passwords) etc. It is a secure store that keeps all the data encrypted at rest with a key in HSM. This secure store also provides features such as keeping the secrets refreshed, rotated and additional feature set such as central place for auditing, verifying compliance requirements, etc. This page will be a good read if you need more info: https://azure.microsoft.com/en-us/services/key-vault/

TPG: How can organizations benefit from ADCS and setting up a public key infrastructure?

RJ: ADCS works for 90% of the scenarios out of the box. Organizations have varied infrastructures that require certificates such as client authentication, internal server to server authentication, Wi-Fi, S/MIME, etc. It becomes very difficult to outsource the entire list of certificates. It has been much more efficient to install an in-house certificate authority (CA) with its list of services—CEP, CES, OCSP, NDES—and leverage it. This gives enterprises and organizations far more control and removes third-party dependencies.

TPG: What are the biggest threat factors to organizations and their data today? 

RJ: I can give a one-hour lecture on this! The world is very complex today. An organization will have a large variety of client types and server devices. At the same time, they might have some servers in the cloud or on-premise. All of this combined is a maze of different incompatible components put together in the organization’s architecture. Irrespective of this complexity, I believe even the smallest threat factor can be quite expensive to an organization if not addressed and handled in timely fashion. What I observe is that people put lot of focus on the threat factors but they forget that whatever they do, there is going to be a breach and a few things are going to break down. My recommendation is, along with the threat factor analysis, also prepare yourself to face such a situation. It might be OK to be breached for one hour, but definitely not OK to be breached for one month.

TPG: What are the biggest benefits of public key infrastructure?

RJ: I started working on PKI 14 years ago and since then, I have been hearing that PKI is dead. But lately, I think people are acknowledging that it is not dead but very much alive. PKI provides the distributed trust that is becoming more and more important in this world of complexity where several players are working together, whether it is web PKI or IoT PKI or a National ID. PKI, if done correctly, still provides identity management and authenticity with great assurance. I frankly don’t know how you would do this otherwise. You might come up with another mechanism but then I always see the bootstrap problem of trust is solved using PKI. They might call it something else, but it is still some form of PKI.

TPG: What three things can organizations do to better protect their data?

RJ: Separate their data from the secrets/keys that protect this data. Keep the data encrypted using keys and then ensure that these keys are encrypted at rest. You should only have the data and key decrypted during the actual operation. This will result in a minimal attack surface. Use the right policy to generate these secrets/keys. For example, having a password as ‘test123’ doesn’t help even if you are doing #1 and #2. Another example:  Every secret and keys should be rotated because their strength is only so much. For example, a deterministic person using the right compute power can break certain types of keys in a certain amount of years. It might be a performance hit to increase the size of the key but certainly you can ensure that it is rotated.

TPG: How do you see identity management changing?  

RJ: Identity has become the central piece of whatever we do in our daily lives. It reminds me of a cartoon from a while ago: “The Internet doesn’t know if you are a dog,” but today the Internet and services you are interacting with, know that you are a dog and which breed of dog you are! That’s how identity management is changing. It is not sufficient to know you are x but we thoroughly need to know that you are x and you have a, b, c claims but not y and z.

TPG: How do you think encryption will evolve?

RJ: Encryption will be there by default whether it is communication or data at rest. In today’s era, encryption shouldn’t be a decision that we make about whether we should do it or not. It should be just done or provided by service providers by default. ADCS introduced Elliptical curves more than 12 years ago and the wide adoption is still missing. It has been static for a while. I think now it is going to gain momentum and even the requirements as to which curves will be enforced. GDPR and other compliance will awaken to such specific requirements due to backdoor fears between the governments.

TPG: What is the future of cryptography?

RJ: I hope with more research and quantum crypto lurking on the horizon, there is hoard of evolutionary things to come our way in the cryptography world. We are just on the cusp of a huge wave of changes.

TPG: What is Microsoft doing with PKI and Azure?

RJ: That’s a great question as I always wanted to deliver this message to our valued customers. Microsoft focuses on solving customer’s problems they face today and what they are going to face tomorrow. For example, “I want to ensure only authorized folks have access to highly sensitive data and I want to focus all my devices whether Linux, PC, smartphone, printer, etc. are authenticated on the network…and that my data is always encrypted at rest, etc.” We can clearly observe that none of the problems are about PKI, but what really matters is that the end-to-end scenario is secure as well as easy to deploy, configure, and manage. Hence, at Microsoft we have been taking each problem and solving it whether it be with Intune or Microsoft Information Protection. The best solution is when PKI is not in the face of the customer. As a product manager on Azure too, I measure my success on a scenario when my enterprise’s IT admin or developer doesn’t need to be an expert on cryptography/PKI.

But I do realize PKI is now several decades old and so is ADCS. They solve a myriad of problems which is going to take a very long, long time to be solved in the cloud world. That’s why I’m looking at how to facilitate leveraging this wonderful product in the cloud/Azure. This is at a nascent stage and I would love to hear your feedback and thoughts on how you would see the continued usage of ADCS in Azure.