Interview with Jason Sabin, Chief Security Officer of Digicert
Security is a very important yet often overlooked component of online safety, especially given how easy it is to access sensitive data in transit and through vulnerabilities that have been exposed through code leaks. Jason Sabin came into his role at DigiCert, a certificate provider offering SSL, TLS, and PKI expertise, through unconventional means, but he's passionate about what he's done. It's been great to learn about his business and DigiCert's core competencies.
Can you tell us about your company and how you came to join?
DigiCert provides essential identity and authentication services for e-businesses. Classically, we have done SSL certificates for web servers and code signing certificates. Lately, we've expanded to serve the Internet of Things (IoT) market with high-assurance certificates that protect private data from prying eyes. These certificates help to encrypt, authenticate, and provide identity services to organizations for business systems and products. Before I joined DigiCert, I was a customer. I was always attracted to DigiCert’s focus on innovation and customer experience. I had a strong background in security and wanted to help.
What is the importance of having an SSL certificate?
TLS and SSL are a critical backbone of Internet communications today. Without them, you'd be open to a lot of vulnerabilities and problems. These certificates protect business and customer data from hackers and snoopers, and for anyone looking to do business today, authentication and encryption are needed. Digital certificates provide the primary and most scalable method to do that. This is especially true with recent Google steps to soon mark non-HTTPS sites as not secure and to give a boost to search rank results using SSL - the web is moving into encryption by default. It's becoming an important theme that anyone should have a certificate on their website, smart device, internet-connected system. It's not just e-commerce anymore. We want to be effective in helping companies achieve scalability security that the people they support can trust.
What is the difference between the many different SSL certificates offered by DigiCert? How does someone make an educated buying decision?
We offer a wide variety of digital certificates: some are SSL plus, wildcard, multi domain, device, wifi, etc. We offer different types of certificates depending on what types of validations are needed and the use cases. Sometimes it can be overwhelming but we're solving so many different problems with our solutions. We provide tips on our website (digicert.com) to help people pick the right certificate for their needs. We also offer an award-winning certificate management platform, named CertCentral®, to help companies manage even millions of certificates at a time. We have customer service 24/7. A lot of the time, people just call us, and they appreciate that when someone picks up the phone, that person is an expert in SSL/TLS/PKI so they can help them with the certificate they need to buy.
What exactly is "code signing" and how is that different from other SSL certificates that you offer?
Digital certificates are often used for what I call three cornerstones: authentication, encryption, and signing. Signing validates executable binary software apps. DigiCert SSL certificates show users that the websites they are visiting have been verified as owned/operated by the company listed in the certificate, and these certificates also encrypt the data sent between the user and the website’s server. Code signing is the process of validating software products. You want to make sure you install executable software from a company you trust. If companies don’t use code signing certificates, users do not have a way to verify if the executable they want to download and run is legitimately from the company they intended. Likewise, companies that use self-signed certificates, rather than ones issued from roots trusted in the browser (such as DigiCert), risk their users seeing warning messages that the software may not be secure.
How is DigiCert involved in the Internet of Things and what solutions are available?
We're definitely very involved in helping organizations secure their IoT deployments. A lot of companies realize IoT security is a critical aspect of their offering. Authentication, encryption, and signing are important for the IoT so we offer solutions to integrate certificate management into a company’s ecosystem and product offerings.
Can you tell us a bit about the PKI solutions that are offered?
We offer PKI solutions for IoT environments, enterprise customers, and emerging specific needs such as healthcare exchange, securing public Wi-Fi, etc., via digital certificates that can meet the massive scale of large enterprise and IoT use cases. Some customers need to issue millions, or tens of millions, of certificates and don't have the expertise to do that. We help them build a solution using DigiCert technology and innovation to create a seamless experience for them. Some people need to manage the entire certificate life-cycle and landscape via a smart portal called CertCentral®. Customers want to easily procure certificates, manage them, monitor them, and check them for problems, and we help them do that. We pay attention to our customers, regardless of the size of their account, always talking to them to understand the problems they are having and quickly jumping on that to find a solution for them.
How big is the whole company? Where are you based out of and do you have other offices?
We have many security in-house experts and outside consultants. Across DigiCert, we have SSL/TLS/PKI experts and people who can address customer questions. We have about 200 employees, and over 115k customers in 185 countries. This summer, we bought Verizon's SSL business, expanding our reach even further particularly in Europe and Asia, catering to big enterprise providers and telecom arenas. We're headquartered in Lehi, Utah, but we have additional facilities, partners and presence around the world.
How did you come from being a software engineer to working as a chief security officer at one of the most established security companies?
I knew I wanted to be in computers when I started writing code in the 5th grade. I'd write code and try to break that code. That carried out with me throughout my career and I built security products and tried to break them to find weaknesses. I’ve always had that mindset to find weakness to resolve them and fix them. I'm a different CSO with a background in engineering/R&D, building up and architecting software, whereas most CSOs have worked in IT and system administration. Both paths bring valid perspectives. Mine helps me in my role to build systems and platforms that simplify certificate management.
I've filed over 50 patents and over 30 have been issued throughout the course of my career. Most have been in cloud computing, mobile IoT security, and identification. I've been designing new technologies around security and identity, most recently dealing with automating and simplifying certificate management tasks such as certificate inspection, discovery and analysis.
Do you find Google's emphasis on increased SSL for rankings changing how you approached the marketplace, and did you see new customers as a result?
We've definitely seen a lot more customers, not only the increased use of SSL/TLS within browsers, but within IoT and healthcare. We're seeing an increase in the number of people who are interested. We want to increase customer experience to make users more secure; Google's changes are leading to a greater awareness to protect all parts of the website and not just login pages and shopping carts, protecting the entire browsing session, and we definitely encourage more encryption. It doesn’t change how we approach the marketplace, except that we’ve invested heavily in our systems and people to meet the strong growth demand that we continue to experience.
How do you respond to various vulnerabilities that are exposed within OpenSSL? What's DigiCert's policy with respect to making sure all certificates are secure, and how do you make sure these changes are invisible to the end user?
We're very on top of these developments and work proactively to communicate with our customers, even if they don’t affect digital certificates. Not many of these vulnerabilities affect certificates, but since customers look to us as SSL/PKI experts, we always communicate alerts and provide tools to help administrators know what to do. For example, our DigiCert® Certificate Inspector provides real-time information via an intuitive dashboard so administrators can find all their certificates, check configuration and make sure they are meeting best practices. We try to help customers with all of their certificate needs.
Are you involved in analysis of other Internet breaches (XMLRPC, etc), and what does that process involve?
We definitely keep track of those, but we focus on the SSL and TLS landscape because customers primarily look to our expertise on these matters. For me as a chief security officer, we always analyze breaches and vulnerabilities. Directly yes, we pay attention, but customers are usually looking to us to be their go-to guys primarily for SSL/TLS vulnerabilities and problems.
What would you suggest to someone wanting to start a career in security? How do you recommend they learn more about the area to become good at it?
Often, a lot of people go through the traditional track of IT. I went through a different track of product development that was very valuable: to be very curious, to be a problem solver, someone interested in how things work. When you check problems and vulnerabilities, it takes a very creative mindset to help mitigate the issue. I suggest that people study computer science, engineering, and mathematics to gain those problem-solving skills. You can learn the technology skills to be able to use software that finds bugs and vulnerabilities, but you also need to have a general curiosity to dig to identify the root of the problem.
I unknowingly began my career path well before I got my first job. As a junior high school student, I was always looking to explore from a code kind of view. For example, there's a thing called an SQL injection attack, and I asked how that worked and analyzed it. I was able to see where the data has been passed through the code path and can see the exact point that caused the problem of those attacks. I loved analyzing that and trying to determine how that broke.
For someone wanting to discover XSS (cross site scripting attacks), they can learn about how that occurs and apply their newfound knowledge to other instances. Some people today may just want to patch the system but they don't understand how those problems are executed. I like to explain how these vulnerabilities work so that it can be applied to lots of instances.
What's the plan for DigiCert over the next 5 years?
We're definitely focused on our aggressive growth; we've been growing like crazy and will continue to be the leader in innovation in the industry and focus on customer support. This helps us outpace our competition and gain massive amounts of market share - new customers and new markets (e.g. healthcare and IoT). We want to be the go-to provider for all types of security. In five years, we expect to be much larger but still providing the best service and personal touch we possibly can.
Is there anything else our users should know?
I look at the world and how it's changing especially with IoT; it's changing an entire lifestyle for consumers. It’s also changing how enterprises are doing business and how businesses operate. Without strong security in place, we'll run into serious problems in the future. We are seeing a lot of hacks on IoT devices and some are scary, such as breaching an infusion pump at a hospital, people hacking into baby monitors or taking over self-driving cars. As such, security plays a critical and necessary role. We are definitely focused on helping companies resolve issues and build IoT security into their infrastructure. Gartner has recently predicted that PKI will emerge as one of the most relevant authentication methods and we are already seeing the validity in their prediction. We have customers coming to us needing IoT security, and PKI is well-positioned to solve many security issues facing the next generation of IoT products. As a go-to provider of IoT security solutions, we feel very confident of our growth prospects and our ability to provide the best certificate-based security solutions. The smartest companies are coming to us, and we’re working with them. It’s an exciting time to be involved in security, especially because we can now build security that will make our world a better place to live in future years – if we do security right now.