Meet Our Guest
Gaurav Sharma
Channel Director UKI & META at Keyfactor
Gaurav Sharma is Channel Director for UKI & META at Keyfactor, bringing nearly two decades of experience in the cyber security channel to his work on public key infrastructure and certificate lifecycle management. Previously at BlackBerry, he has spent the last 18 months specialising in one of the most overlooked areas of cyber security, helping enterprise organisations and channel partners gain full visibility of their certificate estates and build the automation capabilities to manage them at scale.

ONE-PAGER
Digital Trust Explained with Keyfactor
Best Practices & Lessons Learned
This one-pager captures the four key lessons from episode 24 – covering certificate automation, the importance of discovery and visibility, the risks of certificate expiry, and how to start preparing for post-quantum computing. A practical reference for any IT or security professional responsible for digital identity management.
Episode Transcript
Adam Myers:
Hello and welcome to our podcast, Tales from the CyberLab. My name’s Adam Myers and I’m the Sales Director here at CyberLab and I’ll be your host for today. Joining me is Gaurav from Keyfactor. Welcome!
Gaurav Sharma:
Well, thank you Adam and thank you CyberLab. Glad to be here and glad to be sitting here and looking forward to this podcast. I mean, to be honest, it’s taken me a bit of a preparation, but I’m still here.
Adam Myers:
And we’ve got a fancy new studio, so all our guests out there, we have had an upgrade and I’m super excited to show you this today. So the podcast is onto some really great things and thank you for everyone who has listened and subscribed so far. So Gaurav, could you just tell us a bit about your role and what you do on a day-to-day basis?
Gaurav Sharma:
Yeah, no, absolutely. So Gaurav Sharma, so I’ve been with Keyfactor for just over 18 months now. I’ve been in cyber security channel for probably closer to two decades. I used to work for Blackberry before I joined Keyfactor. Keyfactor is an interesting technologies and I’m sure we are going to talk about this as we progress, but a lot of people, obviously cyber security is very wide term now. There are a lot of aspects of cyber security. I mean, it starts from the application layer, goes down all the way to the infrastructure layers. Keyfactor actually is working on a very interesting component of cyber security, if I may say that, which is called PKI, the certificates. And again, this is something new to me, but over the last 18 months, I have learned a lot and I have come to a conclusion or come to a point where I can say that this is one of the crucial part of the whole cyber security offerings or cyber security that the CISOs and CIOs are trying to protect. So it’s the initial gatekeeper for an enterprise to protect.
Adam Myers:
Yeah. And I guess like certificates, for example, it’s management of those and the impact if you don’t manage them well.
Gaurav Sharma:
Oh yeah.
Adam Myers:
So we’ll cover that at some point shortly, but I think that’s a big area. For a lot of people who are doing more of the day-to-day in their role, they probably are using certificates and PKI, as you mentioned them, and probably not knowing, they’re probably getting a spreadsheet somewhere. And there’s actually sophisticated tools and technologies available.
Gaurav Sharma:
And again, Adam, what we must understand is with the proliferation of the digital service, almost everybody has got a digital surface now, which means that you need digital identities. So PKIs do get associated with the digital identities. Now, the more digital identities I have, the more certificates I need. And going back on, and this is very well articulated in terms of how so far people have been managing those certificates. It’s been literally on, and I’m not talking about thousands of certificates, literally managing on Excel sheets. Now they are certain rules and regulations changing. Obviously the regulators have taken some firm’s stances in terms of how they can secure those certificates, how they can make sure that certificates do not became a single point of entry for the spammers, for the vectors to get into the network. And one of the things which has come up, and this has started obviously, and this has been going on for some time. One of the thing which came up very recently was with NIST coming out and putting up guidelines for the public certificates. So TLS-based certificates that they believe reducing the lifecycle of those certificates from 398 days, which was last year to 47 days in 2029 could definitely help secure or at least put a mechanism in place where they get renewed more often than before, which means people who are managing those certificates on an Excel sheet needs to have a mechanism in place. So they’ve got two options, either to hire an army of people to keep managing it or get it automated. And I think that’s what is creating a lot of buzz in the market and there is a requirement for tools for platforms which can support them with.
Adam Myers:
And just for our audience, you mentioned NIST there – we can carry out any NIST assessments for you and we can sort of pull in our consultants to help support that if you are looking for those assessments. And yeah, Keyfactor obviously being a big part of that in terms of the strategy. So I guess our first topic, so Gaurav, we hear the phrase digital trust a lot, but what does it really mean in practical terms?
Gaurav Sharma:
So digital trust is, as I mentioned, it’s about authentication. So I am Gaurav, you are Adam and I’m talking a very layman term. We know each other because we’ve got either our mobile numbers, we talk to each other, we can see each other face-to-face. Now in the digital world, the only way people, machines can understand each other is using some sort of identities and that’s identity is certificate and that’s where it’s become complicated because now you see you’ve got connected printers, you’ve got IOTs, you’ve got OT and you’ve got all digital watches and everything is digital now. So that means every single digital device or an application contains multiple certificates to sort of authenticate themselves into proving that if they want an information from you, they provide you the certificate and then they are certificate authorities with sorts of validate that this is a legitimate certificate. So this is how the digital world today works. Now imagine if somebody comes and pretends Adam has got off. So let’s say a person comes in and starts pretending himself or herself it’s Gaurav, the only way you can sort of validate that is by checking driving licence or some aren’t proof and that in the digital word is a certificate. So if a certificate gets in a way hacked or nothing will stop. It just, you will not know who is actually managing it.
Adam Myers:
So in a way you use it, I love stories and analogies. So you mentioned a driving licence. It’s basically that check to say you are who you are.
Gaurav Sharma:
Exactly.
Adam Myers:
And I guess the challenge for a lot of our listeners and businesses right now is that these digital identities have scaled rapidly probably over the last sort of 5 to 10 years, where now maybe historically that was easy to manage. It’s now becoming just wildly out of control to make sure that you’re doing these checks regularly to make sure it is what we think it is.
Gaurav Sharma:
It is exactly. And again, as I briefly mentioned about the certificate lifecycle management, the reduction of the life cycle of a certificate, that has also sort of driven the push in terms of how do we make sure that those certificates, those identities are secured, they’re renewed on time, that they are automated and controlled and monitored.
Adam Myers:
Yeah. So there you’ve got this timescale is shortening and the number of digital identities increasing, you’ve got this point where it’s becoming a little bit unmanageable and that’s where Keyfactor is doing that heavy lifting and the automation side of it is taking that challenge away for people on the day to day.
Gaurav Sharma:
So Keyfactor, so we mentioned that. So Keyfactor is a 20 years old company, which we don’t do anything else. I mean, this is the bread and butter for Keyfactor. So we issue certificates, private certificates, which are typically SSL-based certificates. We also do a lot on the CLM side of it. So Certificate Lifecycle Management. So we’ve got our own platform that we have invested in and grown for ever since CLM itself was a concept that since then we’ve been doing this. And again, last year we acquired a company called InfoSec Global, which is into crypto agility. So it has got a product, it’s called a child seg, which is helping a lot of organisations in order to discover those cryptogility solutions, sorry, crypto agility assets*.
Adam Myers:
Yeah, amazing. So I guess expanding the conversation, so where do certificates and public key infrastructure (PKI) actually sit in a modern organisation?
Gaurav Sharma:
So I said, I think they sit, so anything which is digital, you would find certificates then. So give you a typical example, an iPhone, I mean, how many certificates do you think sits in an iPhone? Take a wild guess.
Adam Myers:
I don’t know. 20?
Gaurav Sharma:
So it’s probably more because as well. And the reason is because of the application that comes in. So every single, again, going back on the point of how do you identify it. So every single app that sits, which works in the digital world needs an identifier and that identify becomes a certificate.
Adam Myers:
Yeah. So again, it’s just you’re constantly, everything is trying to identify one another, isn’t it?
Gaurav Sharma:
Yes.
Adam Myers:
And I guess how do you manage that? And I guess what’s the impact if you don’t manage it well? Does that have a big knock-on effect into the security and impact of I guess just day-to-day?
Gaurav Sharma:
Yeah. So there have been incidents in the past as well where there were certain organisations and there were lapses on the certificate side of a certificate expired without them knowing, which could result in health defines penalties and there are regulations which are extremely becoming strict. And so it’s becoming really important for organisations to be on top of these certificates that they have and make sure that they have a full inventory of those certificates. So that’s where, again, we come in and Keyfactor is extremely good when it comes to inventory and identifying those certificates.
Adam Myers:
So for our listeners, is there something as a first step maybe that our businesses could take if they’re, I don’t know, let’s just play the extreme that they’re in a spreadsheet at the moment and that list is probably, they probably don’t have visibility of all of them for one element. Where would the starting point be for an organisation that maybe should be starting maybe looking at something like Keyfactor?
Gaurav Sharma:
Yeah, I think the starting point is we start with identifying discovering the certificates within the network. So today we’ve been speaking to a lot of enterprise and you and I, we know that our teams have been working together and we are working on a few customers jointly where the approach from CISOs is all the same point: they lack the visibility. So for them to understand what exactly needs to be protected is a big question. So what we do is we go into the network, we go into and we start, we do discovery access, we do inventorizing the whole suite of applications or whether it’s network or infrastructure and we produce these reports for the certificates. But with the acquisitions that we have done recently, we also can do cryptographic assets. Now when I say cryptographic assets, because what’s happening is the identities could be related to certificates, but identities also means tokens algorithms and a lot of other things that get associated. Keyfactor is certificates, but that’s where we believe the value for CyberLab is and for other partners that we work together is the services that we are trying to generate for them because there is a value that we can together bring into the customer.
Adam Myers:
Because I guess there is that skills gap as well, isn’t it? Where the knowledge that you bring to this in terms of also like quantum brings a whole different sort of element to this, which at some point is going to happen with quantum mechanics and how that is going to develop. I guess that’s what you’re probably buying into as well. It’s not just the ability to have visibility of these things. It’s actually the skills of your people that come on and do that and help.
Gaurav Sharma:
No, 100%. So we went to our RKOA this year and Dan Michael, who’s the Chief Sales Officer for Keyfactor, he mentioned, he gave us a very good sort of… He shared something very interesting and he was like, if you all remember Y2K, what happened during Y2K was we knew what the problem was. We knew when it’s going to kick in. We knew this solution. So everybody was trying to work towards it. Now quantum is interesting because there are projections, they are predictions about quantum computers, supercomputers becoming so strong, but nobody for sure knows whether they are today. I mean, it’s going to happen today, tomorrow, day after, when. The question is a big when. We all know it’s going to happen. Now with Y2K, I mean, if I drive some sort of analogy there, Y2K, we knew the system would stop working. So the problem was severe. Here it’s further one step ahead. The systems won’t stop working. They will continue to perform. We just don’t know who is going to own them, whether it’s going to be us or somebody else is owning them because obviously, I mean, if the certificates are breached, there is going to be challenge on the owning side of it.
Adam Myers:
Because it puts a risk of the whole model, doesn’t it, really, of how it’s knitted together with the speed and the action of defence and attack. I guess you could end up in a world where passwords are cracked and things are cracked a lot easier.
Gaurav Sharma:
That’s what I mean.
Adam Myers:
Yeah. And if you’re not prepared already for that, you talked about Y2K, I don’t know, I was only 12 back then, but it was this compelling event that’s happening and we were preparing for it and it was kind of, if you’re into computers, we were all waiting for it to tick over. It was like, “Oh, this is getting a bit scary.” Where now there is an element of being ready for something, isn’t it? Where maybe that might evolve over time, but we need to maybe prepare and working with you guys is probably right.
Gaurav Sharma:
Yeah, 100%. Exactly.
Adam Myers:
Good. So I guess what actually happens when a certificate is not managed properly?
Gaurav Sharma:
Well, I mean, obviously the certificate is not managed properly, it does expire, which means an expired certificate is extremely dangerous because that allows that anybody can get into a network. And again, analogy, because I love doing that just for this as well. So imagine you’ve got a guard at your house and the guard goes out and keeps the door open. What’s goi)ng to happen?
Adam Myers:
Yeah. People are going to walk in, opportunities
Gaurav Sharma:
Yeah! So exactly something similar is going to happen, right? The trust isn’t going to be there. So websites could fail. There will be incidents where the public certificates fail, you will have websites failing, they’re not opening and because obviously they need to be authenticated and if they’re not authenticated, then there’s going to be a problem.
Adam Myers:
Yeah. And I guess impact of, I don’t know, somebody has not renewed that and a lot of it’s probably free visibility that they don’t even know that they’ve got something there and then there’s a little bit of finger pointing within organisations say, oh, whose responsibility was? It becomes very, very quickly.
Gaurav Sharma:
It becomes cumbersome as well.
Adam Myers:
Yeah, it does. So a lot of the business direction could be huge if you get that wrong. Yes, that’s true. That’s true. Good. So we briefly touched upon quantum computers. I guess the risk to organisations, why should they care about that now, I guess? Why should they pull this forward in terms of their risks and what that could mean?
Gaurav Sharma:
So I think that’s an interesting topic because quantum computers, there are certain predictions around, right? I mean, NIST is saying that by 2030, all the current set of PKI, the certificates that we’re using will become duplicated, which means there is going to be a challenge in terms of the new certificates and make sure that they comply to the PQ (post-quantum) era. Now what’s also happening here is in the world, as I said, I mean, it’s not about whether this is going to happen, it’s all about when is it going to happen, are we ready? Now, if I have to break down the whole post quantum or the quantum readiness journey into smaller steps, you would see the first and the foremost step for any CIO/CISO, for any organisation is to understand in terms of discovery or inventorizing it, what exactly do they have to get again a visibility of their network, of their application suite, of the infrastructure, and then start working towards how can they modify it, how can they upgrade it? And it’s not like an on and off switch where you find out something and then you can fix it. The fixing duration itself is going to take at least three, four, five years depending on how big the organisations are. We’ve done a joint paper with SPC last year exactly on this and it’s been acknowledged that this is becoming a very hot topic in today’s world. A lot of organisations have put some real big budget aside just to invest into understanding and gaining the visibility on their network in terms of cryptographic assets.
Adam Myers:
And I guess it’s like a migration path as well, is it? Is it like preparing for that, that it’s not just a on/off that we flip a switch and we’re ready. It’s kind of like a period of time that you’re going to invest with key stakeholders within the business to say, “This is the path and the journey we need to take to be ready for quantum computers is what that means, I guess.” Okay. So into topic six. So if any organisation feels overwhelmed by certificates or PKI, where should they start? What would be your tip there?
Gaurav Sharma:
So for me, I think, and again, from our joint conversations with the end customers and for in the last 18 months, what I’ve understood is the first and the foremost step for any organisation is to start with the discovery, to understand exactly the number of certificates. So again, we can split it into two parts. One is discovering the certificates, the other is discovering the whole cryptographic asset. So start from there, understand the number of certified authorities you have, whether how are you managing your certificates today? Are you doing it manually or you are automating it? Because there has to be a clear path in terms of automate. So obviously discovering the certificate, remedify in terms of those which are not managed, automate the whole process and start monitoring them. So in case if they are certificates that you don’t need, you don’t need to manage them and then you can get rid of them.
Adam Myers:
Yeah. I guess there’s a good key takeaway I think I heard in the call was that treat digital trust as a platform, not as a project. Is that something you agree with? It is true, it is true, it is a platform. I would say the whole journey could be a project, but yes, the digital certificate, the whole certified lifecycle management, it’s a platform and it’s a beautiful opportunities for our partners. We are seeing a lot of partners coming up in terms of offering their services, tagging their services along. Again, what we are trying to do is we are trying to build an ecosystem where we are bringing in the co-sell motion with the partners or bringing them early on so they can be a part of the whole journey starting from discovering all the way up until helping the client in terms of transformation of their current infrastructure into PQC compared infrastructure.
Amazing. Yeah. And if there was on takeaway from this podcast that you can give to our audience and I don’t know, top tip, what would it be and if you could share?
Gaurav Sharma:
Well, I would say that the top tip for me is start now, know it before they know you don’t. So in a way that people, there are going to be situations where we will find out, I mean, people can find out that you’ve got an expired certificate, you need to be prepared. I mean, an expired certificate could be really bad. So business wise also, obviously regulatory wise, you can face penalties, the customers can face penalties, but business wise, also it’s a loss of revenue and I’ve talked about millions of revenue.
Adam Myers:
Amazing. What an episode and our first guest in our new studio, so thank you so much!
Gaurav Sharma:
Well, we’ll get here and the audience is good. Thank you so much, Adam. Thanks for inviting me here.
Adam Myers:
Amazing. So that concludes this episode of Tales from the CyberLab. Join us next time for a brand new episode. Until then, Stay Secure.







