When it comes to cybersecurity there are two types of ‘certifications’ that really count. Here, we explore the realm of digital certificates as well as the security certifications available as professional qualifications.
Search online for ‘security certifications’ and you’ll either be faced with a list of accredited training bodies, ideal for those looking to obtain a professional qualification in their field, or pages about SSL and digital certificates.
Though very different, the results are equally important to those tasked with the job of protecting their organisations from cyberthreats – so we’ve spoken to experts about both.
Tasked with outlining the three main types of SSL digital certificates issued by GlobalSign, a trusted certification authority (CA), was Doug Beattie, Vice President of Product Management at the firm.
The first, Domain Validated (DV SSL) Certificates, require a CA to check an applicant has the right to use a specific domain name – but no company identity information is vetted.
Organisational Validated (OV SSL) Certificates are issued to those affiliated with a company or organisation, while Extended Validation (EV SSL), as the highest class of SSL available, requires companies to go through more due diligence and validation.
EV SSL certificates activate both the padlock and the green address bar in all major browsers.
Beattie said: “They’re really useful for e-commerce sites, insurance companies and healthcare where identity is really important to know before you just start submitting personal data and things like that. You really want to know who you are talking to.”
As cyberthreats show no sign of slowing in their evolution, ‘trust’ is more important than ever. People want, and deserve, to know they’re not inputting sensitive details into a system which is compromised or potentially could be.
Beattie said it was important that people could trust the website and digital signatures – certificates – have an important role to play.
He said: “As cyberthreats start to grow it’s becoming even more important to police the scope of documents and applications that are signed and to continually improve and enhance the validation process that these companies go through, so the bad guys don’t slip through the cracks.”
One area which GlobalSign see emerging as a new challenge is the Internet of Things (IoT).
Beattie said: “This is going to be an explosive growth area for us in the coming years. We’ve really revamped our whole CA infrastructure over the last two years. “We’ve an entirely new set of systems – they are in our London data centre – and those are prepared to issue thousands of certificates per second.”
Advice to enterprises and organisations
“There are a lot of different, maybe contradictory, security requirements within larger enterprises and they need to set up decent policies and procedures for requesting and managing the certificates,” Beattie said.
Wisam Yaghmour, Regional Director at HID Global, has also discussed digital certificates.
He said: “As the need for end-to-end security continues to increase, organisations are adopting digital certificates for their digital signing capabilities and secure email for enhanced auditability.
“Digital certificates have also become more attractive due to providing a simplified user experience, with two–factor authentication eliminating the need for multiple passwords and tokens. And, with cloud authentication and credential management further integrating mobile devices, tokens, cards and machine-to-machine endpoints, digital certificates will draw upon the trusted cloud services to deliver and manage certificates across thousands of devices as environments become smarter and more connected.
“Digital certificates add trust in the Internet of Things (IoT) and are becoming a core component for combating cybersecurity risks in smart environments. With a greater focus on securing the IoT, organisations are increasingly looking towards digital certificates to add trust in the IoT by issuing unique digital IDs to printers and encoders, mobile phones, tablets, video cameras, building automation systems and a broader range of ‘things’ within the enterprise.”
The other ‘certificates’ – professional security certifications
In a world where cyberthreats are ever-evolving, there is a real need for trained security professionals. Professional qualifications are a ‘hallmark’ of quality in many industries. But does this apply to cybersecurity?
Mike Ahmadi, VP, Transportation Security, DigiCert offers his views.
“When I started in the security business the topic of security certifications was occasionally brought up, yet I paid little attention to the notion of getting a security certification because the marketplace was simply not demanding any at the time.
“It was not until around 2008, when hacking began to turn into the equivalent of a spectator sport, that organisations began taking the need for security a bit more seriously, and consequently they began considering what was the best use of their financial resources in tackling security issues.
“There were (and still are) essentially two main issues that organisations wanted to address as they looked at security.
“One is how to address a known attack on their systems, and the other is how do you show the world that you are meeting some level of due diligence as you prepare for security challenges.
“These needs led to a few issues that needed to be quickly resolved. The first was how does an organisation determine who to hire to help them with security issues?
“Since most organisations are not at all familiar with what causes security problems to begin with, it was even more complicated to determine who was best able to come to that determination and solve it.
“The other was how you answer questions like ‘What have you done to secure your environment, and why do you feel it is the right choice?’
“This is where certifications come into play, and, by far the most well-known today is arguably the CISSP (Certified Information Systems Security Professional) certification, which is called out as a basic requirement in just about every major security job today.
“I finally caved in around 2010 and decided to go for this certification and I have to admit it was not an easy test to pass. I did gain quite a bit of knowledge while preparing for the test and though I am not convinced it made me a sharper security expert, what it did do is serve as evidence to those that chose to hire me or work with me that I knew something about security and likely much more than any non-security professional in the organisation.
“Additionally, because CISSP is so globally recognised as one of the premier (if not the premier) security certification, organisations that hire those with CISSP security certifications can always point to those they hire for addressing security issues that have the certification as being evidence of due diligence.
“Honestly what it boils down to is establishing credibility and risk management. Those with certifications are not necessarily more highly skilled, but those that hire professionals with certifications can at least rest assured that they have a good starting point.”