The Good Tech Companies - Modernizing PKI for Zero Trust and Microservices: Insights from Rakesh Keshava

Episode Date: September 18, 2025

This story was originally published on HackerNoon at: https://hackernoon.com/modernizing-pki-for-zero-trust-and-microservices-insights-from-rakesh-keshava. Rakesh Keshava explains how modern PKI with automation, short-lived certs, and crypto-agility enables zero trust and secure microservices in 2025. Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity. You can also check exclusive content about #modern-pki-zero-trust, #pki-modernization-2025, #rakesh-keshava-cybersecurity, #short-lived-certificates-pki, #crypto-agility-pki, #pki-for-microservices, #identity-centric-pki, #good-company, and more. This story was written by: @jonstojanjournalist. Learn more about this writer by checking @jonstojanjournalist's about page, and for more stories, please visit hackernoon.com. Legacy PKI is failing in a zero-trust, microservices world. Rakesh Keshava outlines how modern PKI must evolve: short-lived, automated, identity-bound, auditable, and crypto-agile. His insights show how organizations can secure dynamic workloads and hybrid clouds, making PKI the backbone of digital trust in 2025 and beyond.

Transcript
Starting point is 00:00:00 This audio is presented by Hacker Noon, where anyone can learn anything about any technology. Modernizing PKI for Zero Trust and Microservices: Insights from Rakesh Keshava, by Jon Stojan, journalist. In the ever-evolving digital landscape, the foundation of secure communication and trusted identity, public key infrastructure (PKI), is being pushed to its limits. As systems become increasingly decentralized, workloads more ephemeral, and attack surfaces more dynamic, legacy PKI models are proving inadequate for the realities of zero-trust architecture and service-based computing. Mr. Rakesh Keshava, a software architect in the field of
Starting point is 00:00:39 cybersecurity with over 17 years of industry experience, is a fellow of the Institution of Electronics and Telecommunication Engineers (IETE), a full member of Sigma Xi, a senior member of IEEE, an IEEE Day 2025 ambassador, and currently serves as chair of the ACM Fremont chapter, fostering collaboration and knowledge sharing among professionals, researchers, and students in the Bay Area. He is the named inventor on multiple U.S. patents in the areas of cryptography, identity-centric security, and automated key lifecycle management, with his work cited extensively by leading global technology firms. His professional journey reflects a strong balance of research excellence and practical industry impact across enterprise security, cloud systems, and AI-driven
Starting point is 00:01:25 security solutions. He believes the future of digital trust lies in modernizing public key infrastructure (PKI) to align with the velocity, granularity, and dynamic risk profiles of today's systems. He advocates that PKI must evolve to become agile, automated, and context-aware, capable of supporting hybrid cloud, zero-trust architectures, and distributed digital ecosystems. Rakesh emphasizes that PKI should not only protect static assets but also dynamically secure ephemeral identities, workloads, and agent-to-agent communication across modern environments. His vision places PKI at the center of digital trust, ensuring it matches
Starting point is 00:02:05 the complexity and pace of the systems it is meant to secure. The breaking point of traditional PKI. Traditional PKI was never designed to operate in a world where workloads are created, scaled, and destroyed in minutes, says Mr. Rakesh. The old approach of issuing long-lived certificates manually and storing them in static locations simply cannot support today's infrastructure. A clear sign of this shift is the reduced certificate validity enforced by major browser vendors. Public TLS certificates, once valid for up to five years, are now capped at 398 days, with growing pressure to go shorter. This trend reflects a broader industry realization: short-lived credentials reduce the risk of compromise and make automated rotation a necessity. For internal
Starting point is 00:02:50 PKI, the shift is even more dramatic. Organizations are experimenting with certificates that expire in 24 hours or even less. This approach strengthens security posture but creates an operational challenge. Legacy PKI systems can't handle the volume or velocity of issuance and renewal at this scale. Zero trust starts with identity, and PKI delivers it. Zero trust, as a model, demands continuous verification of identity, regardless of location, network, or assumed privilege. That means every user, device, application, and service must prove its authenticity at every point of interaction. PKI is the engine behind that proof, Mr. Rakesh explains. It enables secure, cryptographically verifiable identity for both human and machine actors. But only if it's designed to
Starting point is 00:03:39 work dynamically. In a zero-trust context, trust isn't established by being inside the firewall or on a certain subnet. It's established by cryptographically asserting identity, and that's precisely what a certificate does when issued based on real-time policy and usage context. What defines a modern PKI? Mr. Rakesh outlines several characteristics that differentiate modern PKI from its legacy counterparts. Ephemeral by design. Certificates must have short validity, ranging from a few hours to a day, requiring regular rotation. This reduces exposure and enforces re-verification. Policy-driven automation. Issuance, renewal, and revocation processes should be fully automated and controlled by business and security policies, not manual intervention or
Starting point is 00:04:25 static configuration. Identity-bound credentials. Certificates should not rely on network metadata like IPs or DNS names. Instead, they should be bound to trusted identity claims such as workload roles, verified service accounts, or authenticated users. Observability and auditability. Certificate activity must be logged, monitored, and auditable in real time, especially for high-sensitivity systems. Cross-domain scalability. PKI should seamlessly support distributed workloads across multiple data centers, cloud environments, and regions without single points of failure. Cryptographic agility. The infrastructure must support future-proof cryptography, including a transition path to post-quantum algorithms without needing full redesigns. Where modern PKI adds
Starting point is 00:05:12 value. Beyond public web services, modern PKI is now a strategic asset in securing internal systems. Its use cases include secure communication between services over encrypted channels with mutual certificate validation, validating internal API calls using signed certificates rather than static tokens, ensuring authenticity of software releases and internal configuration files, establishing encrypted tunnels between regions or isolated environments, and issuing certificates to developers or administrators for privileged access, automated and role-aware. In all these cases, Mr. Rakesh notes, certificates serve as digital passports that can prove, securely and independently, who or what a system is. But for that to work reliably, the issuance and trust process must be
Starting point is 00:06:00 fast, contextual, and revocable. Why short-lived certificates should be the default. One of Mr. Rakesh's strongest recommendations is to adopt short-lived certificates across internal systems. Instead of rotating secrets manually or relying on long-term trust, short-term credentials force revalidation, enforce hygiene, and support dynamic scaling. If a certificate only lasts 12 hours, you don't need to worry about revocation lists or expired keys hanging around for months, he says. Short-lived certs reset the trust boundary continually, and that aligns with the realities of modern operations. He advises starting with seven-day lifespans and gradually moving toward daily or even hourly expirations, combined with policy-based auto-renewal and
Starting point is 00:06:42 enforcement. A visual roadmap showing PKI's evolution from long-lived certificates to short-lived automation and fully modernized agile trust. The diagram above captures the strategic progression of PKI from its traditional roots to a modern, dynamic trust framework suited for today's security landscape. On the left, we see the classic PKI model, where certificates are long-lived, manually issued, and bound to static systems like servers or host names. This model assumes a stable environment and low issuance frequency, assumptions that no longer hold true in distributed systems. In the center, the modern PKI stage introduces short-lived certificates and automated renewal, shifting trust from static assets to real-time identity verification. This leads to the final phase, PKI modernization,
Starting point is 00:07:30 where trust decisions are fully integrated with system life cycles, security policies, and cryptographic agility. At this stage PKI becomes context-aware, as credentials are tied to workload roles, service accounts, and authenticated identities rather than static IPs or DNS names. It is auditable and observable, with certificate activity continuously monitored in real time. It is scalable across clouds and regions, avoiding single points of failure while supporting hybrid and multi-cloud environments. It is also cryptographically agile, designed to transition seamlessly to stronger and post-quantum algorithms without disruption.
Starting point is 00:08:08 In this state, certificate management is no longer a background task but an integral part of the security fabric. It lays the foundation for zero trust by ensuring that every connection, request, or process can be cryptographically verified on demand. Common pitfalls in PKI modernization. Despite the urgency, many organizations fall into predictable traps when attempting to modernize their PKI systems. Mr. Rakesh outlines four of the most common and how to avoid them. Treating PKI as a one-time deployment. Many teams install a CA and assume the job is done. But PKI is not static. It must evolve continuously: policies updated, keys rotated, issuance volumes monitored, and vulnerabilities mitigated.
Starting point is 00:08:52 Neglecting integration with system life cycles. Certificates should be issued and revoked in tandem with the systems they secure. If a certificate outlives the system it was issued to, it becomes a risk. Integration with provisioning and decommissioning processes is critical. Lack of a proactive revocation strategy. Revocation is often misunderstood or delayed. Without automation and proper observability, expired or misused certificates may go undetected, especially in internal environments. Hard-coding cryptographic algorithms. Building systems around fixed primitives like RSA-2048 or SHA-1 leads to rigidity and risk. Modern PKI must support crypto agility, allowing smooth transitions to stronger or quantum-resistant algorithms as standards evolve.
Starting point is 00:09:38 Crypto standards don't change often, Mr. Rakesh says, but when they do, the cost of inflexibility is enormous. Designing with agility from the start is the only safe path forward. A practical path to modern PKI. Mr. Rakesh emphasizes that modernization doesn't need to be overwhelming, especially if done in phases. 1. Inventory existing certificate usage across internal systems, workflows, and APIs.
Starting point is 00:10:05 2. Shorten certificate lifespans gradually and implement auto-renewal processes that don't rely on manual intervention. 3. Tie issuance to identity and role-based policies, ensuring credentials are only issued to authorized actors. 4. Monitor and audit all certificate activity, including failed requests, unusual usage patterns, and renewals. 5. Plan for crypto agility and post-quantum migration, even if just in test environments, to future-proof your infrastructure. PKI is not just a back-end utility or compliance checkbox. It's a core enabler of trust in today's digital ecosystem. As businesses adopt zero trust, accelerate digital transformation, and secure increasingly complex systems, modernizing PKI is no longer optional; it's foundational.
Starting point is 00:10:52 Trust in 2025 and beyond will depend on systems that can prove who they are, what they're allowed to do, and whether they're doing it securely, Mr. Rakesh concludes. Modern PKI is how we enable that trust at scale, in real time, and with confidence in the future. The views and opinions expressed in this article are solely my own and do not necessarily reflect those of any affiliated organizations or entities. Thank you for listening to this HackerNoon story, read by artificial intelligence. Visit hackernoon.com to read, write, learn, and publish.
