Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

UK education digital trust procurement: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: UK education and research institutions now have streamlined access to PKI, TLS and certificate lifecycle management without separate procurement through a national framework selected by Jisc, according to DigiCert, but the practical issue is not the contract itself but whether shared procurement actually improves certificate governance, lifecycle control, and trust boundaries across large, federated environments.

NHIMG editorial — based on content published by DigiCert: DigiCert and Jisc to advance digital trust in UK education

Questions worth separating out

Q: How should institutions govern certificate lifecycle management in shared procurement models?

A: They should separate buying access from control ownership.

Q: Why do certificates create governance risk in federated education environments?

A: Because certificates often span many services, teams and institutions, while responsibility for them is fragmented.

Q: What do security teams get wrong about certificate-based trust?

A: They often assume the cryptography is the control.

Practitioner guidance

  • Inventory every certificate domain Map certificates by application, workload, device and owning institution so you can see where digital trust actually exists and where it is duplicated or unmanaged.
  • Assign clear renewal and revocation ownership Define which team owns issuance, who approves renewal, and who can revoke certificates when a service is retired or a collaboration ends.
  • Tie procurement to lifecycle evidence Require audit-ready evidence for renewal intervals, certificate inventory accuracy and revocation execution before treating a framework purchase as complete.

What's in the full analysis

DigiCert's full post covers the operational detail this post intentionally leaves for the source:

  • The framework terms and procurement mechanics that govern how Jisc members access the service
  • The specific positioning of PKI, TLS and certificate lifecycle management inside the agreement
  • The quoted statements from Jisc and DigiCert on why the framework was selected
  • The sector context for UK education and research institutions using shared procurement models

👉 Read DigiCert's announcement on Jisc's national digital trust framework →

UK education digital trust procurement: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Shared procurement can accelerate standardisation, but it does not standardise governance by itself. A national framework can remove friction from buying certificate services, yet the underlying risks remain local: inventory, ownership, renewal cadence and revocation discipline still sit with each institution. That means federated buying only becomes security value when it is paired with consistent operating rules. Practitioners should treat procurement as an enabler, not a control.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should be accountable for certificate revocation when services are retired?

A: The accountable team should be the one that owns the service and its trust relationship, not a generic platform function. If revocation ownership is unclear, certificates can outlive the system they secure, leaving a residual trust path that no one actively governs.

👉 Read our full editorial: Digital trust procurement in UK education shifts toward shared PKI



   
ReplyQuote
Share: