Modern PKI at cloud scale: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8526
Topic starter  

TL;DR: Zscaler’s scale story shows that legacy PKI cannot keep pace with cloud-native volumes, automation, and short-lived certificate issuance, according to DigiCert. The real issue is governance, because identity, encryption, and auditability now depend on trust infrastructure that must scale without human bottlenecks.

NHIMG editorial — based on content published by DigiCert: How Zscaler Scaled Cloud Trust with DigiCert ONE

By the numbers:

Questions worth separating out

Q: How should security teams govern PKI when cloud workloads scale rapidly?

A: They should treat PKI as identity governance infrastructure, not just cryptography.

Q: Why do short-lived certificates still need strong governance?

A: Short-lived certificates reduce exposure windows, but they also increase dependence on reliable lifecycle automation and policy enforcement.

Q: What breaks when mTLS is expanded without lifecycle automation?

A: mTLS becomes brittle when issuance and renewal are handled manually or inconsistently.

Practitioner guidance

  • Inventory certificate lifecycle bottlenecks: map where certificate issuance, renewal, and revocation still require manual intervention, then quantify the backlog risk for each service tier.
  • Separate root trust from operational issuance: keep root keys tightly isolated while using online intermediates for routine certificate issuance so scale does not weaken assurance boundaries.
  • Treat mTLS as an automation dependency: do not expand mutual TLS into new service domains until renewal and rotation are API-driven and failure handling is tested under load.

What's in the full article

DigiCert's full case study covers the operational detail this post intentionally leaves for the source:

  • The certificate authority deployment model used to separate root and intermediate trust responsibilities across the environment
  • The operational details behind API-driven issuance, renewal, and rotation for high-volume service authentication
  • The standards and assurance requirements referenced for global trust operations, including WebTrust and FIPS 140-2 validated HSMs
  • The platform-level design choices that let one PKI foundation support multiple product lines

👉 Read DigiCert's case study on how Zscaler scaled cloud trust with DigiCert ONE →

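As an added illustration of the three practitioner guidance points above (example code, not DigiCert's or Zscaler's own; the tier names, the two-thirds renewal rule and the inventory records are constructed assumptions), a small Python check that turns a certificate inventory export into a per-tier manual-renewal backlog and a list of governance violations:

```python
# Added example (not DigiCert's or Zscaler's code). Names, tiers, the
# two-thirds renewal rule and the inventory below are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RENEW_AT_FRACTION = 2 / 3  # renew once this share of the lifetime has elapsed

@dataclass(frozen=True)
class CertRecord:
    service: str
    tier: str          # service tier used for backlog risk, e.g. "tier1"
    issuer: str        # "root" or "intermediate-online"
    renewal: str       # "api" or "manual"
    mtls: bool         # presented as a client/server cert for mutual TLS
    not_before: datetime
    not_after: datetime

def renewal_due(rec, now):
    """True once RENEW_AT_FRACTION of the validity period has passed."""
    lifetime = rec.not_after - rec.not_before
    return now >= rec.not_before + lifetime * RENEW_AT_FRACTION

def manual_backlog_by_tier(inventory, now):
    """Per tier: certs due for renewal whose renewal still needs a human."""
    backlog = {}
    for rec in inventory:
        if rec.renewal == "manual" and renewal_due(rec, now):
            backlog[rec.tier] = backlog.get(rec.tier, 0) + 1
    return backlog

def policy_violations(inventory):
    """(service, reason) pairs: leaf signed by root, or mTLS without API renewal."""
    out = []
    for rec in inventory:
        if rec.issuer == "root":
            out.append((rec.service, "leaf issued by root key; use online intermediate"))
        if rec.mtls and rec.renewal != "api":
            out.append((rec.service, "mTLS cert without API-driven renewal"))
    return out

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time

def _cert(svc, tier, issuer, renewal, mtls, days_total, days_elapsed):
    start = NOW - timedelta(days=days_elapsed)
    return CertRecord(svc, tier, issuer, renewal, mtls, start, start + timedelta(days=days_total))

INVENTORY = [  # constructed sample export
    _cert("api-gateway", "tier1", "intermediate-online", "api", True, 30, 25),
    _cert("billing", "tier1", "intermediate-online", "manual", False, 365, 300),
    _cert("legacy-ldap", "tier2", "root", "manual", True, 365, 100),
    _cert("batch-etl", "tier3", "intermediate-online", "manual", False, 90, 80),
]
```

Running `manual_backlog_by_tier(INVENTORY, NOW)` on the sample gives one overdue manual renewal each in tier1 and tier3, and `policy_violations(INVENTORY)` flags the legacy service twice: its leaf is signed by the root key and it is an mTLS cert still renewed by hand.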
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7853
 

Cloud-scale PKI is now an identity governance control, not a backend utility. The article shows that once a platform supports tens of millions of users and massive transaction volumes, certificate operations become part of trust governance. Manual issuance and fragmented authority structures cannot sustain that scale without weakening policy consistency and auditability. The implication is that PKI ownership increasingly belongs in identity programmes, not only in infrastructure teams.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, according to The State of Secrets in AppSec.

A question worth separating out:

Q: How do identity teams align certificate governance with zero trust?

A: They should connect certificate hierarchy, lifecycle controls, and audit ownership to the same zero trust programme that governs workload and service identity. A unified model makes trust decisions repeatable across product lines and reduces drift between environments. If certificates are managed outside that programme, assurance becomes inconsistent.

👉 Read our full editorial: Modern PKI at cloud scale is now an identity governance issue
