The days of implicitly trusting connected devices simply because they sit behind the traditional enterprise firewall, with its ‘hard’ perimeter, are over.
Risk officers and security professionals should consider all connected traffic to be on a hostile network. This requires authentication at the user, device and application level, and therefore digital identities comprise the new perimeter. If every endpoint is its own edge, it is increasingly challenging to secure networks, thanks to the ever-expanding ecosystem of multi-cloud environments, employee-owned devices, IoT and unprecedented levels of remote work accelerated by COVID-19.
As employees access applications and networks remotely via myriad laptops, smartphones and employee-owned devices, it’s more important than ever to ensure that the people and devices accessing your network are indeed who they say they are. Enterprises seeking a singular authentication model are increasingly taking a Zero Trust approach to ensuring proper identity authentication, where trust is never granted implicitly and must be continually evaluated. In fact, according to a recent ESG survey, identity was the most common aspect of security associated with Zero Trust, cited by 60 per cent of organisations. Even so, some IT teams are wondering if you can really trust Zero Trust. Here are four concepts to keep in mind as you consider migrating.
Zero Trust is a set of principles, not a check-the-box activity
Zero Trust is a set of principles, not a vendor product. While technology is integral to Zero Trust, it is only one part of a broader strategy that requires a shift in the way users, devices and applications connect to one another and over the network. With Zero Trust, a digital identity approach provides strong mutual authentication and grants detailed access and permissions to each user, device and process in the network. With that strategic model in mind, organisations can then apply the necessary authorisation, assurance, analytics and administration capabilities in combination to support this cohesive identity architecture.
Public key infrastructure is foundational to Zero Trust
User and device authentication are the starting point. In the past, enterprises would turn to more complex password requirements or multi-factor authentication (MFA) to provide a deeper measure of security, but these methods have their own vulnerabilities. Passwords are easily stolen, and criminals can just as easily intercept the one-time passwords or soft-token authentication that MFA relies on.
Public key infrastructure (PKI) is the gold standard for identity authentication and encryption, and the National Institute of Standards and Technology (NIST) recently named PKI a key element of Zero Trust in its Zero Trust Architecture report. With PKI, organisations can ensure the strongest level of user and device authentication without impacting employee productivity or the user experience. PKI supports enterprises in securing business continuity by replacing passwords with user certificates, replacing cumbersome traditional MFA with instant authentication and automating the lifecycle of all identity certificates. Authentication is seamless to end-users and can be easily deployed to every employee device and system using automated tools.
Zero Trust requires governance, policy and enforcement through a centralised place
Not surprisingly, providing a highly effective degree of security and authentication to your enterprise’s diverse ecosystem of connected networks and devices is no simple task. Zero Trust relies not only on governance and policy but also on enforcement.
IT teams must ensure that no implicit trust exists across the entirety of increasingly complex network architectures, including public cloud, hybrid and multiple public cloud environments. Additionally, every user and device endpoint needs to be issued an identity, which must then be mutually authenticated across the network boundary it sits in. On top of all this, IT teams are responsible for managing the entire lifecycle of those identities. The charter to deploy Zero Trust is daunting.
PKI’s mature and ubiquitous authentication capability makes it well-suited for the task. Yet manually managing identities is nearly impossible given the hundreds, thousands or tens of thousands of connected people, devices and systems in today’s enterprises. Armed only with spreadsheets and dogged determination, IT teams face the complex, time-consuming process of deploying and maintaining digital certificates one at a time across myriad device OSes and key storage paradigms used by enterprises today. Not to mention that manually managing certificates creates vulnerabilities, like the potential for service interruptions caused by expired certificates.
Organisations need an automated and centralised way to issue, revoke and replace certificates through a single dashboard that gives IT teams the power to automate certificate lifecycle management – from discovery to configuration, provisioning to renewal and revocation. This automated administration makes Zero Trust possible with zero touch.
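The expired-certificate failure mode described above is the easiest part of the lifecycle to check automatically. The following is an added example, not code from the article or from any vendor product: it triages a discovered certificate inventory into expired, due for renewal, and healthy. The hostnames, the inventory records and the one-third renewal window are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed discovery results (placeholder hosts). The date strings use the
# notBefore/notAfter format that ssl.SSLSocket.getpeercert() returns.
INVENTORY = [
    {"host": "vpn.example.test", "notBefore": "Jan  1 00:00:00 2024 GMT",
     "notAfter": "Jan  1 00:00:00 2025 GMT"},
    {"host": "mail.example.test", "notBefore": "Mar  1 00:00:00 2024 GMT",
     "notAfter": "Mar  1 00:00:00 2025 GMT"},
    {"host": "wiki.example.test", "notBefore": "Nov  1 00:00:00 2024 GMT",
     "notAfter": "Nov  1 00:00:00 2025 GMT"},
    {"host": "ci.example.test", "notBefore": "Jun  1 00:00:00 2025 GMT",
     "notAfter": "Jun  1 00:00:00 2026 GMT"},
]

def _parse(cert_time):
    """Convert a certificate time string to an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert_time)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def triage(inventory, now, renew_fraction=1 / 3):
    """Return (host, state, days_remaining) tuples, most urgent first.

    renew_fraction is an assumed policy: renew once less than that share
    of the certificate's total lifetime remains.
    """
    report = []
    for rec in inventory:
        start, end = _parse(rec["notBefore"]), _parse(rec["notAfter"])
        remaining = end - now
        if now < start:
            state = "not-yet-valid"   # clock skew or a pre-issued certificate
        elif remaining.total_seconds() <= 0:
            state = "expired"         # validating peers will reject it
        elif remaining <= (end - start) * renew_fraction:
            state = "renew"           # inside the renewal window
        else:
            state = "ok"
        report.append((rec["host"], state, remaining.days))
    return sorted(report, key=lambda row: row[2])

if __name__ == "__main__":
    for host, state, days in triage(INVENTORY, datetime.now(timezone.utc)):
        print(f"{host:20} {state:14} {days:5d} days")
```

In a real deployment the inventory would come from network discovery or the issuing CA's records, and the "renew" state would trigger automated reissuance instead of a report line.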
Migration to Zero Trust can be step by step
Even with the help of automation and single-pane-of-glass management, migrating an entire organisation to Zero Trust may seem daunting. Fortunately, organisations don’t have to implement certificates en masse, all at once. IT teams can ease the transition by implementing Zero Trust on a step-by-step basis to make the process as painless as possible.
Secure servers and applications: Use SSL/TLS certificates to secure web and application servers, including those in DevOps environments and cloud environments.
Secure network access endpoints: Use digital certificates for the network appliances you rely on to protect your network, including firewalls, web-filtering, email gateways, virtual private networks and Wi-Fi gateways.
Secure device endpoints: Use device certificates to authenticate the identity of all provisioned computers, laptops, tablets and mobile devices, as well as employee-owned devices.
Secure email: Use S/MIME certificates to protect and authenticate the contents of email and email signatures across multiple employee devices and network access points.
Replace passwords for people with user certificates: Use PKI-backed digital certificates to provide the highest degree of authentication for your employees.
Zero Trust helps enterprises move beyond static firewalls to protect the constantly ebbing and flowing edge of identity at the user, device and application level. It is a set of principles governing an IT security philosophy that maximises protection from threats by controlling access and continuously authenticating identity, rather than a one-time activity or single vendor product. Digital identities as verified by PKI certificates are elemental to Zero Trust, and IT teams need a centralised, single pane of glass from which to manage the entire certificate lifecycle.
Jason Soroko is the Chief Technology Officer of PKI for Sectigo