How to Use PKI to Implement Zero Trust Security
Zero Trust is a security model in which every user and device is treated as untrusted, even when it is already inside the network. The term is credited to Forrester Research, based on a security model they published in 2010 that challenged the norm at the time of defending only the network perimeter and questioned the assumption that anything already inside the network is not a threat. The concept has gained traction within the IT security community, especially with the proliferation of remote working, and is now widely adopted among enterprises.
Where to Start in Implementing Zero Trust
To implement Zero Trust security policies effectively, organizations need the right security infrastructure in place. Since the whole concept of Zero Trust centers on trusted identities, a key pillar of any implementation is the widespread deployment of Transport Layer Security (TLS) to establish trusted device identities across the organization. TLS relies on digital certificates to verify the identity of a server (and, with mutual TLS, of the client as well) and to protect the exchange of the cryptographic keys that secure the session between them. These digital certificates provide a cryptographically secure and verifiable way to authenticate and encrypt machine-to-machine (M2M) communication in your network, regardless of where the machines are located. When an organization runs a private public key infrastructure (PKI), it operates its own internal certificate authority (CA), which means the organization itself decides which certificates its systems trust. Organizations can tailor their PKI hierarchy to their specific Zero Trust use cases. Here are some of the things that digital certificates issued from an internal CA can protect:
- Network Devices – Ensuring network integrity can be as simple as issuing digital certificates to routers and network switches, creating a chain of authentication between devices and preventing impersonation attacks.
- Smartphones, Tablets and Other Mobile Devices – Issuing certificates to mobile devices prevents unauthorized access to enterprise networks and resources by rogue devices or careless users, while providing a seamless way of authenticating trusted devices.
- Web and Application Servers – Installing trusted TLS/SSL certificates on your internal and external-facing web servers and load balancers reinforces network integrity, closes the door on a frequent target of cyberattacks, and also protects customers and other website visitors.
- Windows/Mac Workstations – Providing each computer that connects to your network with its own certificate and key ensures that trusted users are your only users.
- Network Access – Streamlining and securing Wi-Fi and VPN access with certificate-based authentication that does not require a password makes the network more secure while improving ease of use.
- The IoT Ecosystem – Assigning certificates to all connected devices ensures that only authorized devices have access to your network, minimizing the risk of a breach. Using PKI can usher in the Internet of Trusted Things for an organization.
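As an added illustration of the internal-CA point above (example code written for this article, not part of the original), the following Go program builds a small private PKI with the standard library: a self-signed internal root CA issues a certificate to a network switch, and a relying party accepts only certificates that chain to that root. A self-signed certificate carrying the same device name is rejected, which is the impersonation case the Network Devices item refers to. The CA name, the device name and the 24-hour validity are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn: self-signed when parent is nil, otherwise signed by parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only the CA may sign device certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // device identity for mutual TLS
	}
	if parent == nil { // a root CA, or a rogue device vouching for itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}

// trustedByInternalCA: the peer's certificate must chain to the organization's own root and permit client auth.
func trustedByInternalCA(peer, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	root, rootKey := newCert("Example Corp Internal Root CA", true, nil, nil)
	device, _ := newCert("switch-01.corp.example", false, root, rootKey)
	rogue, _ := newCert("switch-01.corp.example", false, nil, nil) // self-signed, same name: impersonation attempt
	fmt.Println(trustedByInternalCA(device, root), trustedByInternalCA(rogue, root)) // true false
}
```

The same check rejects a certificate issued by any other CA, including a public one, because the trust pool holds only the organization's own root.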