How to Use PKI to Implement Zero Trust Security
Zero Trust is a security model in which all users and devices are treated as untrusted, even when they are already inside the network. The term is credited to Forrester Research, based on a security model it published in 2010 that challenged the then-prevailing practice of defending only the network perimeter and questioned the assumption that anything already inside the network is not a threat. The concept has gained traction within the IT security community, especially with the proliferation of remote working, and is now widely adopted by enterprises.
Where to Start in Implementing Zero Trust
To implement Zero Trust security policies effectively, organizations need the right security infrastructure in place. Because Zero Trust centers on trusted identities, a key pillar of any implementation is the widespread deployment of Transport Layer Security (TLS) to establish trusted device identities across the organization. TLS relies on digital certificates to verify the identity of servers and to exchange cryptographic keys confidentially between a server and a client. These certificates provide a cryptographically secure and verifiable way to authenticate and encrypt machine-to-machine (M2M) communication in your network, regardless of where the machines are located.
When an organization operates a private public key infrastructure (PKI), it has its own internal certificate authority (CA), and the certificates that CA issues chain to a root the organization itself controls, which adds a further layer of trust. Organizations can tailor their PKI hierarchy to their specific Zero Trust use cases.
Here are some of the things that digital certificates issued from an internal CA can protect:
- Network Devices – Ensuring network integrity can be as simple as implementing digital certificates for routers and network switches, creating a chain of authentication between devices and preventing impersonation attacks
- Smartphones, Tablets and Other Mobile Devices – Implementing certificates on mobile devices prevents unauthorized access to enterprise networks and resources by rogue devices or careless users while providing a seamless way of authenticating trusted devices
- Web and Application Servers – Installing trusted TLS/SSL certificates on your internal and external-facing web servers and load balancers at the source reinforces network integrity. It closes the door to a frequent target for cyberattacks and also delivers additional security for customers and other website visitors
- Windows/Mac Workstations – Issuing each computer that connects to your network its own certificate and key ensures that trusted users are your only users
- Network Access – Streamlining and securing Wi-Fi and VPN access with certificate policies that don’t require a password makes the network more secure, while simultaneously improving ease of use
- The IoT Ecosystem – Assigning certificates to all connected devices ensures that only authorized devices have access to your network, minimizing the risk of a breach. Using PKI can usher in the Internet of Trusted Things for an organization
Zero Trust Security Needs a Solid PKI Foundation
Having the right private PKI foundation in place is critical for Zero Trust security because it lets you establish trusted machine identities and encrypt M2M communications across your organization. However, the lifespan of these digital certificates has been shrinking in recent years. To reduce the burden of keeping up with hundreds or thousands of certificate renewals every year, many enterprises have begun to outsource the complexity of managing their private PKI by adopting managed PKI-as-a-service (PKIaaS) solutions.
Digital certificate management platforms can instantly enroll, approve, issue, revoke and renew all your certificates from a single pane of glass. Not only does this help companies implement strong Zero Trust security policies, but it also streamlines their operations and reduces costs.
Mrugesh Chandarana is a Senior Product Manager in Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).