Authenticate Everything With PKI and Zero Trust
Even four months after discovery, the scope of the SolarWinds hack isn't entirely known; authorities and the public continue to discover new areas where the hackers were successful. The latest such discovery concerns the emails of a top U.S. Department of Homeland Security (DHS) official. Reuters reported that suspected Russian hackers, using the SolarWinds vulnerability, gained access to the emails of the acting secretary of DHS and of members of the department's cybersecurity staff. As we noted in our review of the fundamental steps necessary to protect your organization, authenticating everything and assuming no network perimeter is one of the key strategies to bolster protection against these types of cybersecurity threats and intrusions.
What Does Authenticate Everything Mean?
To establish an authentication strategy, assume there is no network boundary: do not rely on just the firewall and other network perimeter security measures to authenticate anything connecting to your network. No device, user, system, service or other actor is trusted automatically; each requires multi-factor authentication before it is granted any privilege to transact. This is a vital part of Zero Trust security, which has many components but, if done correctly, usually requires implementing Public Key Infrastructure (PKI) to authenticate anything that connects to your network. As noted in NIST 800-207, implementing an enterprise PKI is a key component of a Zero Trust architecture. There are multiple options for implementing an enterprise PKI that cater to an organization's requirements; they usually vary with the organization's complexity and size. Regardless of size and complexity, though, PKI implementations are tailored to authenticate all devices, users and other actors on a network.
As part of designing a Zero Trust architecture, organizations must define and implement an enterprise PKI that can cater to the authentication and encryption of all devices and users. It requires thought on the strength of security, appropriate scope and adaptability for future needs while maintaining a practical balance between management, scalability, ease of implementation and ease of use. This definition and design exercise usually results in organizations with Enterprise PKI that have most, if not all, of the characteristics listed below:
- Leverage the Cloud – Organizations design the Enterprise PKI to leverage the benefits of the cloud, which can scale, provide the highest availability and resiliency, and operationalize best practices. Leveraging the cloud isn't as simple as deploying PKI software in the cloud, but with the right design an enterprise can reap the benefits of a cloud service deployment.
- Automation – With the volume of users, devices, machines, network endpoints and other actors operating and interacting within an organization, automating the digital certificate lifecycle is a minimum requirement. Without automation, organizations will find themselves with outdated manual techniques that usually result in security gaps and availability issues (e.g., inaccessible service due to an expired digital certificate).
- Rules and Policy-Based Management – Coupled with robust automation capability, an Enterprise PKI design must address the ability to quickly set up, manage and enforce rules and policies. Without this, the Enterprise PKI will lack the flexibility needed to stay current and evolve with new security threats.
- Crypto-Agility – To respond effectively to evolving standards, threats and vulnerabilities, compliance or regulatory changes, or supply chain disruption, an Enterprise PKI should be able to initiate targeted or mass updates and upgrades of the cryptographic algorithms in use by all endpoints under management. With such agility, an organization can be confident that it can navigate a constantly changing cybersecurity landscape.
- Segmentation – With a diverse and increasing number of devices, endpoints and security profiles, an Enterprise PKI deployment must segment its population under management into groups of actors with the same or similar profiles. This adds the flexibility to target actions in response to security threats at the affected devices, users and other network endpoints, thereby increasing the overall effectiveness of your cybersecurity efforts.
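As an added illustration (example code, not from the article or from HID Global), the Python below shows how three of these properties combine in a certificate-inventory policy check: an automation rule that flags certificates approaching expiry before a service goes dark, a crypto-agility rule that flags key sizes and signature hashes below a policy minimum, and segmentation that reports findings per actor profile so remediation can be targeted. The inventory records, profile names and policy thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Policy thresholds (assumed for this example, not the article's figures).
MIN_RSA_BITS = 2048                      # RSA keys below this need re-keying
APPROVED_SIG_HASHES = {"sha256", "sha384"}  # signature hashes still allowed
RENEW_BEFORE_DAYS = 30                   # renew this far ahead of expiry


@dataclass
class Cert:
    subject: str
    profile: str      # segment the actor belongs to, e.g. "user", "iot-device"
    key_type: str     # "rsa" or "ec"
    key_bits: int
    sig_hash: str
    not_after: date   # certificate expiry


# Constructed sample inventory of issued certificates.
INVENTORY = [
    Cert("alice@example.test", "user", "rsa", 2048, "sha256", date(2021, 6, 1)),
    Cert("sensor-0042", "iot-device", "rsa", 1024, "sha1", date(2022, 1, 1)),
    Cert("api.internal.test", "service", "ec", 256, "sha256", date(2021, 4, 20)),
    Cert("gateway-7", "iot-device", "rsa", 2048, "sha256", date(2021, 4, 10)),
]


def needs_renewal(cert, today):
    """Automation rule: renew inside the window so nothing expires in service."""
    return cert.not_after - today <= timedelta(days=RENEW_BEFORE_DAYS)


def needs_crypto_upgrade(cert):
    """Crypto-agility rule: weak RSA key size or unapproved signature hash."""
    weak_key = cert.key_type == "rsa" and cert.key_bits < MIN_RSA_BITS
    return weak_key or cert.sig_hash not in APPROVED_SIG_HASHES


def audit(inventory, today):
    """Segmentation: group findings by profile so actions target one segment."""
    report = defaultdict(lambda: {"renew": [], "upgrade": []})
    for cert in inventory:
        if needs_renewal(cert, today):
            report[cert.profile]["renew"].append(cert.subject)
        if needs_crypto_upgrade(cert):
            report[cert.profile]["upgrade"].append(cert.subject)
    return dict(report)  # profiles with no findings are absent
```

Running `audit(INVENTORY, date(2021, 4, 1))` yields renewals for the service and one IoT gateway and a crypto upgrade for the SHA-1/RSA-1024 sensor, with the user segment clean.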
This approach of authenticating everything within a Zero Trust implementation requires organizations to abandon the practice of implicitly trusting devices, endpoints or users because they can reach the network, or of relying on network-level authentication, and instead to apply unobtrusive authentication and authorization pervasively across all devices, endpoints, users and other actors on their network.
Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).