
How PKI Helps Make the Cybersecurity Executive Order a Reality with Zero Trust

A Critical Component of Cybersecurity Infrastructure Comes of Age

The need was clear, if not overdue: from fuel pipelines to water treatment facilities, our nation’s most critical infrastructure has fallen victim to an ever-expanding number of threats. The White House Executive Order on Improving the Nation’s Cybersecurity Infrastructure — signed in May — aims to address the problem.

In particular, the EO calls on both public and private organizations to upgrade cloud services and implement Zero Trust Architecture to “keep pace with today’s dynamic and increasingly sophisticated cyber threat environment.”

The Zero Trust approach to cybersecurity trusts nothing automatically and requires that all transactions, both inside and outside the network, be authenticated using multi-factor authentication methods. Created in 2010 by then-Forrester analyst John Kindervag, Zero Trust has risen to prominence in recent years thanks to the increasing accessibility of the technologies that support it — and the rising stakes involved with contemporary cyberattacks.

PKI and Zero Trust

Public Key Infrastructure (PKI) is a key component of Zero Trust architecture. It is the gold standard for authenticating the users, devices, services and systems that connect to enterprise networks. It also allows for the encryption of machine-to-machine (M2M) communication in your network, regardless of location.

And it enables organizations to eliminate their reliance on clunky password-based authentication techniques like texted codes in favor of passwordless authentication methods with digital certificates.

No wonder the PKI market is expected to more than double in the next five years, reaching USD 9.8 billion by 2026.

Yet many organizations are put off by the apparent complexities involved with PKI implementation. PKI requires organizations to create, store and distribute digital certificates that map public keys to specific entities and can be used to authenticate them. According to the Ponemon Institute’s 2020 Global PKI and IoT Trends Study, the average number of certificates that organizations must manage grew to 56,192 — a 43% year-over-year increase. It’s a big job to entrust to spreadsheets and DIY in-house systems.

What’s more, the expertise needed to manage PKI certificates is often in short supply: 52% of the security professionals who participated in the Ponemon study said their top challenge was a lack of understanding of their PKI’s security capabilities.

Best Practices for PKI Architecture

PKI doesn’t have to be difficult. So-called PKI-as-a-Service (PKIaaS) solutions — hosted in the cloud, managed by external vendors and delivered through a SaaS portal — enable organizations to outsource the complexities of PKI while retaining visibility and control.

However, not all PKIaaS solutions offer the same levels of trust and protection. Those that follow best-in-class architecture, like HID PKIaaS, rely on a hybrid approach known as Hosted Private PKI. That means they combine cloud infrastructure for front-end certificate management with highly secure and audited data centers that generate and store the most important assets: the private root keys for each entity.

These keys are hosted in a dedicated Hardware Security Module (HSM) that is fully air-gapped and never online. The separation of roles is maintained by fragmenting and distributing them across Administrative Card Sets (ACS) and Operator Card Sets (OCS). And the HSM can be hosted on-prem by organizations that require it.

This approach is easily scalable and can be adapted to multiple security scenarios, while enabling organizations to maintain control of trusted assets.

And isn’t that what operating securely is all about?

To learn more about the business benefits of PKIaaS, read our eBook, Outsourcing PKI to the Cloud.


Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.). 
