The COVID-19 pandemic has disrupted our lives in many different ways, be that our personal, social or business lives. We now rely on the internet and online platforms to keep in touch with loved ones and colleagues, and to buy more services and products online.
For many businesses, COVID-19 accelerated projects to migrate systems to the cloud and to support remote working. With businesses migrating to online services and supporting unprecedented numbers of staff working remotely, the traditional perimeter approach and models to cybersecurity are no longer valid. This approach assumes all devices, services and users within the perimeter can be trusted, while all those outside the perimeter are not trusted. However, the perimeter has now, in effect, disappeared.
Compounding this challenge is the Internet of Things (IoT) revolution, which introduces a myriad of issues in relation to trusting those devices. We now have internet-connected TVs, lights, heating systems, cars and more — with the list of connected devices, smart or otherwise, growing every day.
Some of these IoT devices are connected to corporate environments: that smart TV in the boardroom, for example. These devices in turn are also often connected to the vendor’s platform for support, updates or additional processing capabilities. So, in effect, our corporate systems have to now trust an IoT device that in turn is connected to a vendor platform outside of our perimeter and our direct control.
In addition, not all IoT vendors invest appropriate time or effort into building security into their products. There are many examples of IoT devices having weak authentication, or with default credentials set into them, or vendors do not have appropriate ways to update devices with security updates. The growth in 5G networks will support the growth in IoT device, which will only further exacerbate this problem.
The standard three pillars of security — confidentiality, integrity and availability — needs now to be augmented with a fourth pillar. That pillar is trust. How can we trust the online services that we are using? How can we trust the systems we are accessing? How can we trust the device accessing our environment? And how can we trust the updates, messages and other interactions our computers conduct on a daily basis, often in the background and often without our intervention?
Trust is not something that magically appears. Trust by its very nature needs to be developed and nurtured over time. It is built based on positive interactions and reinforced over time by repeating those positive interactions. However, while it can take time to build trust, that trust can be lost quickly due to a bad interaction or event. In 1987, after signing the Intermediate-Range Nuclear Forces Treaty, the then-president of the United States, Ronald Reagan, when asked how could he be confident the Soviet Union would abide by the agreement, used the phrase “trust, but verify.” This phrase, a play on an actual old Russian proverb, “Doveryai, no proveryai,” highlights that one should not blindly accept trust at face value but look for supporting evidence that the trust is being maintained.
Digital certificates are a key foundation stone in building the trust that we need to conduct our personal and business lives in a secure manner. Digital certificates can help by securing data in transit across networks or while at rest. They can also provide a strong mechanism to authenticate individuals and devices, including IoT devices, to our systems so we can be assured that we are communicating and connecting with those we trust.
It is important to note that digital certificates on their own may not be sufficient to build and maintain the required levels of trust. In the past, badly managed digital certificates and their associated keys have been abused by malicious actors. Criminals have stolen certificates from reputable companies and then used those certificates to digitally sign software updates or perform other malicious activity.
In the post-pandemic world, we will continue to experience a rise in the number of people and organizations taking advantage of remote working, engaging in employing new online platforms and deploying IoT devices throughout homes and offices. This will lead to a surge in the number of digital certificates that an organization is going to have to manage. With the erosion of the security perimeter, these digital certificates will need to be issued, renewed, revoked and continuously managed to ensure their integrity. The sheer scale and volume of digital certificates to be managed will require organizations to employ scalable solutions to manage digital certificates seamlessly in the private or public cloud, on premises or through a CA-hosted management solution.
In the digital world we need to build trust, but we need to have scalable, automated platforms to manage and verify that trust.