The disintegrating corporate perimeter

Technology trends have shifted how IT professionals think about security at the corporate perimeter. Formerly walled-off operational technologies — such as factory floor machinery, utilities and industrial infrastructure, hospital instruments or industrial kitchens — have become connected and vulnerable to cyberattack. Applications and services have moved to the cloud, changing models of user access and shifting to on-demand orchestration, serverless computing and distributed data architectures. Devices have proliferated, with employees often connecting their own personal devices — from mobile phones to tablets and computers to tracked vehicles to corporate networks. These changes, which are collectively challenging the notion of the traditional corporate perimeter, are leading businesses to reshape the foundational assumptions governing user, application and corporate security.

Redefining application and IT access

Because companies can no longer rely on physical or virtual boundaries to define what is trusted or not, many organizations are adopting a zero-trust security policy. This “never trust, always verify” approach to security requires all access to networks, applications and services to be authenticated. As a result, identity and access managers are fielding significantly increased demands on their organizations:

• More access points that need authentication
• Increased volume of authentications
• Increasing authentication types (e.g., biometric or passwordless authentication)

Managing identity, integrity and encryption

In a perimeter-less environment, the number and types of things that need to be secured also increase. The role of the PKI administrator has expanded beyond traditional TLS web security to fielding new and expanding use cases across the organization:

• Identities of servers, devices users
• Expanding authentication and enrollment methods
• Integrity of digital signatures, documents, content and software, with audit trails for remediation
• Secure, encrypted communication
• Secure email

These PKI use cases are proliferating at the same time that certificate validity periods for public trust are shrinking. While shorter validity periods increase certificate security, the quicker turns increase the administrative burden of management as well as the surface area for risk of business disruption. Not surprisingly, this is driving increased need and attention for PKI management solutions that assist with governance of this broadening PKI landscape.

Securing connected devices

Connected devices, whether these are personal devices connecting to a network or operational technology coming online, increase the attack surface area that must now be protected. Network and operational technology security administrators not only need to consider how to provision device identity but also how to secure devices in operation — how to make devices more tamper-resistant, how to secure communication between them, how to govern how they connect to the network, how to bring together legacy (brownfield) and new (greenfield devices) and enable mutual authentication between them, how to monitor for threats.

Chief security product officers defining and building device-centered solutions, in turn, must consider the surface area that must be protected across the full device lifecycle — across chip manufacturers, device manufacturers, application developers, device operators and device users -— for the lifetime of the device.

Digital trust: the security model for the perimeter-less organization

The building blocks of digital trust — standards, compliance and operations, trust management and connected trust — are the foundational technology that enable companies to operate securely in a world in which a corporate boundary no longer defines what is trusted and what is not. Digital trust solutions enable companies to:

Manage identities

• Provision trusted identities to users, devices, servers and other IT resources to support user, network and device authentication needs
• Manage and automate certificate lifecycles and access workflows to support increasing IT demands and reduce human error

Manage integrity

• Govern integrity and non-repudiation of signatures, documents and content
• Establish software integrity and extend software trust to downstream users and throughout cloud and network operations

Secure connections and operations

• Secure user and machine-to-machine communication
• Secure device lifecycles for trusted operation and updateability

Monitor and remediate vulnerabilities

• Continuously monitor the cryptographic assets within the corporate environment and identify and remediate vulnerabilities.

Corporate-wide digital trust initiatives can establish a comprehensive, unified approach to security within a perimeter-less organization, addressing the way the disintegration of the traditional corporate perimeter is shaping the security demands within different IT departments.

Ask DigiCert

Want to learn more about DigiCert’s platform for digital trust? Email us at pki_info@digicert.com for more information or to set up a sales consultation.

Get the IDC whitepaper Digital Trust: The Foundation for Digital Freedom | DigiCert to read more about digital trust—what it is, how it works, and why it must be a strategic initiative for any organization, including yours.