PKI 01-28-2022

PKI as the Foundation for Zero Trust

Dr. Avesta Hojjati

Securing networks is more difficult than ever, and it’s not going to get any easier. Enterprises must manage hundreds of thousands of devices, users, systems and apps. That means that organizations have hundreds of thousands of potential vulnerabilities. Yet a single compromised password can bring down the entire network, and has in cases like the Colonial Pipeline, in which a single compromised password at the largest pipeline in the United States led to widespread fuel shortages, or the WordPress incident where a compromised password left the data of over 1 million of the hosting companies’ customers vulnerable.

Thus, the Zero-Trust mantra of “never trust, always verify” is becoming more attractive to protect networks from adversaries. In 2021, the Biden administration released a U.S. executive order on Improving the Nation’s Cybersecurity, which requires the Federal government to move towards a Zero-Trust approach. The Department of Defense is the first U.S. government organization to make the change, with the announcement of an office dedicated to Zero Trust that launched in December 2021. A DOD senior information security officer explained, "We feel like Zero Trust is the only solution out there right now that gives us a fighting chance on detecting these folks that may have a foothold on our network."

A Zero-Trust network requires verification of every access request by default. In a network of “never trust,” strong digital identities that can be verified are key to building a Zero-Trust infrastructure. However, organizations should have the right security solutions in place before implementing a Zero-Trust model. One of the easiest ways to implement Zero Trust is deploying a Public Key Infrastructure (PKI), which has provided a way to uniquely identify devices, users, systems and apps. We’ll dive into more about what Zero Trust is and how PKI can support it in this post.

What is a Zero-Trust approach?

As mentioned, Zero-Trust is a security approach in which constant validation is needed to access a network. In other words, zero users, devices, systems or services are automatically trusted — anything connecting to the network must be verified. Additionally, every time a user or device connects to the network it must be validated again. In a Zero-Trust approach, instead of verifying digital identity based on IP addresses, digital identities must be regularly verified based on adaptive authentication methods such as PKI, multi-factor authentication (MFA) and single sign-on (SSO).

The main benefit of Zero Trust is mitigating security risk, but other benefits include reducing complexity in the security stack and reducing the time it takes to detect a breach. The concept of Zero Trust was first ideated in 1994 by Stephen Paul Marsh, but a Zero-Trust architecture model wasn’t created until 2010 by John Kindervag. Now, a decade later, organizations are adopting it due to trends like remote work and increased reliance on the cloud.

What is driving the Zero-Trust trend?

Besides just the increase in attacks like SolarWinds, the transition to Zero Trust is fueled by remote work, cloud adoption and an increase in deploying devices. Remote work is increasing the number of devices connecting to the network and the number of users connecting remotely. Additionally, cloud solutions need Zero Trust because network infrastructures are no longer solely on premises, but are fully in the cloud or, more often, a hybrid approach, which requires a more secure posture. Zero Trust can help secure a hybrid environment by providing additional authentication measures. However, the switch to Zero Trust will not happen overnight. It’s a process that organizations are slowly beginning to adopt.

According one survey, about a third of organizations have already adopted a Zero-Trust strategy and 60% plan to adopt it in the next year. But having the right security solutions to support a Zero-Trust strategy is critical. This is where PKI plays an essential role.

How PKI and Zero Trust go hand in hand

Implementing a Zero-Trust architecture hinges on a secure way to verify identity. PKI is a tried-and-true way to provide digital identity for a variety of use cases. It can provide log-in solutions and form the foundation for identity inside Zero Trust.

Even though PKI may not cover every aspect of a Zero-Trust environment, it does provide a strong foundation for the authentication and trust that’s required. In fact, 96% of IT security executives believe that PKI is essential to building a Zero-Trust architecture. This is because PKI provides the authentication, encryption and integrity needed for a Zero-Trust model.

PKI delivers:

  1. Authentication of the identity of every user and/or device on the network.
  2. Encryption of all communications across the organization.
  3. Data & system integrity by maintaining the integrity of data coming to and from users/devices, automation tools to issue, revoke and replace certificates in a reliable, scalable and agile manner.

A common option for Zero-Trust security is to simply use MFA, but attacks like SolarWinds demonstrate that it can be sidestepped and exploited. That’s why PKI, in conjunction with MFA, is one of the more secure ways to implement Zero Trust.

Automation and visibility required

Automated PKI is a flexible solution which can support Zero-Trust initiatives. With an increasing number of certificates, automation makes it easy to manage a PKI infrastructure. Additionally, applications constantly need to be updated, employees onboarded and offboarded, or accesses moved. Manual management requires a heavy workload that increases the chance of human error and potential vulnerabilities.

Furthermore, most automation solutions also come with increased visibility over the certificate inventory. This is key to a Zero-Trust architecture because when verification is always required, knowing every digital certificate on the network is not just nice to know, it’s critical. Any unknown or undiscovered certificates could leave the entire network vulnerable.

Why DigiCert?

For years, DigiCert has been a leading high-assurance digital certificate provider. DigiCert provides TLS/SSL and PKI, and identity, authentication and encryption solutions for the web and the Internet of Things (IoT). DigiCert’s Enterprise PKI Manger provides PKI as a service, allowing IT departments to focus on their customers and not the operation of the Certificate Authority. DigiCert also has automation solutions to simplify the growing burden of certificate management.

Additionally, at DigiCert we have experience deploying a Zero-Trust architecture and we understand the challenge of simplifying identity and access management across large enterprises with hundreds of thousands of workers and connection points. DigiCert provides centralized certificate lifecycle management for identity and access verification so that organizations can build a certificate-based access security with automated workflows.

Finally, DigiCert is currently collaborating with the National Institute of Standards and Technology (NIST) on a Zero-Trust consortium to produce an example of a Zero-Trust architecture that uses modern best practices.

More information about DigiCert’s Enterprise PKI certificate management platform can be found at: https://www.digicert.com/pki/enterprise-pki-manager.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

11-27-2024

6 actionable ways to secure the IIoT at every stage

Tracking the progress toward post-quantum cryptography

The state of PQC since the publication of FIPS 203, 204 and 205