Trust Lifecycle Manager 03-07-2023

IAM Teams: Three steps to achieving invisible authentication at scale

Robyn Weisman

In today’s perimeterless organization, identity and access management (IAM) teams face accelerating complexity. One common use case they must address is Wi-Fi and VPN network authentication without compromising security. Most employees have at least two devices, typically a company-issued computer and a personal smartphone. How can IAM teams authenticate these users and devices securely at scale, and in an environment that is rapidly shifting to hybrid work models with remote employees around the world?

As an added requirement, they want to provide all those employees and all those devices with ready access in a way that is seamless — in other words a user experience that suggests there’s nothing to it. Like Kareem Abdul-Jabbar tossing a skyhook. Or Eddie Van Halen shredding a guitar solo.

Good luck, you’re thinking. At least Kareem only had to work with a basketball and a few defenders. And Eddie didn’t have to deal with millions of fans when he was first developing his signature style. IAM teams don’t have that same luxury. The complexity of a 2023 enterprise network may be less mind-blowing than the universe — but it’s catching up. As DigiCert CEO Amit Sinha said in a recent webinar Announcing DigiCert® Trust Lifecycle Manager, IAM teams are faced with so much complexity because “the volume and methods of authentication needed to protect corporate users, assets and data are growing so rapidly.”

We know this from our customers. For example, IBM has more than 300,000 employees in every time zone, Weibo “Weber” Yuan, chief architect and strategy lead at IBM, said in the same webinar. “The sun never sets on our employees, and we have over a million devices that need to be connected. In that mixture are all kinds using Windows, macOS, Linux, iOS and Android.”

Yet IBM and other DigiCert customers have succeeded in achieving this magical combination of secure authentication and seamless access, or as Yuan said, “We turned public key infrastructure to public key invisible.” We all know that making things simple is never easy. So how did IBM and other DigiCert customers achieve what we call invisible authentication?

They followed three basic steps. Let’s go through them.

Step 1: Relieve end users of authentication responsibilities

Today, most enterprises still rely on password-based authentication to provide access to VPN and Wi-Fi. Dean Coclin, senior director of business development at DigiCert, examines why using passwords is not a good strategy:

[A]s threats have evolved over recent years, passwords have had to get longer and more complicated. Unfortunately, they are also harder to remember and more stressful for users. Complex passwords do not create the best user experience, they are still easily compromised and they are costly.

As Coclin mentions in his blog post, 92% of IT professionals believe organizations need to move to passwordless systems. The most obvious way to do this is with digital certificates, which let IAM teams set the security parameters. However, it’s not enough simply to adopt digital certificates for VPN and Wi-Fi access, particularly if you expect end users to install them themselves. One DigiCert customer found employee adoption of digital certificates to be in the low single digits when installing them was optional.

This shouldn’t be surprising. Although employees may care about security, they may not have the IT skills to understand and manage certificates needed for securing authentication. And this doesn’t make for a good user experience.

Instead, you need to relieve your employees of the responsibility of managing the digital certificates on their devices and put it in the hands of professionals who focus on these issues. Moving from password-based to certificate-based authentication is the first step. Then, how do you make this seamless? Let’s look at step 2.

Step 2: Automate certificate provisioning and revocation

Let’s make this obvious statement now: No organization, regardless of size, can afford to manually manage digital certificates. The security risk combined with the potential for human error is simply too great. We saw the outcome of poor certificate lifecycle management (CLM) in the Equifax data breach, among others.

If you’re managing even a fraction of the million-plus client certificates that IBM handles, you know that automation is a necessary step. Not surprisingly, automation plays a starring role in the NIST SP 1800-16 framework. NIST states:

Automation should be used wherever possible for the enrollment, installation, monitoring and replacement of certificates, or justification should be provided for continuing to use manual methods that may cause operational security risks.

Without automation, IAM teams can’t manage, let alone scale, the rapidly increasing number of device certificates being used to authenticate access to VPN and Wi-Fi. Think about the employee lifecycle, which encompasses:

  • Provisioning
  • Renewal
  • Position changes (which usually means changes in access)
  • Termination

By automating these processes, you get 100% adoption and provide for a better user experience. You no longer have to worry whether a new remote employee is having trouble with access to your VPN, because the certificate governing access is automatically provisioned along with their equipment. If the employee is in good standing, that certificate is automatically renewed before its expiration date. And the moment the employee leaves the company, that same certificate is instantly revoked, preventing them from accessing your network.

Automation also enables IAM teams to ensure that the digital certificates being used for Wi-Fi and VPN access adhere to strict corporate policies, and if a certificate or group of certificates is compromised, they can be replaced almost instantaneously. Automation not only reduces the burden on IT support, but it also improves security posture and ease of remediation.

Step 3: Integrate with IAM tools

Effective automation strategies also depend on integration with corporate IAM tools and systems. What about personal smartphones that connect to the network using UEM or MDM tools? Or last-mile integration with the applications your employees use?

In other words, providing invisible Wi-Fi and VPN access relies on more than certificate management alone. To function well, systems need to integrate with:

  • Directory services (such as Active Directory). This ensures that employee changes automatically trigger a provisioning, renewal or revocation event.
  • MDM solutions (such as Microsoft Intune, JAMF and BigFix). This ensures that certificates can be provisioned to devices and a broader range of endpoints within the organization.
  • ITSM solutions (such as ServiceNow). This enables companies to use their own IT service workflows and windows for processing and managing change requests.
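The lifecycle logic from Step 2 (provision on hire, renew before expiry, reissue on position change, replace on compromise, revoke on termination) and the directory-driven triggering in the first bullet above, as an added example that is not DigiCert’s, IBM’s or Trust Lifecycle Manager’s code: a reconciler that compares a directory of record with the issued certificates and emits the lifecycle action each employee needs. The 30-day renewal window, the role attribute carried in each certificate and all employee records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not DigiCert/IBM code. Assumption: renew when <= 30 days remain.
RENEWAL_WINDOW_DAYS = 30
@dataclass
class Cert:
    user: str
    role: str               # role recorded in the cert (e.g. group/OU) at issuance
    expires: date
    compromised: bool = False

def reconcile(directory, certs, today, window=RENEWAL_WINDOW_DAYS):
    """Map directory-of-record state onto cert lifecycle actions: (action, user)."""
    actions = []
    held = {c.user: c for c in certs}         # unrevoked certs, one per user
    for user, rec in directory.items():
        cert = held.get(user)
        if rec["status"] == "terminated":
            if cert:                          # leaver: revoke the moment they go
                actions.append(("revoke", user))
            continue
        if cert is None:                      # joiner: provision with equipment
            actions.append(("provision", user))
        elif cert.compromised:                # replace now, don't wait for expiry
            actions.append(("replace", user))
        elif cert.role != rec["role"]:        # mover: access changed, reissue
            actions.append(("reissue", user))
        elif cert.expires - today <= timedelta(days=window):
            actions.append(("renew", user))   # renew ahead of expiry
    for user in held:                         # cert holder with no directory record
        if user not in directory:
            actions.append(("revoke", user))
    return actions
# Constructed sample data: {user: {"status": "active"|"terminated", "role": str}}
TODAY = date(2023, 3, 7)
DIRECTORY = {
    "alice": {"status": "active", "role": "engineering"},  # new hire, no cert yet
    "bob":   {"status": "active", "role": "engineering"},  # cert expires in 13 days
    "carol": {"status": "active", "role": "finance"},      # moved from engineering
    "dave":  {"status": "terminated", "role": "sales"},    # left the company
    "erin":  {"status": "active", "role": "sales"},        # cert reported compromised
}
CERTS = [
    Cert("bob", "engineering", date(2023, 3, 20)),
    Cert("carol", "engineering", date(2024, 1, 1)),
    Cert("dave", "sales", date(2024, 1, 1)),
    Cert("erin", "sales", date(2024, 1, 1), compromised=True),
    Cert("frank", "sales", date(2024, 1, 1)),              # no directory record
]
```

Running `reconcile(DIRECTORY, CERTS, TODAY)` on a schedule (or on every directory change event) is the loop an MDM or CLM integration would drive; the actions it returns are what those integrations would execute.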

Many legacy certificate lifecycle management (CLM) solutions claim to provide multiple integrations, but they usually cost extra, require professional services to deploy or are dependent on third parties to keep them up to date. More importantly, these legacy solutions aren’t suited to IAM use cases because they don’t integrate with IAM platforms and aren’t architected for the certificate lifecycle of user certificates.

The DigiCert solution

Achieving the automation and integration needed to deliver invisible authentication at scale is not a do-it-yourself task. This is where DigiCert Trust Lifecycle Manager comes into play. Trust Lifecycle Manager delivers:

  • The necessary deep integrations with IAM and IT systems, with predefined certificate templates that make it easy to integrate certificate lifecycles with MDM, ITSM, directory services and other technologies.
  • Automation of the certificate lifecycle, so that customers can achieve their goal of instant provisioning, renewal and revocation. DigiCert’s OCSP-based infrastructure ensures that there are no delays in certificate checks that can occur with CRL-based solutions.

IBM’s Yuan delineates the benefits they have realized in collaboration with DigiCert:

We want to provide the best-in-breed services to our users so they can be productive, and now Wi-Fi and VPN services will be seamlessly provisioned to you with the digital certificate under the hood as the foundational piece. It has been hugely popular and given us great productivity. Now we joke that we’ve turned PKI from public key infrastructure to “public key invisible” because you never worry about failing to renew your certificate and losing the ability to access the company network.

Streamlining Wi-Fi and VPN access may not be as fun to watch as Kareem and Eddie in their primes, but achieving improved security while at the same time making it effortless for employees to access your network brings its own special bliss.

DigiCert Trust Lifecycle Manager is a full-stack digital trust solution that brings together CA-agnostic certificate lifecycle management, private PKI services and public trust issuance into a seamless digital trust infrastructure. It centralizes visibility and control over the full certificate landscape, reduces the risk of business disruption from outages, human error and unmanaged cryptographic assets, and secures identity and access with automation and integration supporting a broad range of IAM use cases.
