
Can You Trust Zero Trust?

The days of implicitly trusting connected devices simply because they sit behind the traditional enterprise firewall, with its “hard” perimeter, are over.

Risk officers and security professionals should treat ALL connected traffic as if it were on a hostile network. This requires authentication at the user, device, and application level; digital identities therefore comprise the new perimeter. If every endpoint is its own edge, that edge is becoming increasingly hard to secure thanks to the ever-expanding ecosystem of multi-cloud environments, BYOD devices, IoT, and the unprecedented levels of remote work accelerated by COVID-19.

As employees access applications and networks remotely via myriad laptops, smartphones, and employee-owned devices, it’s more important than ever to ensure that the people and devices accessing your network are indeed who they say they are. Enterprises seeking a singular authentication model are increasingly taking a Zero Trust approach to ensuring proper identity authentication, where trust is never granted implicitly and must be continually evaluated. In fact, according to a recent ESG survey, identity was the most common aspect of security associated with Zero Trust, cited by 60% of organizations. Even so, some IT teams are wondering if you can really trust Zero Trust. Here are four concepts to keep in mind as you consider migrating to Zero Trust.

Four critical zero trust concepts

Zero Trust is a set of principles, not a check-the-box-activity

Zero Trust is a set of principles, not a vendor product. While technology is integral to Zero Trust, it is only a portion of a broader strategy that requires a shift in the way users, devices, and applications connect to one another and over the network. With Zero Trust, a digital identity approach provides strong mutual authentication and grants fine-grained access and permissions to each user, device, and process in the network. With that strategic model in mind, organizations can then apply the necessary authorization, assurance, analytics, and administration capabilities in combination to support this cohesive identity architecture.

Public Key Infrastructure (PKI) is foundational to Zero Trust

User and device authentication are the starting point. In the past, enterprises would turn to more complex password requirements or multi-factor authentication (MFA) in order to provide a deeper measure of security, but these methods have their own vulnerabilities: passwords are easily stolen, and criminals can just as easily intercept the one-time passwords or soft-token codes that MFA relies on.

PKI is the gold standard for identity authentication and encryption, and the National Institute of Standards and Technology (NIST) recently named PKI a key element of Zero Trust in its Zero Trust Architecture report. With PKI, organizations can ensure the strongest level of user and device authentication without impacting employee productivity or the user experience. PKI supports enterprises in securing business continuity by replacing passwords with user certificates, replacing cumbersome traditional MFA with instant authentication, and automating the lifecycle of all identity certificates. Authentication is seamless to end users and can be easily deployed to every employee device and system using automated tools.

Zero Trust requires governance, policy, and enforcement through a centralized place

Not surprisingly, providing a highly effective degree of security and authentication to your enterprise’s diverse ecosystem of connected networks and devices is no simple task. Zero Trust relies not only on governance and policy, but also on enforcement.

IT teams must ensure that no implicit trust exists across the entirety of increasingly complex network architectures that include public cloud, hybrid, and multiple public cloud environments. Additionally, each and every user and device endpoint needs to be issued an identity, which must then be mutually authenticated across whatever network boundary it sits in. On top of all this, IT teams are responsible for managing the entire lifecycle of those identities. The charter to deploy Zero Trust is daunting.

PKI’s mature and ubiquitous authentication capability makes it well-suited for the task. Yet manually managing identities is nearly impossible given the hundreds, thousands, or tens of thousands of connected people, devices, and systems in today’s enterprise. Armed only with spreadsheets and dogged determination, IT teams face the complex, time-consuming process of deploying and maintaining digital certificates one at a time across myriad device OSes and key storage paradigms used by enterprises today. Not to mention that manually managing certificates creates vulnerabilities, like the potential for service interruptions caused by expired certificates.

Organizations need an automated and centralized way to issue, revoke, and replace certificates through a single pane of glass dashboard that gives IT teams the power to automate certificate lifecycle management — from discovery to configuration, provisioning to renewal and revocation. This automated administration makes Zero Trust possible with zero touch.
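As an added example (not code from the article or from Sectigo), the following Go program, using only the standard library, shows the two mechanisms the article leans on: a server that grants access only to a client presenting a certificate chaining to the enterprise CA (the mutual authentication described under “PKI is foundational to Zero Trust”), and a discovery pass over a certificate inventory that flags expired and soon-to-expire certificates so they can be renewed before they cause an outage. The CA name, host names, validity periods and the 30-day renewal window are constructed for this example, and an in-process pipe stands in for a real network connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue signs a leaf certificate for cn with parent, or a self-signed root CA when isCA is
// true; it stands in for the issuing step of an automated lifecycle and panics on failure.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notAfter time.Time, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial; a real CA uses random ones
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // the root signs itself
	} else {
		tmpl.DNSNames = []string{cn} // the name a peer verifies against
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return cert, key
}

// authenticate runs one mutual TLS handshake in-process; the server admits only a client whose certificate chains to ca and returns the identity it verified, not one the client claimed.
func authenticate(ca, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey, client []tls.Certificate) (string, error) {
	trust := x509.NewCertPool()
	trust.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:             tls.RequireAndVerifyClientCert, // no implicit trust for any connecting device
		ClientCAs:              trust,
		SessionTicketsDisabled: true, // no post-handshake ticket write, so the synchronous pipe cannot stall
	}
	cliCfg := &tls.Config{RootCAs: trust, ServerName: srvCert.Subject.CommonName, Certificates: client}
	cliSide, srvSide := net.Pipe()
	defer cliSide.Close() // also unblocks the server end
	srv, cli := tls.Server(srvSide, srvCfg), tls.Client(cliSide, cliCfg)
	srvDone := make(chan error, 1)
	go func() { srvDone <- srv.Handshake() }()
	cliErr := cli.Handshake()
	go io.Copy(io.Discard, cli) // drain, so a post-handshake alert from the server cannot block the pipe
	if err := <-srvDone; err != nil || cliErr != nil {
		return "", fmt.Errorf("handshake failed: server=%v client=%v", err, cliErr)
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// renewalQueue is the discovery/renewal step of lifecycle management: it reports which inventory certificates are already expired and which expire within window.
func renewalQueue(inventory []*x509.Certificate, now time.Time, window time.Duration) (expired, expiring []string) {
	for _, c := range inventory {
		if !now.Before(c.NotAfter) {
			expired = append(expired, c.Subject.CommonName)
		} else if now.Add(window).After(c.NotAfter) {
			expiring = append(expiring, c.Subject.CommonName)
		}
	}
	return expired, expiring
}

// demo builds a constructed PKI (root CA, application server, enrolled laptop, forgotten gateway certificate) and exercises both checks.
func demo() (identity string, accepted, rejected error, expired, expiring []string) {
	now, day := time.Now(), 24*time.Hour
	ca, caKey := issue("Corp Root CA", nil, nil, now.Add(3650*day), true)
	srvCert, srvKey := issue("app.internal.example", ca, caKey, now.Add(20*day), false)
	laptop, laptopKey := issue("laptop-0042.corp.example", ca, caKey, now.Add(365*day), false)
	stale, _ := issue("legacy-gateway.corp.example", ca, caKey, now.Add(-day), false)
	identity, accepted = authenticate(ca, srvCert, srvKey, []tls.Certificate{{Certificate: [][]byte{laptop.Raw}, PrivateKey: laptopKey}})
	_, rejected = authenticate(ca, srvCert, srvKey, nil) // no certificate, no access
	expired, expiring = renewalQueue([]*x509.Certificate{srvCert, laptop, stale}, now, 30*day)
	return identity, accepted, rejected, expired, expiring
}

func main() {
	fmt.Println(demo()) // identity, nil, rejection error, expired, expiring
}
```

Two design points carry over to real deployments: the server reports the identity it verified from the certificate chain, never a name the client supplied, which is what makes identity a usable perimeter; and the renewal pass is run against the inventory on a schedule, so that a certificate like the application server's (twenty days from expiry here) is replaced well before it takes a service down.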

Migration to Zero Trust can be step-by-step

Even with the help of automation and single-pane-of-glass management, migrating an entire organization to Zero Trust may seem daunting. Fortunately, organizations don’t have to implement certificates en masse, all at once. IT teams can ease the transition by implementing Zero Trust on a step-by-step basis to make the process as painless as possible.

  1. Secure servers and applications: Use SSL/TLS certificates to secure web and application servers, including those in DevOps and cloud environments.
  2. Secure network access endpoints: Use digital certificates to protect the network appliances you rely on to protect your network including firewalls, web-filtering, email gateways, virtual private networks, and Wi-Fi gateways.
  3. Secure device endpoints: Use device certificates to authenticate the identity of all provisioned computers, laptops, tablets, and mobile devices, as well as BYOD devices.
  4. Secure email: Use S/MIME certificates to protect and authenticate the contents of email and email signatures across multiple employee devices and network access points.
  5. Replace passwords for people with user certificates: Use PKI-backed digital certificates to provide the highest degree of authentication for your employees.

Zero Trust helps enterprises move beyond static firewalls to protect the constantly ebbing and flowing edge of identity at the user, device, and application level. Zero Trust is a set of principles governing an IT security philosophy that maximizes protection from threats by controlling access and continuously authenticating identity, rather than a one-time activity or a single vendor product. Digital identities as verified by PKI certificates are elemental to Zero Trust, and IT teams need a centralized, single pane of glass from which to manage the entire certificate lifecycle.


CTO of PKI at Sectigo