Zero trust takes a “stranger-danger” approach to authentication that treats all users and devices as untrustworthy, whether they are accessing networks and data from inside an enterprise’s physical environment or outside it. In a zero-trust world, a trusted identity is the key that unlocks access for people and devices to enter an enterprise’s key networks, systems, and resources.
Since 2010, the term “zero trust” has been a popular topic for industry events, publications, and webinars. To support the rapid adoption of remote and hybrid work models over the last few years, zero-trust initiatives have become widely embraced in enterprise security postures.
In the scramble for IT and cybersecurity operations teams to implement new access management initiatives during the pandemic, many enterprises implemented zero-trust initiatives to enable secure access for remote and hybrid workers. The Biden administration has also become a strong proponent of using zero-trust frameworks to fortify cybersecurity, including it in its cybersecurity executive order in 2021 and the National Cybersecurity Strategy in 2023.
If you’re thinking about implementing zero trust in your organization, consider the answers to these questions to help you decide the best way to do so.
In addition to ensuring everything accessing an enterprise infrastructure has the appropriate rights and aligning security measures with White House directives, what is the role of zero-trust identity in authentication?
In the beginning of this article, I mentioned the term “trusted identity.” The entire concept of zero trust is based on restricting access until those requesting it can prove they are a trusted individual or device with permission to gain entry. Therefore, there must be a strong method that helps enterprises authenticate that the individuals or devices requesting access are trusted to do so.
When it comes to trust, for decades the gold standard for authentication has been public key infrastructure (PKI). PKI goes beyond traditional password-based approaches to authentication; not only does it help enterprises identify and authenticate users and devices without passwords, but it also enables encryption of machine-to-machine communications across any location.
PKI helps prove trusted identities by enabling enterprises to assign a trust anchor to devices and personnel accessing their networks. It does this by issuing certificates to devices or authorized users through a trusted certificate issuance route, which cannot be fooled in the way traditional authentication methods, such as a password with special characters, can be.
In a zero-trust environment, each individual, device, and application within an enterprise utilizes a certificate to prove their trusted identity and gain access to resources. How can enterprise IT teams manage these tens of thousands of certificates without being glued to a computer 24 hours a day, seven days a week?
The certificate-issuance process may seem overwhelming due to the number of users and devices that need certificates. One benefit of implementing PKI as the building block for an enterprise’s zero-trust identity framework is that you can leverage existing enterprise tools to automate certificate issuance, renewal, and revocation. For Microsoft-based enterprises, applications such as Intune or Active Directory can help alleviate manual certificate issuance and authentication. Because a zero-trust environment rooted in PKI automation can be implemented regardless of operating system or device policies, even IT organizations primarily using macOS or Chromebooks, or allowing employees the option to use their own devices (also known as BYOD), can use this method.
What do enterprises need to do to manage their daily PKI operations?
In terms of PKI management, organizations must establish a strong foundation for a successful zero-trust environment and maintain a direct line of sight to every certificate within the organization. Ideally, they can leverage the tools they already have, rather than having to learn, purchase, or maintain additional resources. The goal of a zero-trust PKI operation is end-to-end trust, scalability, and cost efficiency, together with the freedom to retain control of the organization’s private trust assets.
For a more in-depth discussion about zero-trust identity and automation, please watch our on-demand webinar about automation and zero trust.
About the Author
Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than 10 years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).