The concept of Zero Trust is being bandied about a lot recently but what does it actually mean, and how can public key infrastructure (PKI) play a role in adopting this model of information security?
The ethos of Zero Trust is, as it says, trust nothing. The notion being that previous models of information security took a ‘castle-and-moat’ approach to security; high, heavily guarded walls and spike-laden, croc-infested moats to keep unwanted outsiders at bay. Conversely, those who could be trusted to cross the draw bridge have the capacity to move freely inside the castle walls.
Coined in 2010 by John Kindervag, at the time principal analyst at Forrester Research Inc., Zero Trust implies that no person or device should automatically have access to internal systems once inside corporate firewalls, in effect – ‘just because it is already on my network doesn’t mean I can trust it’. Many large-scale breaches have occurred due to bad actors who have managed to gain access through a weak password (colonial pipeline) and then taken advantage of that account to freely pillage data and cause general havoc.
In an environment where dark web password lists are growing at a faster rate than your latest dog-fronted cryptocurrency, IT leaders are recognising that they cannot solely rely on the perimeter security keeping the bad actors at bay.
The strong authentication element of Zero Trust
Organisations who already have PKI based strong authentication deployed are one step ahead in adopting Zero Trust.
In addition to validating the identity and health of connected devices, a fundamental part of Zero Trust is to always know the people trying to access internal systems are who they say they are. Multi-factor authentication (MFA) using PKI offers the level of crypto-based security to achieve just this.
By issuing public/private key based credentials across the workforce, organisations are already adding a cryptographic layer of protection to the identities they trust. Additionally, by setting policies to require the use of a PIN or biometric, organisations have a passwordless solution that offers best practice levels of authentication security, and a seamless UX for employees to access internal systems and resources.
Using a credential management system, such as MyID®, system administrators have the capacity to break down user groups and set distinct policies for MFA. This could mean more checks for the most privileged of users. Equally, it also means that if a user’s account is breached, that they are not going to be able to just wilfully access other internal systems without fulfilling further MFA checks.
Evolving PKI for Zero Trust
Key considerations are the universality of strong authentication – is this available across all user groups or is it solely in place for privileged users? PKI can be difficult to roll out across all user groups, there may be some employee user groups, contractors and even suppliers who require access into parts of your corporate network. How can you issue identities for strong authentication to these people, and set policies to ensure they are only using the methods of authentication you want them to?
An effective credential management system will provide answers to all of these challenges. MyID provides a single point to issue and manage PKI credentials. System administrators of MyID also have the rights to set roles-based access policies. The capacity to issue and manage FIDO based authentication within MyID can also help organisations overcome the issue of getting 100 per cent roll out of strong authentication across all user groups. If PKI is too expensive or complex for contractors, or smart cards are not practical for suppliers, MyID can issue a FIDO credential to a mobile device or a security token such as a YubiKey.
Additional security benefits that can be realised by evolving PKI with a credential management system include enabling digitally signed emails and transaction signing.
Through extending PKI to enable digitally signed emails, employees can have confidence in the communications they receive from colleagues. Sensitive communication can be secured and confidence in requests to take action based on emails can be assured, mitigating the threat of spoofed emails.
Transaction approval can also be streamlined by extending PKI capabilities. Through the strong authentication and auditability of PKI, organisations can enable their employees to digitally sign and approve transactions within their corporate environment and remotely via a desktop, laptop, or mobile device. Delivering a Zero Trust approach to transaction approvals and a greatly streamlined process for end users to help organisations run with greater efficiency.
Today, MyID is being used by enterprises to extend the benefits of PKI, enabling signed emails and transaction signing using mobile authentication.
Interested in evolving your PKI solution to support a Zero Trust approach? Discover how our partner, Expisoft delivers a fully managed service for digital identities and sensitive data through its integration with MyID: https://www.expisoft.se/expisoft-intercede/