How PKI Helps Make the Cybersecurity Executive Order a Reality with Zero Trust
A Critical Component of Cybersecurity Infrastructure Comes of Age
The need was clear, if not overdue: from fuel pipelines to water treatment facilities, our nation’s most critical infrastructure has fallen victim to an ever-expanding number of threats. The White House Executive Order on Improving the Nation’s Cybersecurity Infrastructure — signed in May — aims to address the problem.
In particular, the EO calls on both public and private organizations to upgrade cloud services and implement Zero Trust Architecture to “keep pace with today’s dynamic and increasingly sophisticated cyber threat environment.”
The Zero Trust approach to cybersecurity trusts nothing automatically and requires that all transactions, both inside and outside the network, be authenticated using multi-factor authentication methods. Created in 2010 by then-Forrester analyst John Kindervag, Zero Trust has risen to prominence in recent years thanks to the increasing accessibility of the technologies that support it — and the rising stakes involved with contemporary cyberattacks.
PKI and Zero Trust
Public Key Infrastructure (PKI) is a key component of Zero Trust architecture. It is the gold standard for authenticating the users, devices, services and systems that connect to enterprise networks. It also allows for the encryption of machine-to-machine (M2M) communication in your network, regardless of location.
And it enables organizations to eliminate their reliance on clunky authentication techniques such as passwords and texted codes in favor of passwordless authentication with digital certificates.
No wonder the PKI market is expected to more than double in the next five years, reaching USD 9.8 billion by 2026.
Yet many organizations are put off by the apparent complexities involved with PKI implementation. PKI requires organizations to create, store and distribute digital certificates that map public keys to specific entities and can be used to authenticate them. According to the Ponemon Institute’s 2020 Global PKI and IoT Trends Study, the average number of certificates that organizations must manage grew to 56,192 — a 43% year-over-year increase. It’s a big job to entrust to spreadsheets and DIY in-house systems.
What’s more, the expertise needed to manage PKI certificates is often in short supply: 52% of the security professionals who participated in the Ponemon study said their top challenge was a lack of understanding of their PKI’s security capabilities.
Best Practices for PKI Architecture
PKI doesn’t have to be difficult. So-called PKI-as-a-Service (PKIaaS) solutions — hosted in the cloud, managed by external vendors and delivered through a SaaS portal — enable organizations to outsource the complexities of PKI while retaining visibility and control.
However, not all PKIaaS solutions offer the same levels of trust and protection. Those that follow best-in-class architecture, like HID PKIaaS, rely on a hybrid approach known as Hosted Private PKI. That means they combine cloud infrastructure for front-end certificate management with highly secure and audited data centers that generate and store the most important assets: the private root keys for each entity.
These keys are hosted in a dedicated Hardware Security Module (HSM) that is fully air-gapped and never online. Separation of duties is maintained by splitting control of these keys across Administrative Card Sets (ACS) and Operator Card Sets (OCS), so that no single person can use the root on their own. And the HSM can be hosted on-prem by organizations that require it.
This approach is easily scalable and can be adapted to multiple security scenarios, while enabling organizations to maintain control of trusted assets.
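The hybrid hierarchy described above, as an added example that is not HID's code or part of the original post: an offline root signs a single online issuing CA (path length limited so the issuing CA cannot mint further CAs), the issuing CA issues device certificates, and verification trusts nothing but the private root, so a device certificate with the same name from a rogue CA is rejected. All CA and device names are invented for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints an Ed25519 key plus a certificate for cn, signed by parent (nil = self-signed root).
// pathLen < 0 yields a client-auth end-entity cert; otherwise a CA allowed pathLen sub-CA levels.
func issue(cn string, serial int64, pathLen int, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if pathLen >= 0 { // CA: certSign only, no EKU, hard cap on the sub-CA depth beneath it
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER produced just above; parsing cannot fail
	return cert, key
}

// ChainsToRoot reports whether leaf verifies for client auth with root as the only trust anchor.
func ChainsToRoot(root, issuing, leaf *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuing)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Demo builds offline root -> online issuing CA -> device cert, plus an impostor device cert from a rogue CA.
func Demo() (genuineAccepted, impostorAccepted bool) {
	root, rootKey := issue("Hosted Private Root CA", 1, 1, nil, nil) // private key lives offline in the HSM
	issuing, issuingKey := issue("Cloud Issuing CA", 2, 0, root, rootKey)
	device, _ := issue("pump-controller-42", 3, -1, issuing, issuingKey)
	rogueCA, rogueKey := issue("Rogue CA", 4, 0, nil, nil)
	fake, _ := issue("pump-controller-42", 5, -1, rogueCA, rogueKey) // same name, untrusted issuer
	return ChainsToRoot(root, issuing, device), ChainsToRoot(root, issuing, fake)
}
```

Demo returns (true, false): the genuine device is accepted and the impostor is rejected even though its subject name is identical.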
And isn’t that what operating securely is all about?
To learn more about the business benefits of PKIaaS, read our eBook, Outsourcing PKI to the Cloud.
Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).