David Mahdi, chief strategy officer and CISO advisor at Sectigo, discusses the important role of digital trust in the security strategy
‘Zero trust’ is a trendy buzzword in cyber security today, thanks in part to marketing hype, but there is still confusion among security leaders around what it truly means. Zero trust is a cyber security framework which essentially states that entities, such as human and machines (i.e. software, workloads, containers, and devices) should not be trusted by default. With zero trust, trust is never implicit and should always be verified. Zero trust is often hailed as the best solution to the many authentication and access problems enterprises face, and those problems are myriad now that remote and hybrid work environments are the norm.
It is no longer possible for enterprises simply assume trust, as swathes of users and devices are now operating from outside the presumed safety of the corporate firewall. Enterprises now find themselves with a problem: the need to individually verify, onboard, authenticate every device, user, software, and entity interacting with the organisation’s network to ensure legitimacy, wherever the connections come from. Implementing a zero trust approach is essential, but security leaders shouldn’t obsess over it too much, because it is just the first piece of a much larger puzzle to ultimately establish and maintain ‘digital trust’ – the cornerstone of secure digital business.
Digital trust is the goal, zero trust is the framework
So, what is digital trust, and how do we know we have it? From a very high level, the physical world works on trust. We know that we can use US dollars, as the US government backs them, therefore, any and all users can expect to use them for value exchange. Focusing in on the digital world, digital trust is the notion of ensuring that any and all entities can trust your business. A simple example would be visiting a website, and conducting business; should you trust that it is the site you think it is? And if so, do you have enough trust in that business that you would share payment or personal information? When organisations suffer cyber security breaches, especially if they have reoccurred, customers today now question whether that business runs a trustworthy digital storefront. Without digital trust, digital business cannot and will not exist. So, digital trust is a result of good cyber security and is now mission critical not only for security leaders and CISOs, but the business overall.
Knowing that digital trust is now critical for all businesses and organisations today; why has zero trust gained so much attention? Well, simply put, we can’t assume that we should trust everything, take a zero trust approach, then establish and maintain trust.
From a security leader and CISO perspective, that means that we need to establish and maintain trust with all entities that make up and interact with the business. As such, digital trust here is the trust in machines, software, devices, and humans interacting with digital services that now power our world. It should not be confused with zero trust, which is often misinterpreted. The ‘zero’ implies no trust at all exists. Trust is dynamic, and it needs to be constantly upheld. The way enterprises approach establishing digital trust is important to ensure the functioning of the business, but specifically the security of both human and machine identities.
While many organisations focused on zero trust initiatives over the past few years, many recognised that trust in humans and machines is the foundational layer. In the modern enterprise, security leaders must design solid identity-first security frameworks deeply rooted in cryptography for digital trust to be established. This framework should start with a zero trust mindset, i.e. first verify the identity of the entity, validate its status and determine, if at that current moment, it should be granted access.
Cryptography at the heart of identity-first security
Digital certificates powered by public key infrastructure (PKI) are the gold standard to secure and authenticate human and machine identities and that help to establish and maintain digital trust. Certificates provide the strongest level of user and device authentication. Issued by Certificate Authorities (CAs), they underpin the security of the digital world and are relied on by all technologies from the oldest to the newest, like blockchain and Web3. Ideally, every user and machine trying to access a network or resource (hybrid/multi-cloud) must start with a strong cryptographic digital identity so an enterprise can verify who or what it is interacting with. This is critical since most attackers tend to focus on stealing credentials to access sensitive resources. In other words, they exploit identity as the main attack surface; really, they are “identity breaches” per se.
No matter what line of business you are in, it is paramount to ensure that you are protecting all identities, human, non-human/machine across your environment. And when it comes to non-human or machines, a recent report by CyberArk found that these identities outnumber human identities by 45x. Thanks to digital transformation and new and emerging use cases requiring certificates that support critical business outcomes (i.e. leveraging digital signatures and Robotic Process Automation (RPA), securing DevOps, securely enabling cloud environments, and many others), there has been an explosion in the number of digital identities requiring certificates. Beyond requiring certificates, many use cases would be better off leveraging them to help mitigate identity-related attacks.
Critical as they are, digital certificates themselves require care and management. Managing the massive volumes of digital certificates can prove a challenge for enterprises because certificates can come from different CAs, they all need to be renewed at different times and dates, their lifespans vary wildly, and many are even undiscovered buried in shadow IT. This presents an enormous problem because a single certificate gone unmanaged can spell outages, operational disruption, or leave a door open for hostile intruders.
Many organisations today still manage digital certificates manually or use outdated approaches like spreadsheets to manage overwhelming numbers of digital certificates. This results in making enterprises susceptible to outages or cyber attacks. An enterprise’s identity-first security strategy must include a single and centralised solution to manage the explosion of identities all requiring digital trust to access networks and resources. A new automated approach, that includes Certificate Lifecycle Management (CLM), ensures certificates are renewed or revoked when they need to be, avoiding loss of revenue and reputation.
Of course, we must be mindful of the security stack product and console explosion enterprises might be experiencing. There are just too many security products and consoles to manage. A recent Gartner Top Security and Risk report found 80% of CISOs have a strategy to consolidate security vendors and products. PKI and certificate management solutions have certainly been subject to this solution sprawl and complexity. And perhaps what has impacted many organisations as well, is the amount of money spent on what should be a single solution. In the quest to simplify security products, save money and time, security leaders now have an opportunity to consolidate their PKI and certificate operations consolidate their PKI certificate operations with modern day identity-first machine and human Certificate Lifecycle Management (CLM) solutions.
The most modern CLM solution should:
- Enable Security Stack Consolidation; by way of providing multiple functions, including:
- Private PKI capabilities;
- Public SSL/TLS Capabilities;
- CA Agnostic full-lifecycle management;
- Use case enablement such as Secure Email, Machine Identity management, web security, document signing, and passwordless/device user authentication.
- Leverage open standards, such as ACME, to avoid vendor lock-in.
- Be interoperable with other CAs, CLMs, and other common enterprise tools.
- Leverage cloud-first principles.
- Be cost-effective; as legacy PKIs and CLMs were and continue to be quite costly to acquire, manage and maintain.
Focus on digital trust to enable your digital world
Digital trust is now the overarching goal for cyber security. Recall, as we discussed, when cyber security is done well, the business can enjoy a strong trustworthy posture. This will only become more important as the world forges ahead into Web3 and the metaverse, and furthermore, as the advent of quantum computing inches closer to reality.
Digital identities for both humans, non-humans and machines, for the foreseeable future will continue to be used as an attack surface, and the safest way for CISOs and their teams to mitigate risk is prioritising identity-first security across their entire organisations. Wrap that approach with a zero trust framework, and security leaders will navigate the digital world with much more confidence that their networks and the humans and machines interacting with them are secure. Finally, CEOs and boards can also proceed with confidence that their business will maintain and increase brand trust, by way of ensuring they take digital trust seriously.