In this interview with Help Net Security, David Mahdi, CSO of Sectigo, talks about the importance of digital identity management, the issues organizations have with digital identities and what they can do to overcome them.
The rapid shift to hybrid work has left many organizations susceptible to cybercrime that leverages identities to gain access. What was it that organizations did wrong?
In the rapid shift to hybrid work, many organizations did what they could to support their workforce. Legacy secure access and security were simply not enough. Unfortunately, bad actors leveraged this delicate situation to their advantage. They knew, with simple reconnaissance, that they could compromise many enterprises by targeting weak identities. Specifically, usernames and passwords, either alone, or in some cases bolstered with weak multi-factor authentication (such as SMS, which is no longer considered a strong option for MFA).
Organizations responded by introducing alternative methods for authentication, such as mobile push. This is a good move, but still only covers one piece of the puzzle, that is human identities. In reality, users leverage devices, such as laptops, tablets, and mobile phones to access the organizations’ applications and ultimately data.
This requires a completely different approach than what was practiced in the past. The approach needed is often called “zero trust.” Zero trust is a great concept, but it is only the first step in the journey to secure digital identities. What is needed at the foundation is identity-first security. Identity-first security is a new concept, introduced by Gartner in 2021. It focuses on the notion that any entity, be it a device, software, machine, or human, requires a digital identity.
With the explosion of digital and hybrid work styles, the amount of machine and human identities has increased dramatically. And it will continue to do so. As these entities connect to our networks, the chance that one of these identities can be compromised by bad actors increases. The first principle here would be to ensure that all humans and machines are rooted in strong, non-repudiable digital identities. The proven approach in the market today is with digital certificates, which leverage PKI. In fact, some of the best authentication mechanisms leverage digital certificates at their core. With more identities in an ecosystem, more certificates are needed to verify them to hold together the safety of the enterprise.
Although certificates offer the strongest possible safety net for identity-first security, they are notoriously hard to manage. Constantly expiring and requiring renewal, many unprepared organizations are still managing this vital utility with outdated manual means that are prone to human error. If a certificate inventory is managed ineffectively, it becomes highly vulnerable to outages and security breaches.
What can organizations do to leverage and optimize identity-first security?
The challenge for businesses is to find a solution that can accurately manage this rapidly growing number of human and machine identities. It is no longer sustainable to simply buy more point-products to manage yet another security problem. In this case, when leveraging digital certificates as a baseline for human and machine identities, digital certificates must be provisioned to users and devices, and ultimately, orchestrated and automated.
Manual methods of managing certificates that businesses rely on are not only redundant but also potentially dangerous.
Organizations need to look towards end-to-end, cloud-based, automated, and orchestrated Certificate Lifecycle Management (CLM) solutions to give complete visibility and lifecycle control over any certificate in their environment. This will help them reduce risk and control operational costs. Furthermore, it will also allow them to enable new use cases that will drive further secure business enablement. Even in the most complex enterprise environments, certificate automation offers speed, flexibility, and scale. Full visibility into all digital certificates means that even the largest enterprises can have a centralized view of digital identities and security processes.
If certificate management is smartly orchestrated and automated, it can track things such as expiration dates, notify IT professionals when they’re approaching, and replace them without any manual labour from already overstretched IT teams.
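The expiry tracking described above, as an added illustration that is not part of the interview or any Sectigo product: a small, CA-agnostic triage over a constructed certificate inventory that decides which certificates are expired, due for renewal, or approaching renewal. The inventory, the subjects, the CA names and the "current time" are all constructed for the example; the renewal window is a fraction of each certificate's own validity period, capped at 30 days, which is an assumption, not a standard.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class CertRecord:
    subject: str          # the human or machine identity the cert is bound to
    issuer: str           # issuing CA; the triage below is CA-agnostic
    not_before: datetime  # timezone-aware UTC datetimes
    not_after: datetime

# Constructed sample inventory for illustration; names and dates are not real.
INVENTORY = [
    CertRecord("vpn-gw.corp.example", "Internal CA", datetime(2021, 3, 1, tzinfo=UTC), datetime(2022, 2, 20, tzinfo=UTC)),
    CertRecord("alice@example.com (S/MIME)", "Public CA A", datetime(2021, 6, 1, tzinfo=UTC), datetime(2022, 3, 15, tzinfo=UTC)),
    CertRecord("api.example.com", "Public CA B", datetime(2022, 1, 1, tzinfo=UTC), datetime(2022, 4, 1, tzinfo=UTC)),
    CertRecord("build-agent-07", "Internal CA", datetime(2022, 2, 27, tzinfo=UTC), datetime(2022, 3, 6, tzinfo=UTC)),
    CertRecord("mail.example.com", "Public CA A", datetime(2021, 9, 1, tzinfo=UTC), datetime(2023, 9, 1, tzinfo=UTC)),
]
NOW = datetime(2022, 3, 1, tzinfo=UTC)  # constructed "current time" for the sample run

def triage(cert, now, renew_fraction=1 / 3, renew_cap=timedelta(days=30)):
    """Return 'expired', 'renew', 'warn' or 'ok'. The renewal window is a fraction
    of the cert's own validity period (capped), so short-lived machine certs are
    renewed proportionally earlier; 'warn' fires at twice that window."""
    remaining = cert.not_after - now
    if remaining <= timedelta(0):
        return "expired"
    renew_window = min((cert.not_after - cert.not_before) * renew_fraction, renew_cap)
    if remaining <= renew_window:
        return "renew"
    return "warn" if remaining <= 2 * renew_window else "ok"

def renewal_plan(inventory, now):
    """Action list sorted most-urgent first, regardless of which CA issued the cert."""
    rows = [(c.subject, c.issuer, triage(c, now), (c.not_after - now).days) for c in inventory]
    return sorted(rows, key=lambda r: r[3])

def action_counts_by_issuer(plan):
    """How many certificates per CA need action now (expired or due for renewal)."""
    return dict(Counter(issuer for _, issuer, status, _ in plan if status in ("expired", "renew")))

if __name__ == "__main__":
    for row in renewal_plan(INVENTORY, NOW):
        print("%-28s %-12s %-8s %5d days left" % row)
    print(action_counts_by_issuer(renewal_plan(INVENTORY, NOW)))
```

In a real CLM deployment the inventory would be populated by discovery (network scans, endpoint agents, CA integrations) rather than hand-written, and the "renew" rows would feed an automated re-issuance step.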
What do organizations have to look out for when managing digital identities, for humans and machines?
First and foremost, orchestration and automation are critical. Limiting manual oversight will vastly reduce the chances of an expired certificate causing a breach or cyberattack. In addition to this, a cybersecurity strategy that invests in employee education is essential. For instance, Business Email Compromise (BEC) attacks are also notoriously difficult to prevent due to sophisticated social engineering techniques.
Businesses must invest time in educating their employees to spot and avoid the latest attack vectors. Implementing secure S/MIME email certificates is another essential step to decrease the chances of BEC and other email-based attacks. However, this should be done in concert with other identity-first principles such as strong authentication (for both humans and machines) as well as access management.
Is there a one-size-fits-all identity-first and digital identity management solution?
Unfortunately, there is no one-size-fits-all identity-first and digital identity management solution, as each enterprise requires different levels and methods of ensuring security, depending on their use cases, compliance, and relative risk profiles. However, all businesses must focus on certificate management as a means to protect all identities for humans and machines. Furthermore, as every single business relies upon email as a fundamental form of communication, any solution must excel in email certificate deployment, discovery, and renewal. As such, integration with common enterprise applications, and various other security solutions is needed to support an enterprise-wide notion of zero trust and identity-first security.
What improvements or developments could we expect when it comes to identity-first security and digital identity management?
While automation alleviates some human and machine identity management challenges, as they increasingly become rooted in digital certificates, the complexity of certificate management doesn’t end there. Most Certificate Authorities (CAs) that issue certificates tend to be reluctant to work together, meaning even the most sophisticated CLM solutions on the market cannot oversee the multitude of different CA-issued certificates in an organization. We will see further development of platforms that are certificate agnostic. Being ‘certificate agnostic’ means that a solution allows businesses to manage every certificate and digital identity in their organizations, no matter what CA it came from.
Furthermore, we will continue to see advances toward quantum-resistant certificates, as quantum computing inches closer to becoming a reality. Many academics and government-funded organizations are working hard to develop cryptographic algorithms that can resist quantum computing power in an attempt to avoid the ‘quantum apocalypse’ (the notion of “crypto-agility”). This is because current RSA and ECC algorithms used in our modern PKI infrastructure are unfortunately no match for this new computing paradigm.