Jason Soroko, CTO of PKI at Sectigo, global leader in certificate lifecycle management, is also co-host of the Root Causes cyber podcast.

Recent breaches of well-established on-premises infrastructure speak to the very core of most chief information security officers’ nightmares. Consider high-profile headlines involving SolarWinds, Microsoft Exchange, the Microsoft Active Directory domain controller printer spooler (PrintNightmare) and Microsoft CA (PetitPotam). Massive incidents like these raise the question: “Should I trust the security of internal corporate ecosystems more than external systems?” It’s likely that many IT leaders are giving too much trust to systems in close proximity to their physical infrastructures.

Organizations assuming that critical business applications are safe simply because they reside on-premises are taking unnecessary risks. Cybercriminals routinely leverage weaknesses in software, so it’s a fallacy that systems behind a firewall are inherently secure.

As malware, hackers and criminal organizations become increasingly sophisticated, security practices must evolve in parallel. This requires developing a more rigorous approach and deploying robust solutions that are able to protect against increasingly penetrative malicious activity.

One major issue is that organizations have complex, hybrid IT infrastructure, and securing each part of it brings its own challenges. Take the cloud, for example. Despite the fact that public and hybrid clouds fall outside the direct oversight of IT teams, they are typically more secure than an on-premises infrastructure. This is partly because cloud providers have larger security teams, more layers of security, better patching practices and more sophisticated approaches to business continuity than all but the very largest enterprises. A cloud provider’s entire business model revolves around ensuring customer services and data are continually secure.

More importantly, it is common for major cloud-based infrastructure to be application-focused rather than network-focused. This is an important principle of zero trust architecture. It limits the adversary’s ability to gain a foothold on an internal network. It’s the same reason why modern security thinking prefers application-level authentication to highly privileged VPN network access. Zero trust is not a single technology but rather a security model based on the concept of trusting no application, device or user. It presumes everything is untrustworthy until proved otherwise via identity management, machine authentication, formal access policies or other ways required by an organization’s specific context.

The U.S. government recently put the concept of zero trust at center stage when it announced its plans for a zero-trust architecture for federal agencies by 2024, emphasizing the importance of secure digital identities and strong authentication. Part of this guidance to federal agencies favors an application-centric authentication approach rather than general authentication to a network, often by VPN to an internal corporate network. Cloud applications usually give you this isolation by being application-focused rather than network-focused. It’s another form of the “principle of least privilege,” which pays significant security dividends.

Just like with federal agencies, organizations should consider the importance of zero trust as they look to secure modern infrastructures such as public or hybrid clouds in which services and data span multiple hosts and sites, not all of which fall under the direct oversight of the organization. Every entity in a cloud process or transaction — whether that entity is a host, application, system or user — must be securely validated and authenticated. By hosting some or all applications and services in a cloud, organizations automatically inherit the many security benefits of zero trust without having to implement them directly.

While there are various ways to implement zero trust, a strong passwordless authentication option can be found using a cloud-based public key infrastructure (PKI) approach. PKI leverages digital certificates to verify the identity of participating devices and entities and a public/private key pair to encrypt and decrypt messages. This identity verification process and encryption can be applied to users, systems or devices. It’s also essentially invisible and seamless from the end user’s perspective, requiring no special techniques or skills. Digital certificates are increasingly stored securely in hardware secure elements such as the Trusted Platform Module (TPM) found on all Windows 11 devices and most Windows 10 devices.

Getting Started With PKI And Zero Trust

Implementing zero trust isn’t something that needs to be done in one fell swoop. Implementing it correctly is far more important than implementing it quickly. These certificate lifecycle management and PKI tips can help enterprises get started on the right foot and avoid potentially costly mistakes.

• Conduct thorough certificate discovery. It is impossible to secure a network environment without a complete understanding of which certificates are in use. Organizations need a detailed accounting of all certificates in use, including their source, lifespan and purpose.

• Establish a governance plan. Policy inconsistency can cause issues throughout an enterprise, but especially in PKI. Creating rules on term lengths, when to use public vs. private CAs and what to do in specific situations and use cases is critical.

• Automate processes. Today, most organizations use too many certificates to manage manually, and as users, devices and applications continue to multiply, this will only create more problems. An automated management system governed by strong policies can help keep zero-trust environments secure in both the short term and the long term.
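The three tips above (discover every certificate, write the governance rules down, automate the checks) can be put together in one small tool. What follows is an added example written for this page, not code from the article or from Sectigo: a Go program that builds a constructed PEM bundle (an internal CA, one compliant server certificate and one long-lived certificate that is about to expire), then inventories each certificate's source, lifespan and purpose and checks it against a governance policy. The policy values (a 398-day maximum term, a 30-day warning window), the reference date and all certificate names are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// Policy is the governance plan written as checkable rules (assumed example values, not the article's).
type Policy struct {
	MaxTermDays    int // longest lifetime a leaf certificate may have
	WarnWithinDays int // flag anything expiring sooner than this
}

// CertRecord is one inventory row: source (issuer), lifespan and purpose,
// plus the findings the policy checks raised for it.
type CertRecord struct {
	Subject, Issuer    string
	NotAfter           time.Time
	TermDays           int
	Purposes, Findings []string
}

var ekuNames = map[x509.ExtKeyUsage]string{x509.ExtKeyUsageServerAuth: "serverAuth", x509.ExtKeyUsageClientAuth: "clientAuth"}

// Inventory parses every certificate in a PEM bundle and applies the policy to each one.
func Inventory(bundle []byte, pol Policy, now time.Time) ([]CertRecord, error) {
	var records []CertRecord
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // private keys or other PEM objects are not inventory items
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		rec := CertRecord{Subject: c.Subject.CommonName, Issuer: c.Issuer.CommonName,
			NotAfter: c.NotAfter, TermDays: int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)}
		for _, u := range c.ExtKeyUsage {
			if n, ok := ekuNames[u]; ok {
				rec.Purposes = append(rec.Purposes, n)
			}
		}
		if c.IsCA {
			rec.Purposes = append(rec.Purposes, "CA")
		}
		// Governance checks: each deviation becomes a finding rather than a silent skip.
		switch {
		case now.After(c.NotAfter):
			rec.Findings = append(rec.Findings, "expired")
		case c.NotAfter.Before(now.AddDate(0, 0, pol.WarnWithinDays)):
			rec.Findings = append(rec.Findings, "expiring-soon")
		}
		if !c.IsCA && rec.TermDays > pol.MaxTermDays {
			rec.Findings = append(rec.Findings, "term-exceeds-policy")
		}
		records = append(records, rec)
	}
	return records, nil
}

// sampleNow is a constructed reference date that keeps the example deterministic.
var sampleNow = time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)

// SampleBundle builds a constructed PEM bundle: an internal CA, one compliant
// server certificate and one long-lived certificate that is about to expire.
func SampleBundle() ([]byte, error) {
	var (bundle []byte; caTmpl *x509.Certificate; caKey *ecdsa.PrivateKey)
	for i, s := range []struct{ cn string; age, term int; ca bool }{ // age = days since issuance, term = lifetime in days
		{"Example Internal CA", 730, 3650, true},
		{"app.internal.example", 10, 398, false},
		{"legacy.internal.example", 800, 825, false},
	} {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: s.cn},
			NotBefore: sampleNow.AddDate(0, 0, -s.age), NotAfter: sampleNow.AddDate(0, 0, s.term-s.age),
			IsCA: s.ca, BasicConstraintsValid: s.ca, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
		parent, signer := caTmpl, caKey
		if s.ca { // self-signed root: it signs itself here and the leaves afterwards
			tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
			caTmpl, caKey, parent, signer = tmpl, key, tmpl, key
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return bundle, nil
}
```

Run against the constructed bundle with `Inventory(bundle, Policy{MaxTermDays: 398, WarnWithinDays: 30}, sampleNow)`, the CA and the 398-day server certificate come back clean, while the legacy certificate is flagged both as expiring within the warning window and as exceeding the maximum term. In a real deployment the bundle would be replaced by certificates collected from hosts, TLS endpoints and key stores, and the policy checks would run on a schedule so that renewals are driven by the inventory rather than by whoever remembers the expiry date.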

Building The Foundation For A More Secure Future

Digital transformation has dissolved traditional network boundaries, opening the door to malware, hackers and criminal organizations that take advantage of weaknesses in on-premises software. While zero-trust implementations that include PKI can greatly help, the costs and complexities of securing an on-premises architecture are always scaling up.

Consider a cloud-based security approach that can allow organizations to minimize the available attack surface — driving down the odds of a breach — while also controlling and reducing the costs and complexity of managing in-house architecture.

The time to introduce a zero-trust architecture and proactively prevent emerging threats is now. Leveraging the expertise and scalability of trusted cloud-based PKI deployment and maintenance is cost-effective and can allow organizations to benefit from the cloud provider’s expertise while providing the scalability to grow in proportion to emerging business demands. Peace of mind is attainable, and moving to the cloud can create a shorter, smoother road to reach it.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.