Technology trends have shifted how IT professionals think about security at the corporate perimeter. Formerly walled-off operational technologies — such as factory floor machinery, utilities and industrial infrastructure, hospital instruments or industrial kitchens — have become connected and vulnerable to cyberattack. Applications and services have moved to the cloud, changing models of user access and shifting to on-demand orchestration, serverless computing and distributed data architectures. Devices have proliferated, with employees often connecting their own personal devices — from mobile phones to tablets and computers to tracked vehicles — to corporate networks. These changes, which collectively challenge the notion of the traditional corporate perimeter, are leading businesses to reshape the foundational assumptions governing user, application and corporate security.
Because companies can no longer rely on physical or virtual boundaries to define what is trusted or not, many organizations are adopting a zero-trust security policy. This “never trust, always verify” approach to security requires all access to networks, applications and services to be authenticated. As a result, identity and access managers are fielding significantly increased demands on their organizations:
In a perimeter-less environment, the number and types of things that need to be secured also increase. The role of the PKI administrator has expanded beyond traditional TLS web security to fielding new and expanding use cases across the organization:
These PKI use cases are proliferating at the same time that certificate validity periods for public trust are shrinking. While shorter validity periods improve certificate security, more frequent renewals increase the administrative burden of management as well as the exposure to business disruption when a certificate is not renewed in time. Not surprisingly, this is driving increased demand for PKI management solutions that assist with governance of this broadening PKI landscape.
Connected devices, whether personal devices connecting to a network or operational technology coming online, increase the attack surface that must now be protected. Network and operational technology security administrators need to consider not only how to provision device identity but also how to secure devices in operation: how to make devices more tamper-resistant, how to secure communication between them, how to govern how they connect to the network, how to bring together legacy (brownfield) and new (greenfield) devices and enable mutual authentication between them, and how to monitor for threats.
Chief security product officers defining and building device-centered solutions, in turn, must consider the surface area that must be protected across the full device lifecycle — across chip manufacturers, device manufacturers, application developers, device operators and device users — for the lifetime of the device.
The building blocks of digital trust — standards, compliance and operations, trust management and connected trust — are the foundational technologies that enable companies to operate securely in a world in which a corporate boundary no longer defines what is trusted and what is not. Digital trust solutions enable companies to:
Corporate-wide digital trust initiatives can establish a comprehensive, unified approach to security within a perimeter-less organization, addressing the way the disintegration of the traditional corporate perimeter is shaping the security demands within different IT departments.
Want to learn more about DigiCert’s platform for digital trust? Email us at pki_info@digicert.com for more information or to set up a sales consultation.
Get the IDC whitepaper Digital Trust: The Foundation for Digital Freedom to read more about digital trust—what it is, how it works, and why it must be a strategic initiative for any organization, including yours.